
Phishing Attack. Clever!

During a recent board meeting I was informed that one or two of our larger clients (car manufacturers) demanded that our email passwords be renewed every month. Every bloody month! I hit the roof. Like a lot of people these days who live, sleep, eat and breathe emails, I access them on every device possible including phones, tablets, laptops and other PCs. Each one would need the new password entered (assuming I could remember it!) 12 times a year. The world's gone mad. But despite the fact I own the company and therefore chair the board, I had no option. Comply or lose clients.

The next day I received the notification I was waiting for to renew my password. It was a typical Microsoft Exchange notification to click here and type in my current password which I duly did, followed by a web screen asking for my new password, which it confirmed had been changed. Now all I had to do was change the password in all my other devices which I would get around to doing later. Total pain in the whatever.

The next thing that happened was a call from my CEO asking if I'd requested a payment by our Financial Controller to a building company for several thousand pounds. Apparently I'd sent her an email asking if she'd rush it through.

I'd been hacked.

The password changing routine had obviously been a phishing exercise that thanks to my being alert (and still angry), I had reluctantly been waiting to happen. Of course I had received emails like this before, but this time the timing was unfortunate + the email and website it took me to were very convincing.

Luckily my team were on the ball - quite apart from them knowing I would never ask for personal expenses to be passed through my company. So we didn't lose any money. My email account was frozen and my password was immediately changed by our IT chaps, so no lasting damage done... except for one thing...

A few days later I received an email from the CEO replying to an email sent to the whole board by our Financial Controller - including me, but which I hadn't received. In fact after a number of tests, although I could send her emails, none of her replies came into my inbox.

IT took a few days to find out what was going on, but eventually they discovered that the phishers had:
  1. Captured my password and logged into my email account through webmail
  2. Read enough emails to discover who controlled our payments
  3. Sent her an email from me requesting a payment
  4. Even more cunningly, they had also set up a rule that automatically forwards all emails to me, from her, into my RSS inbox (which no-one ever reads). So if she replied "OK" or something like that, which most people would have done to acknowledge they'd done what they were asked, I wouldn't be alerted to the fraud.

So all I had left to do was delete that rule from Outlook. But when I looked for it, it wasn't there...

Until I looked at the small print right at the bottom of the Outlook dialog window which said something like 'rules set up through webmail won't appear here'. Sure enough when I logged into my email account through webmail rather than Outlook on my laptop, there was the rule.
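A defender's check for the kind of rule described above, as an added example that is not part of the original post: it audits a mailbox's server-side rules and flags any that move or delete incoming mail out of sight, ranking rules aimed at payment approvers highest. The rule records, their field names and the addresses are constructed assumptions, not a real Exchange export format.

```python
"""Audit a mailbox's server-side inbox rules for reply-hiding rules.

Added example. The rule records are constructed, and their field names
(name, from, move_to_folder, delete) are an assumed export layout.
"""

# Folders a user is unlikely to open; "RSS Feeds" is the one in the post.
RARELY_READ = {"rss feeds", "rss subscriptions", "junk email",
               "deleted items", "conversation history"}


def hiding_actions(rule):
    """Return the actions in a rule that keep mail out of the user's sight."""
    actions = []
    folder = (rule.get("move_to_folder") or "").strip().lower()
    if folder in RARELY_READ:
        actions.append(f"moves to '{rule['move_to_folder']}'")
    if rule.get("delete"):
        actions.append("deletes")
    return actions


def audit_rules(rules, sensitive_senders):
    """Return sorted (severity, rule name, reason) for each suspicious rule."""
    sensitive = {s.strip().lower() for s in sensitive_senders}
    findings = []
    for rule in rules:
        actions = hiding_actions(rule)
        if not actions:
            continue  # ordinary filing rule, nothing is hidden
        senders = {s.strip().lower() for s in rule.get("from", [])}
        hit = senders & sensitive
        if hit:  # hides mail from someone who approves payments
            sev, who = "HIGH", ", ".join(sorted(hit))
        else:    # hides mail, but not from a known approver
            sev, who = "MEDIUM", ", ".join(sorted(senders)) or "all senders"
        findings.append((sev, rule["name"], f"{' and '.join(actions)} for {who}"))
    return sorted(findings)


SAMPLE_RULES = [  # constructed sample, not taken from the incident
    {"name": "Newsletters", "from": ["news@vendor.example"], "move_to_folder": "Newsletters"},
    {"name": ".", "from": ["FC@company.example"], "move_to_folder": "RSS Feeds"},
    {"name": "cleanup", "from": [], "delete": True},
]
FINANCE = ["fc@company.example"]  # hypothetical payment approver

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, FINANCE):
        print(*finding, sep=" | ")
```

The input should be the rule list as the mail server stores it, since a rule like the one in this post did not show up in the desktop client.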

WHY?

Microsoft had assisted the fraud by ensuring I would be oblivious to the rule the fraudsters had set up. Who goes into their webmail? I only ever use it if I'm at a public terminal and I don't have one of my many devices at hand ready-loaded with a logged-in, and password-enabled email manager.

This does seem a daft state of affairs where rules in one version of Outlook aren't the same as the rules in Outlook.com - for the same email account. And dangerous for exactly the reason I had discovered.

Turns out, this constant password changing ritual is more of a danger to security than sticking with a sensible one in the first place. I would love to wake up in a world where passwords have been consigned to history and tech has found an easier and safer way to ensure I am who I say I am.

