
Phishing Attack. Clever!

During a recent board meeting I was informed that one or two of our larger clients (car manufacturers) demanded that our email passwords be renewed every month. Every bloody month! I hit the roof. Like a lot of people these days who live, sleep, eat and breathe emails, I access them on every device possible including phones, tablets, laptops and other PCs. Each one would need the new password entered (assuming I could remember it!) 12 times a year. The world's gone mad. But despite the fact I own the company and therefore chair the board, I had no option. Comply or lose clients.

The next day I received the notification I was waiting for to renew my password. It was a typical Microsoft Exchange notification to click here and type in my current password which I duly did, followed by a web screen asking for my new password, which it confirmed had been changed. Now all I had to do was change the password in all my other devices which I would get around to doing later. Total pain in the whatever.

The next thing that happened was a call from my CEO asking if I'd requested a payment by our Financial Controller to a building company for several thousand pounds. Apparently I'd sent her an email asking if she'd rush it through.

I'd been hacked.

The password changing routine had obviously been a phishing exercise that thanks to my being alert (and still angry), I had reluctantly been waiting to happen. Of course I had received emails like this before, but this time the timing was unfortunate + the email and website it took me to were very convincing.

Luckily my team were on the ball - quite apart from them knowing I would never ask for personal expenses to be passed through my company. So we didn't lose any money. My email account was frozen and my password was immediately changed by our IT chaps, so no lasting damage done... except for one thing...

A few days later I received an email from the CEO replying to an email sent to the whole board by our Financial Controller - including me, but which I hadn't received. In fact after a number of tests, although I could send her emails, none of her replies came into my inbox.

IT took a few days to find out what was going on but eventually they discovered that the phishers had:
  1. Captured my password and logged into my email account through webmail
  2. Read enough emails to discover who controlled our payments
  3. Sent her an email from me requesting a payment
  4. Even more cunningly, they had also set up a rule that automatically forwards all emails to me, from her, into my RSS inbox (which no-one ever reads). So if she replied "OK" or something like that, which most people would have done to acknowledge they'd done what they were asked, I wouldn't be alerted to the fraud.

So all I had left to do was delete that rule from Outlook. But when I looked for it, it wasn't there...

Until I looked at the small print right at the bottom of the Outlook dialog window which said something like 'rules set up through webmail won't appear here'. Sure enough when I logged into my email account through webmail rather than Outlook on my laptop, there was the rule.

WHY?

Microsoft had assisted the fraud by ensuring I would be oblivious to the rule the fraudsters had set up. Who goes into their webmail? I only ever use it if I'm at a public terminal and I don't have one of my many devices at hand ready-loaded with a logged-in, and password-enabled email manager.

This does seem a daft state of affairs where rules in one version of Outlook aren't the same as the rules in Outlook.com - for the same email account. And dangerous for exactly the reason I had discovered.
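An added example, not part of the original post: a small audit for the kind of reply-hiding rule described above, run over mailbox rules an administrator has exported server-side as JSON. The records are constructed, and the field names and the `watched_senders` list of payment approvers are assumptions modelled on what Exchange's `Get-InboxRule` reports.

```python
import json

# Folders people rarely open; the rule in the post moved mail to the RSS folder.
QUIET_FOLDERS = ("rss", "junk", "deleted items", "conversation history")

# Constructed sample data. Field names are an assumption modelled on the
# properties Exchange's Get-InboxRule reports for server-side rules.
SAMPLE_RULES = json.loads("""[
 {"Name": "Newsletters", "From": [], "MoveToFolder": "Reading",
  "DeleteMessage": false, "MarkAsRead": false},
 {"Name": ".", "From": ["fc@example.com"], "MoveToFolder": "RSS Feeds",
  "DeleteMessage": false, "MarkAsRead": true},
 {"Name": "Old vendor", "From": ["sales@vendor.example"], "MoveToFolder": null,
  "DeleteMessage": true, "MarkAsRead": false}
]""")


def audit_rule(rule, watched):
    """Return (severity, reasons) if the rule conceals mail, else None."""
    folder = (rule.get("MoveToFolder") or "").lower()
    reasons = []
    if any(q in folder for q in QUIET_FOLDERS):
        reasons.append(f"moves mail to '{rule['MoveToFolder']}'")
    if rule.get("DeleteMessage"):
        reasons.append("deletes mail")
    if not reasons:
        return None
    if rule.get("MarkAsRead"):
        reasons.append("marks it as read")
    senders = {s.lower() for s in rule.get("From") or []}
    hit = sorted(senders & watched)
    if hit:  # hides replies from someone who controls payments
        return "high", reasons + [f"targets approver {', '.join(hit)}"]
    if senders:
        return "medium", reasons + ["scoped to specific senders"]
    return "low", reasons


def audit_mailbox(rules, watched_senders):
    """Map rule name -> (severity, reasons) for every concealing rule."""
    watched = {s.lower() for s in watched_senders}
    found = {r["Name"]: audit_rule(r, watched) for r in rules}
    return {name: hit for name, hit in found.items() if hit}


if __name__ == "__main__":
    for name, (sev, why) in audit_mailbox(SAMPLE_RULES, ["FC@example.com"]).items():
        print(f"[{sev}] rule {name!r}: {'; '.join(why)}")
```

Because the check reads the server-side rule list, it sees rules created through webmail even when the desktop client does not show them.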

Turns out, this constant password changing ritual is more of a danger to security than sticking with a sensible one in the first place. I would love to wake up in a world where passwords have been consigned to history and tech has found an easier and safer way to ensure I am who I say I am.

