This week we want to put out a warning about a particularly sneaky email hack that we’ve started seeing circulate. It highlights one of the biggest vulnerabilities in any IT infrastructure: the human beings. In this particular scheme, the tactic being used is almost entirely what we refer to as “social engineering”… basically using human nature to trick people into giving away confidential information.
The short version of this article is this: beware of any links that get sent to you via email or in a text.
If you receive an email, even from a “known” source, asking you to click a link to share or sign a document, first stop and ask yourself a few questions:
- Am I expecting anything from this person?
- Does this person usually send this kind of thing?
- What’s my gut say?
Then before going ahead:
- Double-check the link by hovering over it before clicking.
- Log into your Office 365 or Docusign account by going to the login page directly rather than by clicking on the link.
- Consider investing two minutes of your time to either phone or text the sender to verify if the email was legitimate.
If you have the least bit of suspicion, delete the email or text. If it turns out to be legitimate, it can always be resent.
So what’s this latest scheme look like?
As mentioned before, what’s really sneaky about this latest scheme is that it may not even involve any malware. In other words, there is nothing for traditional anti-virus software to detect, even the latest in “smart” malware detection.
The first step is that the hackers break into a legitimate website, but then they do absolutely nothing noticeable to the site. The now-compromised host site continues working completely normally. Instead, the hackers hide a fake webpage within the site that looks like an Office 365 login page or Docusign page. But because the host website is completely legitimate, it will not necessarily register with anti-malware software as a problem.
The second step is to send out an email directing people to the hidden fake webpage. Once there, anyone who types in their username and password, thinking it’s an actual Office 365 login page for example, has basically handed over the keys to their email account and given the hackers full access.
And at this point, once again, it appears the hackers do absolutely nothing noticeable… at least not at first.
Although we do not have definitive proof of this, based on what we see in the next step, we suspect the hackers are first taking some time to simply look around in people’s email accounts.
One thing they could be looking for is other passwords that have been sent by email (which, for example, could allow them ‘legitimate’ access to yet another website to sneak into as part of perpetuating this scheme). Another thing might be the names of other people and projects, especially key company personnel like CFOs and COOs who have access to even more valuable information. This, in part, allows the hackers to sound more legitimate for the next step in the scheme.
The third step is to spread this hack even further. First the hackers set up mail rules to divert incoming email away from the inbox. It now looks to the owner of the mailbox that there is no incoming email. Second, the hackers send out the same original fake email directly to every contact in the address book of the compromised email account. Because of the mail rules, the owner won’t see any reply emails asking about these emails, hence our suggestion that you call or text to verify. And once again, it bypasses traditional anti-virus because, as far as any computer is concerned, these are all legitimate emails from a known contact.
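The mail-rule trick described above leaves a footprint an administrator can look for. As an added example (not part of the original post), this PowerShell script audits every Exchange Online mailbox for inbox rules that delete, hide or divert incoming mail; it also flags forwarding rules, which the scheme above does not mention but which serve the same purpose. It assumes the ExchangeOnlineManagement module is installed, the account running it holds an Exchange administrator role, and `$ReportPath` is a placeholder output location.

```powershell
# Added example: find inbox rules that keep mail out of the owner's view.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ReportPath = ".\suspicious-inbox-rules.csv"   # assumed output path

# Folders where diverted mail tends to be parked so the mailbox owner never sees it.
$hideFolders = 'RSS Feeds', 'RSS Subscriptions', 'Archive', 'Deleted Items',
               'Junk Email', 'Conversation History', 'Notes'

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ($rule.MarkAsRead)    { $reasons += 'marks messages as read' }
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards or redirects messages'
        }
        if ($rule.MoveToFolder) {
            $hit = $hideFolders | Where-Object { $rule.MoveToFolder -like "*$_*" }
            if ($hit) { $reasons += "moves messages to $($rule.MoveToFolder)" }
        }
        # Common heuristic: rules named with one or two characters (e.g. ".") are
        # rarely created by the mailbox owner.
        if (([string]$rule.Name).Trim().Length -le 2) { $reasons += 'empty or very short rule name' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Reasons  = $reasons -join '; '
            }
        }
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Enumerating every mailbox is slow in a large tenant; the unified audit log's `New-InboxRule` and `Set-InboxRule` operations give the same signal in near real time and show which account created the rule and from where.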
It’s even more insidious when the compromised email account belongs to a company owner or CEO and the fake email addresses other C-level executives by name, using details the hackers may have gathered during their initial research after first getting access to the account.
So what else can we do about it?
Within the IT profession, we half-jokingly say that of the three qualities you want for your technology – security, convenience, low cost – you can only pick two. Convenient low-cost tech won’t be secure. Secure low-cost tech won’t be convenient. Easy-to-use tech that is also secure comes at a cost.
And as this story makes clear, that cost isn’t necessarily in more technology. By all means, you should ensure that you do have the latest anti-virus tools at your disposal. But your security investment should also include training and retraining your staff.
As you look at your overall IT security plan, consider the following:
- Do you have stated IT security policies and procedures? Is it part of new employee orientation and training?
- Do you have regular reminders or refresher training on IT security?
- Do your company policies and corporate culture reward employees for coming forward quickly if they make a mistake and click on a compromised link? Or will the fear of reprisal result in a possible breach becoming even worse?
- When’s the last time you tested your IT security, both for technological and human vulnerabilities?
- Is your IT infrastructure being properly supported on both the technological and human fronts?
As always, we welcome your comments and feedback on this critical topic. What have been your best and worst experiences? What have been the most important lessons you’ve learned? Please feel free to share below…