Received a call this week from a client. The issues they were having were as follows.
1: Not receiving any email.
2: Calls from friends and aquaintances that they were receiving strange emails from my client requesting help obtaining a $200 gift card for their nephew and if my client would purchase the gift card they would gladly pay them back when they got back to town.
3: Believing that their email account had been compromised, they attempted to reset the password but were unable to get a reset code from the their email provider.
So where do we go from here. I opened their email program and sent a test message to my account and it went through with no problem. I then clicked on Reply and saw immediately that the reply to email address was not theirs. It was close but no cigar. This was the secret sauce that allowed me to determine the issues.
How a hacker got their credentials to the email account may never be known. Most likely they received an official looking request purportedly from their email provider asking them to verify their account by logging in and providing a very pretty button to click that took them to a spoofed page that looked like their email providers login page. Once they entered their username and password the hacker had it.
Next the hacker logged into their email account, went to settings and made some changes. First the piece of scum changed the default “Reply to Address” from my client’s email to his spoofed email account so that any one that received a strange email from my client, if they clicked on reply to respond to the email, that response went to the hacker and not to my client.
Next he set up “Forwarding” so that all emails that came to my client were automatically forwarded to the cyberpunk. This way he could over time determine who my client banked with, utility bills, friends, family etc.
Then this garbage crook turned on Vacation Response so that anyone emailing my client would receive a response that my client was out of town and couldn’t reply at this time.
Finally, this waste of life, created an Email Rule that automatically archived all incoming emails. Consequently my client believed that he was not receiving any emails because they didn’t go to the inbox but went to the archive folder.
After correcting all the false settings, we were able to reset the password for the account. Next we turned on two-factor authentication. What this does in my client’s case, is that when anyone logs into the email from anywhere other than his main computer or his phone, the email provider sends a code via text message to my client’s phone which has to entered into the login screen within a short period of time.
This way, even if a hacker were to get hold of the username and password of the account, and then tried to log in from, oh let’s say, Pakistan, the hacker would be required to enter the authentication code which appeared on my client’s phone and not in Pakistan. Without the code, the email account would stay locked and the hacker denied access.
Be extremely vary of official looking emails requesting that you login or your account is or will be locked, suspended, deleted etc. Your email provider already has this information and certainly doesn’t need it from you. If you really think it is a legitimate request, surf to your actual providers page and log in there. DO NOT press the button in the email that says Verify, or Log in.
And please consider setting up two-factor authentication. It’s for your safety!
Bits & Bytes 