How a scammer hijacked this client's emails - even after she changed her password

Yesterday, I spent time with a client who had been the victim of scammers/hackers a few days ago. 

Her email account had been accessed by a hacker, and this hacker sent emails from her email account to a large number of her contacts.

The emails pretended to be from her, and asked these people for a favour involving a relatively small amount of money. But it was not just the sending of these scam emails to her friends and family (and other contacts) that was the problem.

It was what the hacker left behind that was really concerning. If you are ever hacked, it is important to know that changing your password is not necessarily the full solution.

The hacker may still have access to your incoming emails, even though they can't directly access your email account. 

Firstly, how did the scammers get access to her email account? ​

Let's call this client Jane. Jane is not sure what she did wrong, but she was probably caught out by a phishing email - where she clicked a link in a scam email and signed into a fake site, giving away her email address and password combination. Or it may be that her email address and password combination were part of a stolen list on the dark web. 

Unfortunately, she didn't have two-factor authentication set up for her email account - so the email address and password were enough for the hacker to access her email account via a web browser, from anywhere in the world.

Emails sent by hacker asking for a 'quick favour'

Once they hacker gained access to her email account, they sent an email to a large number of her contacts - people who were stored in her account's Contacts, and those with whom she had previously communicated via that email account.

I have included the 'conversation' the hacker had with one of Jane's contacts (let's call him Fred) below. (All names and any identifying information have been changed in this transcript.)

As you can see, the first email simply asked each of the recipients for 'a quick favour'.

When 'Fred' responded to this simple request, the hacker (posing as Jane) asked Fred if he could get an Apple gift card for 'her' to give to a friend who has cancer. It is a long, convoluted request - which, one would hope, might trigger alarm bells. It did for many people, who called Jane to ask what was going on (especially those who knew she wasn't travelling!) and to alert her to the problem. 

I'll let you read the transcript, then continue the saga under that. (Note that the scammer's messages as 'Jane' are represented in red.)

Transcript of one of the email conversations with the hacker

From: Jane <[email protected]>
Sent: Tuesday, 5 December 2023 11:01 AM
Subject: Catch up

Hi
I hope you are fine? Can i ask for a quick favour
Jane
_________

From: Fred Citizen <[email protected]>
Sent: Tuesday, 5 December 2023 11:31 AM
To: Jane <[email protected]>
Subject: Re: Catch up

Hi Jane
Happy to help. Fred
__________

From:  Jane <[email protected]>
Sent: Tuesday, 5 December 2023 12:44 PM
To: Fred Citizen <[email protected]>
Subject: Re: Catch up
 
Sorry for bothering you with this mail, I need to get an Apple gift card for my friend who is down with cancer of the liver, it's her birthday today and I promised to make her happy with this but I can't do it now because I'm currently traveling and i tried purchasing online but unfortunately no luck with that.
Can you please get it from any store around you or online? I'll refund you upon my arrival.

Kindly let me know if you can handle this.
Awaiting your response
Regards
Jane
__________

From: Fred Citizen <[email protected]>
Sent: Tuesday, 5 December 2023 11:59 AM
To: Jane <[email protected]>
Subject: Re: Catch up
 
I can hopefully pick up a card around 4.00pm from Office Works. Whose name do you want on the card and whats the $amount.
Fred
__________

From: Jane <[email protected]>
Sent: Tuesday, 5 December 2023 1:08 PM
To: Fred Citizen <[email protected]>
Subject: Re: Catch up

Thank you so much. I want you to get 1 Apple gift card of $200 each you can order the gift cards to my email ([email protected]) and forward the order confirmation to me once done

the delivery date should be "now" so it will be delivered 5 mins after been ordered

message I want is "Happy Birthday you deserve the very best on this day".

Let me know how soon you can handle this, awaiting your response
__________

Did any contacts fall for the scam?

Luckily, 'Fred' was alerted to this being a scam before he purchased any gift card. Another person was also about to purchase, but was also alerted just in time.

At the time Jane and I spoke, she had not heard if any other recipients had fallen for the scam. In fact, until our appointment, she had no way of working out who received the scam email, since her account's 'Sent' mail had been cleared of the messages that were sent by the hacker. All she had to go by were the texts and calls that she had received en masse on the day of the hacking.

Emails were then not being received

Jane came to see me because, even though she had secured her account as quickly as possible by changing her password, she had not received any new emails on her iPad or iPhone - even after providing the new password in the Mail apps on those devices.

