We were alerted yesterday that one of our customers local to Goldsboro, North Carolina had been targeted in a very sophisticated and elaborate phishing scam. Phishing is a fraud that consists of tricking a victim into thinking they are communicating or interacting with a legitimate company in an effort to steal sensitive data such as passwords, financial data, or any other data that in some way benefits the attacker.
As we understand the situation, the fraudster contacted our customer masquerading as one of their customers, and when our unsuspecting customer tried downloading an attachment they were asked to enter their Microsoft login details to download the file. Upon doing so, it took only seconds for the pre-programmed bot the fraudster already had in place to log in to our client’s Microsoft account and download all the data it could before the customer was notified by Microsoft of a suspicious login.
This kind of breach is the most dangerous because it is a breach into everything on the computer and connected with that Microsoft account including the very login to that PC as Microsoft now requires that all PC logins be “online” and connected to Microsoft’s website.
There are far more implications as well. Because Outlook is also connected to your Microsoft account and login details to our servers are saved in your Outlook, this breach could have also been a breach into our mail server limited and localized to the customer’s email account. That meant the fraudster now could have had access to every email the customer had ever sent to their clients.
Soon after the breach, which went unnoticed by the customer, the fraudster registered a domain name that mimicked the customer’s domain name. Imagine for a moment that your company’s domain name was “google.com”, and the fraudster registered “google.co” and began emailing the customers of our customer pretending to be our customer. The sophistication of this act was far greater than any breach we’ve been told about to date, and we’ve seen some very sophisticated breaches at local businesses right here in Goldsboro.
The fraudster very tediously mimicked everything about the company including the owner’s constant carbon copying of his son in every email, but of course, his son never got that email because it was carbon copied to “email@example.com”.
After 2 weeks of gaining the trust of our customer’s customers, the fraudster made their move and began requesting that invoices be paid via ACH Debit. One of those customers reached out to our customer and wanted to know why they could no longer pay their invoices by check. The jig was up when our customer learned that emails were being received that he had not sent.
This is the point at which I was called. The customer believed that their email had been hacked. We quickly traced this breach back to the Microsoft breach from the phishing email and even found that our own email servers were too hardened for the attacker to break into, even with the username and password, through Outlook. Instead of logging directly into our email server, they had to resort to registering their own domain name to send emails from.
We want people to be very aware of how these scams work. As you read, paying close attention to the domain name is the best defense against phishing of any kind. Today, it is very hard to deliver email that claims to come from a domain without that domain’s authorization, because SPF records, DMARC records, and other security features published in DNS tell receiving mail servers which IP addresses are authorized to send email for that domain name. Our servers are equipped with these security features as well as errant login detection that blocks logins that don’t fall within the norms of a customer’s usual geographical location. This has proven to be a valid defense, which is why the fraudster was unable to log in with the customer’s credentials. We are well aware that customers have complained about the minor inconveniences this has occasionally caused, but this security feature really did pay off in a big way in the past few weeks.
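To show how the two defenses described above fit together, here is an added example (not code from the original post or from our servers): a minimal SPF evaluator that checks whether a sending IP is authorized for a domain, plus a lookalike check that flags a sender domain resembling a trusted partner’s domain. The SPF records, IP addresses and domains are constructed for the example; it only handles the `ip4`/`ip6` mechanisms and the trailing `all`, not `include` or `mx`.

```python
import ipaddress
from difflib import SequenceMatcher

# Constructed SPF TXT records standing in for DNS lookups (not real data).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "example.co": "v=spf1 ip4:192.0.2.10 -all",  # the lookalike domain
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_allows(domain, sender_ip, records=SPF_RECORDS):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip."""
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means 'pass'
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # A v4 address is never 'in' a v6 network and vice versa.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULTS[qualifier]
        elif term == "all":
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def lookalike(sender_domain, trusted_domains, threshold=0.85):
    """Return the trusted domain that sender_domain resembles, else None."""
    if sender_domain in trusted_domains:
        return None
    for trusted in trusted_domains:
        if SequenceMatcher(None, sender_domain, trusted).ratio() >= threshold:
            return trusted
    return None


def assess(sender_domain, sender_ip, trusted_domains):
    """Combine both checks into the findings a mail filter would log."""
    findings = []
    result = spf_allows(sender_domain, sender_ip)
    if result in ("fail", "softfail"):
        findings.append(f"spf-{result}")
    near = lookalike(sender_domain, trusted_domains)
    if near:
        findings.append(f"lookalike-of:{near}")
    return findings
```

Note that the fraudster’s own domain passes its own SPF check; SPF stops forged mail from the real domain, and only the lookalike check catches the “google.co” trick.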
In hindsight, it’s always good to go over what went right and what went wrong; the basics of after-action problem solving that I became all too acquainted with during my time in the US Army. This could have happened to anyone, and the likelihood of it happening to someone in the future is many orders of magnitude higher than you think: it’s 100%. Don’t think about “if it happens”; think about “when it happens”. In this case, the customer made the right call to get help, and that should be your first step. Upon contacting us, we will step you through this process, the same process we have outlined in our company policy should we ever be breached: