It is 9:30 am and you are getting ready to leave for a flight. All of a sudden, your co-workers or friends start to message you that you are sending weird or suspicious emails. You haven't sent an email all day so this is confusing so you check your email and see the strange emails. Then you stop receiving emails all together.
Sounds terrible right? Well this is a similar scenario to what happens in most email compromises and this specific story is what happened to my mother-in-law as she was traveling yesterday.
Unfortunately this happens more often than you expect and is a typical way that cyber threat actors (CTA) will gain a beach head into the network they have attacked. There are some typical things the CTA will do to increase their chaos, but are easy to find and mitigate. So let us look at their actions and those mitigation efforts.
Threat Actor Actions
Obviously, in the scenario above one of the first things that the CTA has done is send emails that are not in your likeness or with links to suspicious websites. Either way, these emails are all attempting to get your attention and have you respond either by replying to the email or clicking a link. For instance, it could be as simple an email as:
Hello there. I need your help. Can you give me a good contact number?
Or it could be something more forceful such as:
Hello. I am visiting a friend with stage 4 cancer and want to do something nice. Can you send me some money to my PayPal?
One of the main thing to look for in these emails is improper grammar or spelling.
After they have sent those emails, the CTA has to hide from the compromised user that their email has been stolen. To do this, they will create forwarding rules, sometimes called filters, to send emails outside of the original email address. For instance, in the story of my mother-in-law, the CTA created a forwarding rule that was similar to their email address in an effort to hide the rule itself.
[email protected] (Original) > [email protected] (Forwarded CTA email)
The rule can be either something completely fake like "1234asdasd@gmail[.]com" or like in the instance above, it could be an email that matches the beginning of your email to a common location so you assume it is normal.
Overall, the CTA is knows that the actions have to be quick, otherwise they will lose access very quickly. So this is more about shock and awe vs. a long term invasion for the personal email attack.
There are some simple things we can do to mitigate the CTA from continued access as well as prevent them from gaining access again.
- Check and delete unknown rules.
- Change your password
- Log out all other users
- Setup Multifactor Authorization (MFA)
These are not in a specific order, but changing your password should be among the first things that you do.
Change Your Password
Change your password to something that isn't just one character different. So if you had something like "12345678" don't change it to "01234567." Unfortunately this is still a common password action that people make. If you care for a bit of comedy you can read this comic about what is required for a good password. You also can’t use “beef stew” as a password. It’s not stroganoff.
As for how strong your password should be, it is highly recommended that you make a passphrase rather than a password. Years ago I wrote an article about how to make a good password and the rules still apply. The only change I would make is that password managers have come a long way and I would recommend them just even for password complexity creation, but make sure you master password is strong.
As side note for this along with changing your password, if there is an option to sign out everywhere, go ahead and click that button. This is number 3 in the list above, but sometimes you can do this at the same time. So I want to make sure you select that option if available. Some companies have this option, others force a login at all locations by default when the password is changed or when MFA is enabled.
We spoke of email forwarding rule above and this should be the next step after you change the password. This will ensure that even though you have stopped them from directly accessing the email, deleting these rules ensures they do not still get a copy of the email.
In the scenario with my mother-in-law, She was not receiving any emails at all even though we were sending test emails. Finding the rule and deleting it corrected the issue. We also verified whether the rule was legitimate by checking my father-in-laws email account as they are run by the same company and neither of them had created a rule.
After deleting the rule (You can verify what the rule was doing by looking before deleting), you should check the trash and sent mail folders to identify what emails were sent to the CTA. If they received emails from your bank or other institutions, I would recommend you change those passwords as well just to reset the standard. Of course, please don't use the same email.
Setup Multifactor Authentication
Multifactor Authentication, called MFA or 2FA, is the idea that it requires multiple factors or items to login. These factors are one of three things: Something you are, Something you know, something you have. So usernames and passwords both fall into the category of "Something you know" as they are both something that you have to memorize/write down. This is where most compromises will happen because we are human and forget or repeat passwords to make our life easier.
This is where the introduction of other factors come in to play. If you have an smart phone you are probably using facial recognition to log in or maybe a finger print. This is biometric data which is "Something you are."
The other factor is "Something you have" when could mean your cell phone.
Multifactor authentication is the idea that you need more than one of these to login. So you login with your username and password and then are given a code to your cell phone to continue logging in. This is "Something you know" and "Something you have."
Passwords have long been a problem for account compromises which is why companies like Google have started to go passwordless using these factors to find a way to reduce account compromise. That will be something to look forward to.
It is important to have this setup even before your account is compromised to reduce that from occurring.
This is always an unfortunate event that does happen from time to time. However, these simple steps are a quick way for you to regain control of your email address. As this is a primary way that we communicate these days, it is an important tool that we must maintain. Be sure to enable 2FA before your account is compromised to prevent mistakes from happening.
Want to join the conversation about how to level up your cybersecurity knowledge or join others learning the field? Join our discord Mimir Cyber Discord Server.