Phishing attempt and success - can you give me some technical details?
November 30, 2023 5:17 AM   Subscribe

A friend fell for a phishing scam, and I am trying to understand the technical details so I can make sure it has all been cleaned up. Details below.

A friend told me they'd received an email from Microsoft saying that there were problems with their email, and here's a link, can you change the password? I don't have the email, so I don't know the wording, but my friend clicked through and "changed" their password.

A few minutes later, people in her address book received email from her. Obviously, the address was spoofed. Here's a copy of mine:

Hi,

Sorry to bother,do you order onAmaz on?


The email ended up in my spam folder, but I guess it didn't for other people because at least two people replied back and received another email with a sob story with an ask for a gift card (reproduced below). At least one person bought one.

Here's the thing: I found the email in my spam folder, and looked at the original version so I could see all the real headers and content.

I expected to see that the from field would be populated with the friend's email address, and the reply-to was some other email, but it was the same correct email address.

I asked the friend to check the forwarding settings in their email to see if that was how the scammer's knew who to answer. They said nothing was set.

Questions:
How did the reply to the first email get to whatever sent the second email?
Is there another header in there that I should be looking at?
Is there another forwarding type setting I should have the friend check?

Again, I can't see what they did on their screen, and as bright and educated as my friend is, they aren't computer savvy.

Bonus question:
In general, since the scammers can access your email account, why don't they also disable accounts or erase email or cause any other type of mischief?

I assume they use a program to pull the contacts (and maybe set a forwarding address filtered on the weird spelling of Amazon?). Why not use the same program to create havoc?


Here's the sob story email.

Glad! I've been trying to purchase a $100 Amazon E-Gift card by email, but it says they are having issues charging my card. I contacted my bank and they told me it would take a couple of days to get it sorted. I intend to buy it for a Friend of mine who is diagnosed with stage 4 mesothelioma cancer, It's her birthday today. Can you purchase it from your end for me, I am just trying to put a smile on her face in this trying times. I'll send you a check regarding the refund later . Here is her email (betsymiller11@outlook.com) and have it ordered From Me please and the message space, write "Happy birthday Dear Betsy Stay strong'', Let me know once you place the order and send me the confirmation once it’s done.
Thanks.
posted by AMyNameIs to Computers & Internet (11 answers total) 1 user marked this as a favorite
 
Here's what I suspect happened:

* Your friend clicked the link to the attackers' website.
* On it was a "change your password" form -- these typically ask you to enter your existing password, then your new one. Ka-bam! The instant she submitted that form, the attackers had her email username and password.
* Attackers logged in to her email with the password she gave them.
* Attackers spammed the "sorry to bother" email to all her contacts from her email. That's why it looked like a legit email based on the headers -- it was!
* Attackers continue to abuse her email to respond to anyone who answers the "sorry to bother" email.

What your friend needs to do:

* ACTUALLY change her email password. This should kick the attackers out, at least temporarily.
* Set up multi-factor authentication for her email, to keep them out.
posted by humbug at 6:14 AM on November 30, 2023 [1 favorite]


OK, so, to your first question:
How did the reply to the first email get to whatever sent the second email?
By "first email", I assume you are meaning the email about changing the password. First, any reply that your friend made to this message would go to whoever sent it. Second, I'm sure any reply would be ignored. The important thing here is that when your friend "changed their password", what they really did was put their password into a site controlled by the attacker, so the attacker now has their password and can log into their account at will. (This is why 2-factor auth is important.)
A few minutes later, people in her address book received email from her. Obviously, the address was spoofed.
I don't think this is obvious. Since the scammer can log in to your friend's email directly, it's entirely possible they just sent the email directly from your friend's account. They wouldn't really care about any replies as they're not looking to get into a conversation with anybody. The important address is the one in the "sob story", which is where the gift card would be delivered to.
Bonus question:
In general, since the scammers can access your email account, why don't they also disable accounts or erase email or cause any other type of mischief?

I assume they use a program to pull the contacts (and maybe set a forwarding address filtered on the weird spelling of Amazon?). Why not use the same program to create havoc?
I don't know much about how all this works, but what's the point of causing havoc, deleting emails, etc? All they're after is money. They don't care about the person they're hacking other than as a means to get money, so it doesn't make sense to waste time messing about with their email account. This kind of scam works with very low probability, so they have to hit a lot of people to be profitable. Pointless vandalism would just take more time and hence lower their profits.

So, just to recap, I think the basic architecture of this is:
  1. Scammer uses the initial email to harvest the password.
  2. Scammer logs in to email account using stolen password and sends message to entire address book.
  3. Scammer receives gift cards sent to address in the sob story.
As far as concrete steps to take: multifactor auth so just knowing the password isn't enough to get in to the email account. (Also, hopefully, not falling for this type of scam in the future.)
posted by number9dream at 6:22 AM on November 30, 2023 [2 favorites]


IMO, I would assume that any important account (bank account, other emails, Amazon, etc) linked to this email probably HAS been compromised. They will search the email account, reset the passwords of these other accounts, then delete the password reset emails so the user hopefully doesn't see them.

Maybe your friend has lucked out, but she should go through all her accounts, reset passwords, and check for fraudulent activity.
posted by muddgirl at 6:29 AM on November 30, 2023 [4 favorites]


Maybe your friend has lucked out, but she should go through all her accounts, reset passwords, and check for fraudulent activity.

Yes, this is incredibly important, and I can't believe I left this out of my previous answer. If your friend's email account was also the one they use for accessing other services, then the attacker would have been able to reset the passwords to those services as well, so they need to change those passwords too.
posted by number9dream at 7:14 AM on November 30, 2023 [2 favorites]


Best answer: To summarize (and add a bit):

1) see if MS lets you see where logins to the account have occurred from and log out everyone who's currently logged in (Google lets you do this, I don't know about MS)
2) change email password
3) double check all email login/security/personal information - 2 factor authentication, backup email address/phone number, security questions, name, address, whatever information is connected to the account
4) check forwarding and filter information. Are any emails set up to be forwarded to the phishers' accounts? (Your friend doesn't sound the most tech-savvy so you'll want to double-check this in all the different places it might be set up, for example in filters)
5) this email address is probably the contact information for various accounts - bank, credit card, healthcare, other email accounts, a million little and big things. Assume all of them are compromised - go through them all, reset all login/personal/security information, check for fraud, get a credit report, do a credit freeze, etc.
6) are other MS services connected to this MS login? Assume they're compromised too and think carefully about ways they or any information stored there might be used later

7) have your friend read up on all kinds of different scams - email/computer scams, phone scams (like the one where they call you pretending to be a family member or friend who's stranded or been kidnapped or...), paper mail scams, etc. These guys had access to a lot of information about your friend's personal life, which is often used to make these scams more convincing, and your friend has shown them a certain precedent for gullibility, so they might be a good candidate for trying again.
8) if they haven't already, they need to let their friends and anyone else who may have been contacted that your friend was phished, that the phishers now have everyone's email addresses, and that they should absolutely not accept any requests for money or help that supposedly come from your friend. I'd add a link about these kinds of scams so any less-savvy friends can hopefully read more about them
posted by trig at 8:30 AM on November 30, 2023 [3 favorites]


Response by poster: I should have been clearer.

The mail did not come from their actual email. The headers in the "Do you order" email contain IP addresses that the spam filters detected as not being valid SMTP servers. Here is a sample of what now shows up in the header. I've crossed out the real email address:

ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@yahoo.com header.s=s2048 header.b=afEG79gY;
spf=softfail (google.com: domain of transitioning XXXXX@msn.com does not designate 74.6.130.41 as permitted sender) smtp.mailfrom=XXXXX@msn.com;


So, the blast of what I called the first email (sorry, again, I wasn't clear) didn't come from their email account.

Interesting point about using that email to reset passwords for other accounts and msn services. I'll double-check to make sure they've taken care of those accounts.

I've marked trig's answer as best since it contains a summary of what everyone else said. Thank you all for taking the time to answer.
posted by AMyNameIs at 10:18 AM on November 30, 2023
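As an added example (not code from the thread or from any poster), here is a small Python parser for the kind of Authentication-Results header quoted above; it shows why "dkim=pass" for yahoo.com together with "spf=softfail" for msn.com points to a message that did not originate from the friend's own account, since the signing domain does not match the claimed sender domain. The header text is a constructed sample based on the one in the post, with the address redacted as there.

```python
import re

# Constructed sample modelled on the ARC-Authentication-Results header quoted in
# the thread (sender address redacted exactly as in the post).
SAMPLE_HEADER = (
    "ARC-Authentication-Results: i=1; mx.google.com;\n"
    "       dkim=pass header.i=@yahoo.com header.s=s2048 header.b=afEG79gY;\n"
    "       spf=softfail (google.com: domain of transitioning XXXXX@msn.com"
    " does not designate 74.6.130.41 as permitted sender)"
    " smtp.mailfrom=XXXXX@msn.com;\n"
)

def parse_auth_results(header: str) -> dict:
    """Split an (ARC-)Authentication-Results header into per-method results."""
    logical = re.sub(r"\r?\n[ \t]+", " ", header)   # unfold RFC 5322 line folding
    body = logical.split(":", 1)[1]                  # drop the header name
    body = re.sub(r"\([^)]*\)", "", body)            # comments are free text, not fields
    parsed = {"authserv": None, "methods": {}}
    for clause in (c.strip() for c in body.split(";")):
        if not clause:
            continue
        tokens = clause.split()
        first, props = tokens[0], tokens[1:]
        if "=" not in first:                         # bare token is the authserv-id
            parsed["authserv"] = first
            continue
        name, value = first.split("=", 1)
        if name == "i":                              # ARC instance counter, not a method
            continue
        entry = {"result": value}
        for prop in props:                           # e.g. header.i=@yahoo.com
            key, _, val = prop.partition("=")
            entry[key] = val
        parsed["methods"][name] = entry
    return parsed

def domain_of(addr: str) -> str:
    """Domain part of 'user@domain' or '@domain' property values."""
    return addr.rsplit("@", 1)[-1].lower()

def assess(parsed: dict) -> list:
    """List the indicators that the message was not sent by the claimed sender."""
    findings = []
    spf = parsed["methods"].get("spf", {})
    dkim = parsed["methods"].get("dkim", {})
    mailfrom = domain_of(spf.get("smtp.mailfrom", ""))
    if spf and spf["result"] != "pass":
        findings.append(f"spf={spf['result']}: host not authorised to send for {mailfrom}")
    signer = domain_of(dkim.get("header.i") or dkim.get("header.d") or "")
    if dkim.get("result") == "pass" and signer and mailfrom and signer != mailfrom:
        findings.append(f"dkim passes for {signer}, which is not the sender domain {mailfrom}")
    return findings
```

Run `assess(parse_auth_results(SAMPLE_HEADER))` to get both findings; a message genuinely sent from the friend's account through her provider would normally show SPF pass and a DKIM signature from the sender's own domain.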


When this happens to people within my orbit, my consistent advice has been that they need to do three things:

1. Log on to their email account provider's webmail service, use whatever facility it has for logging out all other sessions, then change their email password as a matter of extreme urgency.

2. Install KeePassXC (or the OG KeePass if you prefer it - try both), create a password database file, and commit to making that database file the beating heart of their digital life and keeping it safe, accessible and backed up.

3. Work through all their online accounts starting with their primary email account, entering their online account details into their password database file (critically, including the URL of each site's login page so that sites can be opened from inside the password manager as a matter of routine, which makes spoofing way harder) and changing each password to a long, random one generated by KeePassXC.

Only about one in five have actually taken that advice, and not one of them has been scammed or "hacked" since. Several of the four in five have, including one who lost a lot of stuff to a ransomware attack.

KeePassXC and similar password managers that rely on a single password database file kept locally on the user's own computer are a bit of a pain in the arse to get started with. There's definitely a learning curve, though the difficulties both conceptual and practical rise nowhere near those of learning to use e.g. spreadsheet software.

The most annoying thing, at least initially, is the slight speed bump that needing to interact explicitly with the password manager introduces into every login process. But that exact speed bump is where a lot of the safety benefits actually are. Logging into an online service should require at least a tiny bit of thought and attention because that's how you prime yourself to notice those little differences that let you know you're in a scammer's crosshairs.

Having gritted my own teeth and pushed that rock up that hill many years ago, I now frolic in the sunlit uplands completely free of anxiety about (a) forgetting how to log onto stuff I've not needed to touch for a few years but suddenly need urgently (b) having my online security undermined by data breaches or scams (c) giving some corporate "cloud" security "service" a chokehold on my ability to log into things without paying them a fee.

It's nice up here. Join us!
posted by flabdablet at 1:02 PM on November 30, 2023 [1 favorite]


Best answer: The mail did not come from their actual email ... the blast of what I called the first email (sorry, again, I wasn't clear) didn't come from their email account.

No, it would have come from some nefarious bulk spam generator. Point is, though, that the scammer now has your friend's email login credentials, which means that the same organization can tip those into the same automated scamming pipeline of which the bulk spam generator is a part, and automatically scan for replies to their bulk spam via automated logins to all their victims' email services.

This stuff is all heavily automated in 2023. In fact the organization sending out the sob story might not even be the same one that ran the original phishing. There's enough money to be made in selling stolen credentials to make running a specialist phishing outfit a viable business model.

There's no percentage for the sob-story scammers in programming their reply-scanning bot to make visible changes to a victim's email service. From the scammer's point of view, the more time their bot has to do stuff like downloading emails in order to scan for further credentials and working contacts, the better; making visibly weird shit happen from the account holder's point of view would only ever cut, not extend, that time.
posted by flabdablet at 1:20 PM on November 30, 2023 [1 favorite]


Response by poster: Thanks for the additional explanation. I didn’t think of automatically logging in to check for replies or other credential-related email. As soon as the password was truly changed, the scanning would have stopped - but not before a couple of people had replied and at least one person sent money.
posted by AMyNameIs at 6:33 PM on November 30, 2023


Just to emphasise something @flabdablet said: "KeePassXC and similar password managers that rely on a single password database file kept locally on the user's own computer ...": I'm nowhere near his/her/their technical competence, but I think keeping the password file on your own computer is non-negotiable. Keeping the file online anywhere might be convenient but doing so has already introduced a security hole.

Disclosure: I use KeepassXC.
posted by Logophiliac at 6:43 PM on November 30, 2023


I think keeping the password file on your own computer is non-negotiable.

Strongly agree. Also keeping it in an ordinary file, one that you can copy and paste with an ordinary file browser, keep in a folder of your own choice, and include in your regular backup schedule. This strikes me as a much sounder proposition than e.g. relying on a database in some poorly documented and probably unstable format tucked away somewhere inscrutable inside a browser's hidden profile folder.

Keeping the file online anywhere might be convenient but doing so has already introduced a security hole.

I have no objection to keeping copies of my passwords file online, and do exactly that using Dropbox to make it easy to keep all my local copies in sync. What I'm mainly concerned about is guaranteeing ongoing access to the authoritative version, and that requires keeping it locally as an ordinary file whose properties I understand.

I am not the slightest bit concerned about the existence of online backups making it possible for somebody else to download a copy of my passwords file, because I have good reason to be confident that the encryption protecting its contents was correctly implemented. The applications that I use to manipulate it rely on widely used, well-tested implementations of standard encryption primitives, and their source code being open to all makes it easy to verify that these are being used appropriately.

The reason I refuse to use a cloud-centric password manager is because I would much rather rely on myself to maintain reliable ongoing access to all of my stored credentials than some corporation to whom I am at best a customer and at worst mere livestock.

Yes, this does require learning what a file is, and learning a little bit about how files are stored and where, and gaining at least some familiarity with making backups and using file browsers. But I don't believe that it's actually possible to use a computer securely and productively without showing some minimal willingness to engage with the machine on its own terms.

Expecting any computer to do everything you might wish it to without having to pay any attention at all to how that actually happens strikes me as a fundamentally exploitable attitude that no amount of password management or 2FA could ever possibly secure.
posted by flabdablet at 10:45 PM on November 30, 2023

