I've been scammed!
June 8, 2022 2:07 PM   Subscribe

I got an email that seemed to be from my accountant, saying my tax return docs were complete, clicked on the attachment, and then realized something fishy was going on.

I'd been in a long email chain with my accountant and my wife (at her office), in which my accountant had been asking us questions regarding our taxes. (We filed late--with a granted extension.)

Then I got an email that was just another part of that chain. It said "Good day, Prepared contract documents you can find in the attachments. File password R7432"

I had no reason to suspect this was fake, as it was part of the email chain, so I clicked on the zipped attachment, typed in R7432, and it opened to reveal just an html file (which just had the text "Download complete" in it) and another zip file.

I opened that zip file, and it contained a file called Submitted-documents-06-33267.img, which triggered my spider sense a little (an image?) but I stupidly I clicked anyway. It seemed to open--it did the Mac "file-opening" animation but nothing noticeable happened.

And then the full magnitude of it hit me. I hadn't stopped to consider it, but though the email was part of the chain, it wasn't from my accountant, it was "from" my wife. Why would she be sending me a contract document?

When I looked at the actual email address, it wasn't really from her, it was from e.fnihtayaa@lun.senzen.com (and she confirmed she never sent it).

So my concerns are:

1. What should I do about whatever it is I might have triggered? I'm on my work Macbook Pro (M1).

2. How did the hacker intercept the email chain and insert himself into it? It strikes me that he must have infiltrated my email server, my wife's, or my accountant's. I doubt it was mine, because it's hey.com (though of course it's possible). I have contacted my wife and my accountant. My wife works for a law firm, so a hacker on their system is ... not good. Same with a hacker on an accountant's system.

I'm about to contact my company, too, since I'm on one of their computers, connected to their servers.

What should my next step be?
posted by grumblebee to Computers & Internet (19 answers total) 5 users marked this as a favorite
When you say it was in the chain, was it a reply to another email? did it share the subject line of the email conversation?
posted by chesty_a_arthur at 2:10 PM on June 8, 2022

Response by poster: Yes. The email chain was started by my accountant last week. The subject was 2021 Tax Preparation. I responded and then added my wife to the chain. She, I, and my accountant have been using that same chain for a week.

When I scroll down below the recent message (from the hacker), I can see our whole chain.

The most recent message in the chain--the one with the attachment--is "from" my wife. But not really.
posted by grumblebee at 2:18 PM on June 8, 2022

Right click on the attached image, get properties, to see what it really is. Mac are subject to many fewer exploits than windows computers.
posted by theora55 at 2:19 PM on June 8, 2022 [1 favorite]

...And M1s fewer still. It could be a disguised executable, but it's possible (though by no means guaranteed) that you're in too much of a minority for them to have coded for you. Also Mac security has been turned up to 11, so it is a lot harder for any program (malicious or otherwise) to go reading or writing files on your disk without generating an OS security popup.

You should probably also:

- take your Mac off the network until you establish what it is that just happened
- conduct a decent scan for trojans and viruses (I have no software recommendations, sorry)
posted by How much is that froggie in the window at 2:25 PM on June 8, 2022 [1 favorite]

Response by poster: Kind: Disk image (yikes)
2,097,152 bytes (2.1 MB on disk)
Opens with: DiskImageMounter
posted by grumblebee at 2:25 PM on June 8, 2022

Response by poster: Yeah, I figured being on a Mac--and an M1 at that--was a good thing.
posted by grumblebee at 2:26 PM on June 8, 2022

Response by poster: I just went into Disk Utility, saw an Untitled Volume, and ejected it.
posted by grumblebee at 2:27 PM on June 8, 2022 [1 favorite]

Response by poster: I just opened the html doc in vs code. It's got a ton of content in it.

var text = 'UEsDBBQAAAAIAOqCyFSKapYGuGgHAAAAIAAhABwAU3VibWl0dGVkLWRvY3VtZW50cy0wNi0yMjExNjcuaW1nVVQJAAP3zKBiL/agYnV4CwABBAAAAAAEAAAAAOzdC3wU1 ...." + thousands of more lines like that. And then a function at the bottom: function b64toBlob ... And then some code that runs the function. Looks like it creates the form.zip file that had the disk image in it.
posted by grumblebee at 2:31 PM on June 8, 2022

You say your wife at her office. Is your wife using her office email? Like her @workemail.com email address? Her office system may be compromised, my company gets hit with literally dozens of phishing emails every day. Your accountant too, I guess.
posted by phunniemee at 3:15 PM on June 8, 2022 [1 favorite]

Best answer: Definitely don't assume because you're on a Mac that your computer isn't compromised and sending out everything to some nefarious place that sells that info. You very well may be.

