7/12/2023

How a scammer hijacked this client's emails - even after she changed her password

Yesterday, I spent time with a client who had been the victim of scammers/hackers a few days ago. Her email account had been accessed by a hacker, and this hacker sent emails from her email account to a large number of her contacts. The emails pretended to be from her, and asked these people for a favour involving a relatively small amount of money.

But it was not just the sending of these scam emails to her friends and family (and other contacts) that was the problem. It was what the hacker left behind that was really concerning.

If you are ever hacked, it is important to know that changing your password is not necessarily the full solution. The hacker may still have access to your incoming emails, even though they can't directly access your email account.

Firstly, how did the scammers get access to her email account?

Let's call this client Jane. Jane is not sure what she did wrong, but she was probably caught out by a phishing email - where she clicked a link in a scam email and signed into a fake site, giving away her email address and password combination. Or it may be that her email address and password combination were part of a stolen list on the dark web.

Unfortunately, she didn't have two-factor authentication set up for her email account - so the email address and password were enough for the hacker to access her email account via a web browser, from anywhere in the world.

Emails sent by hacker asking for a 'quick favour'

Once the hacker gained access to her email account, they sent an email to a large number of her contacts - people who were stored in her account's Contacts, and those with whom she had previously communicated via that email account.

I have included the 'conversation' the hacker had with one of Jane's contacts (let's call him Fred) below. (All names and any identifying information have been changed in this transcript.)
As you can see, the first email simply asked each of the recipients for 'a quick favour'. When 'Fred' responded to this simple request, the hacker (posing as Jane) asked Fred if he could get an Apple gift card for 'her' to give to a friend who has cancer.

It is a long, convoluted request - which, one would hope, might trigger alarm bells. It did for many people, who called Jane to ask what was going on (especially those who knew she wasn't travelling!) and to alert her to the problem.

I'll let you read the transcript, then continue the saga under that. (Note that the scammer's messages as 'Jane' are represented in red.)

Transcript of one of the email conversations with the hacker

Did any contacts fall for the scam?

Luckily, 'Fred' was alerted to this being a scam before he purchased any gift card. Another person was also about to purchase, but was also alerted just in time. At the time Jane and I spoke, she had not heard if any other recipients had fallen for the scam.

In fact, until our appointment, she had no way of working out who received the scam email, since her account's 'Sent' mail had been cleared of the messages that were sent by the hacker. All she had to go by were the texts and calls that she had received en masse on the day of the hacking.

Emails were then not being received

Jane came to see me because, even though she had secured her account as quickly as possible by changing her password, she had not received any new emails on her iPad or iPhone - even after providing the new password in the Mail apps on those devices.

So the first thing we did was sign in to her email account via a web browser. We found that the Inbox we saw via the web browser matched that on the iPad and iPhone, so all was well with the setup on her iPad and iPhone. But it seemed impossible that she would have received NO emails for over 2 days.

Emails were hidden away!

A closer look at the email account identified that the latest emails - received since the hacking incident - were actually in a folder/mailbox called Conversation History, instead of in the Inbox. She had definitely not moved them there.

In that folder, she found a very long list of emails from her contacts - people who replied to the hacker's 'ask a favour' email to ask whether it was really her sending that email. The hacker (of course) saw these replies, but she did not.

How did the emails get to that hidden place?

If she didn't move the emails to Conversation History, how did they get there? How was it she got no notifications of new messages arriving?

We checked the Settings for her email account (which is a Microsoft hosted account, accessed via the website outlook.live.com), specifically looking at the Rules option in Settings - just to check if there was anything strange there.

Rules allow you to automatically carry out action/s when an email is received - including moving emails out of Inbox and into an alternative folder. This is exactly what the scammers had set up. All her incoming emails were being moved to the Conversation History folder immediately, leaving her Inbox looking like there had not been any new mail.

An extra nasty sting in the hacker's Rule

But there was something really nasty that we also saw in that Rule. Not only had the hacker set the emails to move out of the Inbox - they had also set the incoming mail to forward to an alternative email address, janesmith@outlook.com.

We had to do a double-take, because it looked so much like her own email address - simply replacing the msn.com suffix with outlook.com. But she doesn't own that other outlook.com email address.

Even though both msn.com and outlook.com emails are hosted by Microsoft, they are actually totally different email addresses. So janesmith@msn.com is a totally different email address entirely to janesmith@outlook.com. (I had to look that one up, because I thought one might be an alias for the other.)

So this means that the hacker had been receiving all her incoming emails (mail that she wasn't seeing) even after she changed her password and locked them out of her account.

Hacker can now engage with Jane's contacts, pretending to be her

Not only that, the fact that the fake email address is almost the same as her real one leads me to assume that the hacker will most likely engage with her contacts from that other email address, pretending to be her. This could happen at any time in future. It would be really hard to tell by looking at the 'From' email address that the email is not from the real Jane.
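
The Rule described above (move everything out of the Inbox, forward a copy to a lookalike address) can be checked for mechanically. The following is an added example, not part of the original post: it assumes the account's rules have been exported as JSON in the shape of Microsoft Graph messageRule objects, and the sample rules, the rule name "." and the folder IDs are constructed for illustration.

```python
# Constructed sample in the shape of Microsoft Graph messageRule objects (not real data).
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "id-news"}},
    {"displayName": ".", "isEnabled": True, "conditions": None,
     "actions": {"moveToFolder": "id-convhist", "stopProcessingRules": True,
                 "forwardTo": [{"emailAddress": {"address": "janesmith@outlook.com"}}]}},
]
# Hypothetical folder-ID lookup; real Graph folder IDs are long opaque strings.
FOLDER_NAMES = {"id-news": "Newsletters", "id-convhist": "Conversation History"}
FORWARD_KEYS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")


def audit_rule(rule, owner, folder_names):
    """Return findings for one rule: off-account forwarding and catch-all hiding."""
    findings = []
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    owner = owner.lower()
    owner_local, _, owner_domain = owner.partition("@")
    for key in FORWARD_KEYS:
        for rcpt in actions.get(key) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "").lower()
            if addr == owner:
                continue
            local, _, domain = addr.partition("@")
            # Same name before the @ but a different domain is the trick described above.
            kind = "lookalike" if local == owner_local and domain != owner_domain else "third-party"
            findings.append(f"{key} to {kind} address {addr}")
    # A rule with no conditions matches every incoming message.
    if not any(conditions.values()):
        if actions.get("moveToFolder"):
            folder = folder_names.get(actions["moveToFolder"], actions["moveToFolder"])
            findings.append(f"all mail moved out of Inbox to {folder}")
        if actions.get("delete") or actions.get("permanentDelete"):
            findings.append("all mail deleted on arrival")
    return findings


def audit_rules(rules, owner, folder_names):
    """Map rule name -> findings for every enabled rule that has any."""
    report = {}
    for rule in rules:
        if rule.get("isEnabled", True):
            findings = audit_rule(rule, owner, folder_names)
            if findings:
                report[rule.get("displayName", "")] = findings
    return report
```

Calling `audit_rules(SAMPLE_RULES, "janesmith@msn.com", FOLDER_NAMES)` reports only the second rule, with one finding for the lookalike forward and one for the catch-all move to Conversation History.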

What can this client do?

The first thing this client needed to do was set up multi-factor authentication on her email account, so that her password is not enough to provide access to the email account in future.

Given the situation with the fake email address - and the fact that many of her contacts received previous scam emails from her real email account - I suggested to her that she needs to email all of her contacts to advise them that she has been hacked, that they may have already received one or more scam emails from her own email address, and to warn them about the potential for future scam emails that appear to come from her, from that other email address.

We drafted an email for her to send to each of the people/organisations in her emails/contacts. (Sorting the mailboxes in order of 'From' helped to identify the people with whom she corresponds, because not everyone was found to be in her account's Contacts.)

She will also report that scam email account to Microsoft, to see if they can do anything about it - a process that we kicked off while she was here.

The longer a hacker has access, the more damage they can do

If a hacker has prolonged access to an email account, there is also so much more they can do.

For example, for certain types of online accounts, they may be able to reset passwords - by requesting a password reset code be sent to the email account.

Sometimes, they 'camp out' in the email account, silently waiting for a correspondence that relates to a payment request, to a bank account. They then hijack that email to insert fake bank account details in the email received by one party or the other, so the payment goes to the wrong person. This is known as a 'man in the middle' attack.

Some people include credit card details in emails that they send to others. A hacker can find such information in your emails. (Tip: Never send credit card details in emails or messages.)

The hacker may also trawl through your emails for other identity information, and steal your identity. Using information found in your emails, they may try to hack other accounts. Depending on what they find in your emails, they could even try to blackmail you. And, of course, they can engage with people and pretend they are you.

If you have been (or suspect you have been) hacked

scamwatch_cheat_sheet_2.pdf

Here is a downloadable information sheet that I put together for a client recently, incorporating information from the Scamwatch website (scamwatch.gov.au) as well as some other tips and suggestions.

You will see it talks about what to do if you have been scammed - which may include contacting IDCARE, Scamwatch, the Police, your bank, Credit Reporting agencies, and your contacts. It also has tips on how to avoid being scammed, and includes a link to a really handy resource from Scamwatch, The Little Black Book of Scams.

iTandCoffee can help

If you need support after being the victim of a scam - or perhaps to secure your account to minimise your chance of becoming a victim of a scam - make a time with iTandCoffee here or email bookings@itandcoffee.com.au.