So the first thing we did was sign in to her email account via a web browser. We found that the Inbox we saw via the web browser match that on the iPad and iPhone, so all was well with the setup on her iPad and iPhone. But it seemed impossible that she would have received NO emails for over 2 days

Emails were hidden away!

A closer look at the email account identified that the latest emails - received since the hacking incident - were actually in a folder/mailbox called Conversation History, instead of in the Inbox. She had definitely not moved them there.

In that folder, she found a very long list of emails from her contacts - people who replied to the hacker's 'ask a favour' email to ask whether it was really her sending that email. The hacker (of course) saw these replies, but she did not. ​

How did the emails get to that hidden place?

If she didn't move the emails to Conversation History, how did they get there? How was it she got no notifications of new messages arriving?

We checked the Settings for her email account (which is a Microsoft hosted account, accessed via the website outlook.live.com), specifically looking at the Rules option in Settings - just to check if there was anything strange there.

Rules allow you to automatically carry out action/s when an email is received - including moving emails out of Inbox and into an alternative folder.

This is exactly what the scammers had set up. All her incoming emails were being moved to the Conversation History folder immediately, leaving her Inbox looking like there had not been any new mail. ​

An extra nasty sting in the hacker's Rule

But there was something really nasty that we also saw in that Rule.

Not only had the hacker set the emails to move out of the Inbox - they had also set the incoming mail to forward to an alternative email address, [email protected]. We had to do a double-take, because it looked so much like her own email address - simply replacing the msn.com suffix with outlook.com. But she doesn't own that other outlook.com email address.

Even though both msn.com and outlook.com emails are hosted by Microsoft, they are actually totally different email addresses. So [email protected] is a totally different email address entirely to [email protected]. (I had to look that one up, because I thought one might be an alias for the other.) 

So this means that the hacker had been receiving all her incoming emails (mail that she wasn't seeing) even after she changed her password and locked them out of her account. ​

Hacker can now engage with Jane's contacts, pretending to be her

Not only that, the fact that the fake email address is almost the same as her real one leads me to assume that the hacker will most likely engage with her contacts from that other email address, pretending to be her. This could happen at any time in future.

It would be really hard to tell by looking at the 'From' email address that the email is not from the real Jane.

What can this client do?

The first thing this client needed to do was set up multi-factor authentication on her email account, so that her password is not enough to provide access to the email account in future.

Given the situation with the fake email address - and the fact that many of her contacts received previous scam emails from her real email account - I suggested to her that she needs to email all of her contacts to advise them that she has been hacked, that they may have already received one or more scam emails from her own email address, and to warn them about the potential for future scam emails that appear to come from her, from that other email address.

We drafted an email for her to send to each of the people/organisations in her emails/contacts. (Sorting the mailboxes in order of 'From' helped to identify the people with whom she corresponds, because not everyone was found to be in her account's Contacts.)

She will also report that scam email account to Microsoft, to see if they can do anything about it - a process that we kicked off while she was here.

The longer a hacker has access, the more damage they can do

If a hacker has prolonged access to an email account, there is also so much more they can do.

For example, for certain types of online accounts, they may be able to reset passwords - by requesting a password reset code be sent to the email account.

Sometimes, they 'camp out' in the email account, silently waiting for a correspondence that relates to a payment request, to a bank account. They then hijack that email to insert fake bank account details in the email received by one party or the other, so the payment goes to the wrong person. This is known as a 'man in the middle' attack.

Some people include credit card details in emails that they send to others. A hacker can find such information in your emails. (Tip: Never send credit card details in emails or messages.)

The hacker may also trawl through your emails for other identity information, and steal your identity. Using information found in your emails, they may try to hack other accounts.

Depending on what they find in your emails, they could even try to blackmail you.

And, of course, they can engage with people and pretend they are you.

If you have been (or suspect you have been) hacked

scamwatch_cheat_sheet_2.pdfHere is a downloadable information sheet that I put together for client recently, incorporating information from the Scamwatch website (scamwatch.gov.au) as well as some other tips and suggestions.

You will see it talks about what to do if you have been scammed - which may include contacting IDCARE, Scamwatch, the Police, your bank, Credit Reporting agencies, and your contacts. It also has tips on how to avoid being scammed, and includes a link to a really handy resource from Scamwatch, The Little Black Book of Scams.

iTandCoffee can help

If you need support after being the victim of a scam - or to perhaps to secure your account to minimise your chance of becoming a victim of a scam - make a time with iTandCoffee here or email [email protected].