I have been in the IT industry for more than 30 years, and I’ve operated under some of the strictest regulations in banking, finance, HIPAA, and medical equipment. In addition, I’ve worked with major institutions with extremely high cyber security standards, such as Fortune 10 companies, the Department of Defense, and the Veterans Administration.
As I’ve written in previous articles, people are the weakest link in our cyber defenses. As a result, the best tools for prevention in our security operations can be rendered virtually useless by someone opening a document, clicking a link, or voluntarily entering their security credentials.
I am incredibly diligent about practicing the security measures I teach and use the tools I sell … and I almost got hacked.
This is how it almost happened to me.
Alert 1 – Email Address Spoofing and Content
I own and manage CMIT Solutions of SE Wisconsin, and we provide the full range of IT services for small and mid-sized businesses. These services include simple one-time projects to replace or upgrade equipment as well as more complex services where we partially or entirely manage a customer’s entire IT for them. One of our specialties is cyber security, protecting our clients from cyber attacks and data security breaches.
To set the background, I was working with a Kenosha-based customer prospect to earn their business. We had several meetings and made several revisions to our proposal to develop an IT managed services plan that provided the best support and tools for an affordable price.
We were coming down to the close of the proposal cycle. The prospect had received several proposals from others, including their current technology support provider. I had just met with the prospect a few days prior and was expecting to hear from them about whom they would select.
It was a Monday, and I received the awaited email from my point of contact. The email was well written, and there were no apparent signs of spoofing.
Spoofing is when a hacker alters an email address to look like it’s coming from someone else. Usually, these are easy to spot, and the cyber security tools we have in place also do an excellent job of picking these up and either flagging them or outright rejecting them. For example, you may see the name Mary Smith in the sender’s address, but when you look closely, you see it is not from
MarySmith@hercompany.com. Instead, when you view the sender details, you know the email comes from DifferentPerson@wrongcompany.com.
This email definitely came from the person I was working with.
Alert 2 – Call to Action to a Bad Link
Many email attempts to trick you into doing something, such as releasing sensitive information, are poorly written or do not relate to your situation. For example, you may be told your Paypal account is suspended or receiving a delivery from Amazon, but you don’t use Paypal or haven’t ordered anything from Amazon recently.
This email was tailored to my situation – I was expecting a response to my proposal – and the email referenced the proposal.
The email message invited me to click a link to review the comments on the proposal. Unfortunately, this is a very common tactic. The hacker wants you to click a link or open an attachment so they can download malicious code to your system directly.
As with basic email spoofing, it can be easy to spot when a link doesn’t match its alleged destination. For example, the link text says “Click For Details About My Company,”… but when you look at the link properties, it is actually going to a different URL. Shortened URLs, like bitly and TinyURL, complicate this technique, but it is still a good check.
Some advanced email protection tools will also scan and flag email content that could be malicious or take the reader to a known bad site. These tools will block and/or flag suspected bad email messages to keep the reader from harm.
The call to action link was 100% legit. It went to a good site that only the sender would have access to.
I clicked the link, and here’s where things started to unravel.
Alert 3 – Request to Login
The link took me to the sender’s Microsoft OneDrive. The content of the email said the sender had made changes to the proposal I sent and wanted me to review the document and make changes (this is functionality allowed in OneDrive.)
I noticed the document’s name wasn’t the document I authored. Still, I was not terribly concerned. I justified that maybe the sender was consolidating different proposals and had put mine into some sort of standard or simply renamed it.
When I clicked the document, a request to enter my login credentials for Microsoft appeared. The login request looked good but was off enough to raise my suspicion that this may not be real. So I checked a few things and confirmed that the link had taken me outside the sender’s OneDrive account.
Because of these last few differences from what I was used to, I contacted the prospect and asked if they actually sent the email. It turns out the prospect’s Microsoft account had been hacked.
Someone had taken the time to read through the prospect’s email to review their key contacts, events taking place, and documents. Using this information, they then tried to fish others for their credentials. People think that this may be a lot of work, but to the hacker, it isn’t. They spend a few hours getting to know their victims and associates and then leveraging that data to hack more accounts. It is a very inexpensive way to make a lot of money.
Fortunately, I did not enter my credentials, so there was no harm, but it could have turned out worse. For good measure, I changed my own Microsoft password. I also use password vault locker technology so that all of my accounts have unique and complex passwords. If I had given up my Microsoft password, the exposure would have been limited to my Microsoft office account.
I also have an added layer of cyber protection around my Microsoft office products. These products will block access to my account based on where the person logging in is. They also trigger multi-factor authentication. They monitor core settings in my Microsoft account to prevent and/or detect, then alert me to any suspicious activity with my accounts.
Some of these more sophisticated tools may be too costly for an individual to have on their personal accounts, but these tools are becoming essential to a business. Simple anti-virus and anti-malware software are not enough for their critical infrastructure and computer networks.
If you are interested in learning more about cyber security and how CMIT Solutions of SE WI can help keep your business safe, email me at mhoffmann@cmitsolutions.com or call us at 262-207-4211.
Please follow us on LinkedIn, Facebook, and, of course, on Kenosha.com’s Tech Thursday blog.
