The anatomy of a targeted email account hack

Image courtesy of FreeDigitalPhotos.net

“OMG! My email is hacked!”
This is a true account of an email hack we’ve just witnessed and helped a client through. It all started with our client’s bank account manager calling our client (we’ll call him Bob here):
Bank:

Bob, Happy New Year! We have received an email from your account that is asking for a lot of financial information. It looked suspicious, so I wanted to confirm if you really are asking this?

Bob:

Thank you for calling but no, I did not ask for that.

It was very clear to Bob that something was very wrong with his email account. The easiest thing would have been to write it off as a spam message where the sender had faked the FROM address and it had made it through the bank’s SPAM filter. But that is actually hard to pull off these days. Bob decided to take immediate action, which turned out to be very wise.
The next call from Bob was to his staff and our support team to find out what happened, and the following timeline is what we discovered.
11:45am – The Banker calls Bob with the verification conversation outlined above
11:55am – Bob calls his staff to find out what’s going on
12:00pm – A call is placed by Bob’s staff to Nerds On Site for support
12:22pm – Due to the nature of the request, I (David) attempted to reach Bob directly to offer some immediate action, but Bob is on the road with poor mobile coverage
01:19pm – I get an email myself from Bob that looks like this:

Screenshot of the email from Bob to me

01:22pm – Bob is able to call me back. By this point several more people have called him to advise that they are getting emails from him that appear suspect, so we immediately take action, including:

    • Immediate password reset (after confirming with Bob that this would be ok, of course)
    • Logged into Bob’s account on Google Apps with the new password
    • Checked the “Details” link (at the bottom right of all Google Apps or Gmail accounts), which showed an active session from Malaysia as shown here:

Screenshot of the Google Apps account activity details, showing the foreign session and the sign-out option

    • Logged out the Malaysia session to disable any further unauthorized activity (it is important to note that just because the session shows the browser is in Malaysia, it is highly unlikely that this is where the real culprit sits, as hackers have methods of covering their tracks)
01:38pm – I start getting other nerds’ alerts (ones that have worked with Bob before) that something is wrong with Bob’s email because they’re getting phishing emails from Bob. I update them to advise the account has been fixed.
01:50pm – Since the immediate correction of the account access has been completed, we begin further investigation and determine the following:

    • The “Click here” link in the email goes to a URL on the domain archivex-ht.tk, which is registered in Tokelau
    • The actual website is hosted by a web hosting provider in Tempe, Arizona
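As an added example (not code from the original post or from Nerds On Site), here is a small Python script that pulls every link out of an HTML email body and flags the ones that deserve a second look: a lure such as “Click here” that leads away from the sender’s own domain, a domain on a free ccTLD such as .tk, or link text that shows one address while the href goes somewhere else. The message body, the sender domain example.com and the TLD watchlist are constructed for illustration; only the archivex-ht.tk domain comes from the post.

```python
"""Extract links from an HTML email body and flag the ones worth scrutiny.

Added example, not code from the original post. The sample body is
constructed; archivex-ht.tk is the domain the post names. The TLD
watchlist and the sender domain are assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the "Click here" lure described in the post.
SAMPLE_BODY = """
<html><body>
<p>Hi, please review the attached document.</p>
<p><a href="http://archivex-ht.tk/docs/view.php?id=1">Click here</a> to view.</p>
<p>Regards,<br>Bob</p>
<p><a href="https://www.example-bank.com/">https://www.example-bank.com/</a></p>
<p><a href="http://198.51.100.7/login">https://mail.google.com/</a></p>
</body></html>
"""

SENDER_DOMAIN = "example.com"                  # assumed domain of Bob's organisation
SUSPECT_TLDS = {"tk", "ml", "ga", "cf", "gq"}  # assumption: free ccTLDs frequently abused
GENERIC_LURES = {"click here", "here", "view document", "open"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def analyse_links(html, sender_domain=SENDER_DOMAIN):
    """Return (href, reason) findings for links that deserve scrutiny."""
    findings = []
    for href, text in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        tld = host.rsplit(".", 1)[-1] if "." in host else ""
        # 1. The visible text is itself a URL, but the href points elsewhere.
        if text.startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown and shown != host:
                findings.append((href, f"link text shows {shown} but href goes to {host}"))
                continue
        # 2. The destination sits on a watchlisted free TLD.
        if tld in SUSPECT_TLDS:
            findings.append((href, f"domain uses watchlisted TLD .{tld}"))
            continue
        # 3. A generic call-to-action that leads off the sender's own domain.
        if text.lower() in GENERIC_LURES and not host.endswith(sender_domain):
            findings.append((href, "generic 'click here' lure pointing off-domain"))
    return findings


if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_BODY):
        print(f"{reason}: {href}")
```

Run against the constructed body, the script reports the .tk lure and the link whose text claims to be mail.google.com while the href is a bare IP address; the bank link, whose text and href agree, passes. The same checks run over a real message body would have surfaced the archivex-ht.tk link before anyone clicked it.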
03:42pm – Bob receives our full summary of our investigation, actions and next steps for protection reasons. Included is a warning that Bob should assume the attackers downloaded his full address book and all of his email history. The attackers can take their time now and build a full comprehensive picture around his life and continue to target him for years to come. Admittedly, this is horrible news, but pretending it’s over would be foolish.
03:56pm – We take further action to notify the web hosting provider that they are hosting a phishing website
04:21pm – Finally the Firefox built-in Phishing and Malware Protection was catching the embedded link as a web forgery as you can see here:
Screenshot of Firefox’s web forgery warning for the embedded link
A couple of questions Bob had for me today:

  1. Why was it not spam?

Answer: Junk-mail flagging algorithms take many factors into consideration. The strongest influence is found in the headers of the message, which are the technical/diagnostic information behind each email message that shows a “trace” of the message’s path. In this particular case, the email came from a legitimate account operated by a hacker. Algorithms don’t catch those immediately, but once the contents start getting flagged by other recipients, the algorithm catches up.
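To make the header point concrete, here is an added Python example (not code from the original post or from Nerds On Site) that walks the Received: trace of a raw message in transit order and reports where the message first entered the public mail path. The message is constructed: the hostnames and the 192.0.2.x / 203.0.113.x addresses are documentation-range placeholders. Because the mail in this incident genuinely left Google’s servers, a trace like this one looks clean, which is exactly why header-based scoring had nothing to object to and filtering only caught up once recipients reported the content.

```python
"""Walk a message's Received: trace to see where it actually entered the mail path.

Added example, not code from the original post. RAW_MESSAGE is constructed
to resemble mail sent from a hijacked Google Apps account; hostnames and
IP addresses are placeholders from the documentation ranges.
"""
import email
import re

# Constructed sample. Headers are listed newest-first, as MTAs prepend them,
# so the last Received: line is the origin.
RAW_MESSAGE = b"""Received: from mail-bank.example.net (mail-bank.example.net [203.0.113.9])
\tby mx.example-bank.com with ESMTPS id abc123;
\tWed, 2 Jan 2013 11:40:02 -0500
Received: from mail-xx0-f171.google.com (mail-xx0-f171.google.com [192.0.2.171])
\tby mail-bank.example.net with ESMTPS id def456;
\tWed, 2 Jan 2013 11:40:01 -0500
Received: by mail-xx0-f171.google.com with SMTP id ghi789;
\tWed, 2 Jan 2013 11:40:00 -0500
From: Bob <bob@example.com>
To: banker@example-bank.com
Subject: Financial information required
Date: Wed, 2 Jan 2013 11:39:58 -0500
Content-Type: text/plain

Please send the following financial information ...
"""

# "from <host> (<reverse-dns> [<ip>]) ... by <host>"
HOP_RE = re.compile(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)
BY_RE = re.compile(r"\bby\s+(\S+)")


def received_chain(raw):
    """Return the Received hops in transit order (origin first)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2) or "", "by": m.group(3)})
        else:
            # "Received: by host ..." with no "from" clause: the submitting MTA itself.
            by = BY_RE.search(text)
            hops.append({"from": None, "from_info": "", "by": by.group(1) if by else None})
    return hops


def first_external_hop(raw):
    """First hop carrying a 'from' clause: where the message entered the public mail path."""
    for hop in received_chain(raw):
        if hop["from"]:
            return hop
    return None


def origin_consistent_with_sender(raw, provider_suffix=".google.com"):
    """True when the handing-off server belongs to the sender's expected provider.

    A clean result here is exactly the situation in the post: the account was
    real, so the trace gives a filter nothing to object to.
    """
    hop = first_external_hop(raw)
    return hop is not None and hop["from"].lower().endswith(provider_suffix)


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(RAW_MESSAGE), 1):
        print(f"hop {i}: from={hop['from']} by={hop['by']} ({hop['from_info']})")
    print("origin matches sender's provider:", origin_consistent_with_sender(RAW_MESSAGE))
```

The only hop a receiving filter can verify is the one that handed the message to it; everything earlier is whatever the previous server wrote. That is why a message submitted through a compromised but genuine account trips no header-based signal and has to be caught on content or recipient reports.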

  2. What have the thieves done to cover their tracks?

Answer: Hackers will use multiple methods to cover their tracks and maximize the mileage they obtain at your expense. In this case they did the following:

    • Immediately deleted the sent emails (and emptied the trash)
    • Deleted all contacts (to make it harder for the legitimate account holder to send a warning message to everyone in the address book)
    • Attackers also often use technologies such as TOR (The Onion Router) to mask their true origins and identities
  3. You recommended further securing my account – how do we do that?

Answer: In my written recommendation, I included every step that Google recommends in their Gmail Security checklist, and indicated which ones required action on his own part.
  4. How do I get my contacts back that the hacker(s) wiped out?

Answer: One of the advantages of being on Google Apps for Business is the automatic regular backup of contacts that Google does on your behalf. As you can see here, you can go back to a point in time up to 30 days in the past to restore your contact list:

Screenshot of how you can restore contacts

We simply restored the contact list from a backup taken two days earlier, and Bob carefully verified that it is complete and accurate.

  5. How did the attacker get my password?

Answer: We may never know how Bob’s password was compromised. We do know it was compromised, though. Bob’s password had mixed lower and upper case characters and even included a non-alphabet character. Here are some possibilities of how his password was compromised:

    • Bob’s password was only 7 characters long, so it’s entirely possible it was brute-forced (trying any/every combination)
    • Bob may have used the same password on previously-compromised sites (LinkedIn, DropBox, so many services have had compromises this past year)
    • We ruled out clear-text usage, meaning unencrypted passwords sent while using a public hotspot (this was ruled out because https is enforced for webmail and IMAP4S is also enforced)

If there is one single lesson from this for everyone (at least everyone on Google Apps), it is to enable 2-step authentication. This ensures that even if an attacker has your password, they won’t be able to do anything unless they also have your verified mobile phone.
Please protect yourself and let us know if we can help. The link for Gmail and Google Apps users is here:
https://support.google.com/accounts/bin/answer.py?hl=en&answer=180744
UPDATE#1: If you are not on Google Apps, at the very least apply a very strong password to your account. It may be a good time to learn about how to make a safe computer password here:
https://abclocal.go.com/kabc/story?section=news/consumer&id=8361856
