Skip to main content

Phishing Attack. Clever!

During a recent board meeting I was informed that one or two of our larger clients (car manufacturers) demanded that our email passwords be renewed every month. Every bloody month! I hit the roof. Like a lot of people these days who live sleep eat and breath emails, I access them on every device possible including phones, tablets, laptops and other PCs. Each one would need the new password entered (assuming I could remember it!) 12 times a year. The world's gone mad. But despite the fact I own the company and therefore chair the board, I had no option. Comply or lose clients.

The next day I received the notification I was waiting for to renew my password. It was a typical Microsoft Exchange notification to click here and type in my current password which I duly did, followed by a web screen asking for my new password, which it confirmed had been changed. Now all I had to do was change the password in all my other devices which I would get around to doing later. Total pain in the whatever.

The next thing that happened was a call from my CEO asking if I'd requested a payment by our Financial Controller to a building company for several thousand pounds. Apparently I'd sent her an email asking if she'd rush it through.

I'd been hacked.

The password changing routine had obviously been a phishing exercise that thanks to my being alert (and still angry), I had reluctantly been waiting to happen. Of course I had received emails like this before, but this time the timing was unfortunate + the email and website it took me to were very convincing.

Luckily my team were on the ball - quite apart from them knowing I would never ask for personal expenses to be passed through my company. So we didn't lose any money. My email account was frozen and my password was immediately changed by our IT chaps, so no lasting damage done... except for one thing...

A few days later I received an email from the CEO replying to an email sent to the whole board by our Financial Controller - including me, but which I hadn't received. In fact after a number of tests, although I could send her emails, none of her replies came into my inbox.

The IT took a few days to find out what was going on but eventually they discovered that the Phishers had:
  1. Captured my password and logged into my email account through webmail
  2. Read enough emails to discover who controlled our payments
  3. Sent her an email from me requesting a payment
  4. Even more cunningly, they had also set up a rule that automatically forwards all emails to me, from her, into my RSS inbox (which no-one ever reads). So if she replied "OK" or something like that, which most people would have done to acknowledge they'd done what they were asked, I wouldn't be alerted to the fraud.
So all I had left to do was delete that rule from Outlook. But when I looked for it, it wasn't there...

Until I looked at the small print right at the bottom of the Outlook dialog window which said something like 'rules set up through webmail won't appear here'. Sure enough when I logged into my email account through webmail rather than Outlook on my laptop, there was the rule.

WHY?

Microsoft had assisted the fraud by ensuring I would be oblivious to the rule the fraudsters had set up. Who goes into their webmail? I only ever use it if I'm at a public terminal and I don't have one of my many devices at hand ready-loaded with a logged-in, and password-enabled email manager.

This does seem a daft state of affairs where rules in one version of Outlook aren't the same as the rules in Outlook.com - for the same email account. And dangerous for exactly the reason I had discovered.

Turns out, this constant password changing ritual is more of a danger to security than sticking with a sensible one in the first place. I would love to wake up in a world where passwords have been consigned to history and tech has found an easier and safer way to ensure I am who I say I am.


Comments

Popular posts from this blog

Phillips screws - yes I'm angry about them too

Don't get me wrong. They're a brilliant invention to assist automation and prevent screwdrivers from slipping off screw heads - damaging furniture, paintwork and fingers in the process. Interestingly they weren't invented by Mr Phillips at all, but by a John P Thompson who sold Mr P the idea after failing to commercialise it. Mr P, on the otherhand, quickly succeeded where Mr T had failed. Incredible isn't it. You don't just need a good idea, you need a great salesman and, more importantly, perfect timing to make a success out of something new. Actually, it would seem, he did two clever things (apart from buying the rights). He gave the invention to GM to trial. No-brainer #1. After it was adopted by the great GM, instead of trying to become their sole supplier of Phillips screws, he sold licenses to every other screw manufacturer in the world. A little of a lot is worth a great deal more than a lot of a little + vulnerability (watch out Apple!). My gromble is abo

Would we pay more for their stuff?

I'm confused. Brexiters argue the Germans, Italians and French will still want to sell us their cars, so continued free trade with the UK is in their best interests. But we'll have to negotiate this (with an EU unwilling to make leaving easy) by threatening to make their cars more expensive for British people to buy. We'll do this because WE need to make imports more expensive to try to restore our balance of payments. Are Brits prepared to pay more for their Audis, Fiats and Renaults in order to make British cars more appealing, or do Brexiters want to pay more in order to punish them for taxing our insurance and banking products? Either way, imports will cost more. While in the EU, we buy their cars because we like the choice and don't want our own government to tax them. Indeed it would be better for British car manufacturing if we went back to the good old days of being encouraged to buy cheaper British cars (made by foreign owned factories). Is that what Brexite

Brilliant Inspiring Statues