If it was me, and I didn't know a lot about how to suss out this stuff, I would start totally fresh with the OS. As in, wipe it. Or at the least, find someone who does know about it. Until then, don't sign into ANYTHING that matters, esp. banking stuff.
posted by nosila at 3:39 PM on June 8, 2022 [4 favorites]

I had something happen with a business client, and it turns out the hacker had hacked their gmail account, and set it to forward a copy of all emails to the hacker. The hacker had this set up for quite some time and bided their time, waiting for an email chain that was about money, and then jumped in.

In this case it wasn't with a virus/malware payload, but with one of those "quick, buy me some gift cards and scan them in" kind of scams.

I doubt your M1 is infected, but I'd wager that one of the email accounts involved has been compromised.
posted by soylent00FF00 at 4:45 PM on June 8, 2022 [3 favorites]

Sorry to say, I don't know much about Macs, but my first concern would be to inform the accountants. Could be they've been hacked or their records exposed, and that lots of other peoples' accounts are at risk.

If you haven't done so already, I'd tell them, and get them to run a thorough check on their machines and networks.
posted by Dub at 6:46 PM on June 8, 2022 [1 favorite]

Best answer: You could try uploading the .img file (or any of the files really) to VirusTotal -- it will compare it to known malware and maybe give you some clues about what you're dealing with here.
posted by panic at 9:43 PM on June 8, 2022 [1 favorite]

Best answer: You can follow the advice given on BleepingComputers forum, but chances are you're on a Mac and you'll be fine.

Sounds like this variant of malware or variations thereof:
The malicious spam comes in the form of a fake invoice email which states that the recipient can access the billing by opening an ISO image attachment. This is notable because invoices are usually sent as Word documents or Excel files. Thus, the use of an ISO image as an invoice is highly unusual. Adding to the suspicious nature of the attachment is the file size. Samples were roughly 1MB to 2MB — again uncommon given that typical ISO images tend to have larger file sizes.
posted by kschang at 10:01 PM on June 8, 2022

Best answer: Four months ago I made an AskMe that might be relevant. AFAICT, a scammer had simply logged in to a relative's email account (I'm guessing this was a consequence of weak or reused passwords) and sent emails to everyone in the email account's address book. When helping the relative clean up the mess, I could see the scam emails in her "Sent" box.

If you, your wife, or the accountant can see the phishing email in the "Sent" box, then that ought to be a pretty good sign that the "interception" of the email was similarly low-tech. Of course, the very first thing to do is change passwords, and 2FA should be set up if possible.

My final post in that thread might indicate some mischief that the hacker might have done in your case similarly to mine, like configuring the email account to do auto-filtering and auto-forwarding.
posted by polecat at 11:43 PM on June 8, 2022

As for whether your Mac has been infected, it sounds like maybe not? Supposing there was some kind of auto-run executable in the disk image. If this were Windows with UAC wisely not-disabled, then Windows would have popped up a message that said "this file has been blocked because it came from another computer". I'm supposing a Mac does at least as good a job at detecting this, but maybe someone who actually knows something about Macs can clarify.
posted by polecat at 11:50 PM on June 8, 2022

Best answer: The very first thing to do is scan your device with a good virus scanner.

If you need a virus scanner then Malwarebytes is one of the very best, and you only need the free version.

Download it, scan your entire device, follow the recommendations if it finds anything.

(If you're unsure about clicking a link and downloading software just because someone on the internet told you to then good! Do your own search for recommended antivirus, and you'll find most reputable people/websites will suggest Malwarebytes.. That link is to the Mac version; there is a Windows version, for anyone else who needs it, along with versions for Chromebook, Android, and iOS. But whichever AV you choose, scan your machine ASAP.)

After you've scanned your device, change the passwords on all of your accounts, starting with your primary email. If you can turn on 2FA, especially on your email, do this as well as it will dramatically reduce the risk of anyone accessing your accounts.
posted by underclocked at 11:57 PM on June 8, 2022 [2 favorites]

Response by poster: Thanks panic, I didn't know about that site. Looks like it's a known attack--and something to do with Windows. Which is good.
posted by grumblebee at 8:15 AM on June 9, 2022

It might also be a good idea to contact your accountant to make sure they're using similar techniques to limit hacking/fraud at their end.
posted by urbanwhaleshark at 1:36 PM on June 15, 2022

« Older Making organizational systems work   |   hamburger hamburger hamburger Newer »
This thread is closed to new comments.