From: Some Friend <email@example.com>
Date: Tue, Dec 25, 2012 at 12:23 AM
Hi, I tried an it was wonderful. I hope have fun with more like me.
Within a few days, you'll usually see another email from this same person to a massive distribution list saying something like,
"oh no, my email account has been hacked. If you received this I'm so sorry but it wasn't me!"
Or worse yet, ever been the one who receives an email from a friend that says,
"Um, I think your email account has been hacked. I just received a really odd message from you with some link to a foreign website."
Whether you received one of these fake emails or appear to have sent it, there are things to do right away to make sure you haven't already become a victim, and don't become one.
What really happened?
We like to toss around the word "hacked" because it sounds cool. In reality, very few of these phishing emails come from an account that someone deliberately broke into. If the source appears to be a friend of yours, one of a few things has usually happened:

- Their computer picked up malware that harvested the address book and is now generating phishing emails to everyone in it.
- Someone else is logging in to their email account, because the password was guessed, because malware on their computer captured it, or because the same password was used on another site whose account database was stolen.
- Nothing of theirs was touched at all: the sender already had your friend's name and address (and yours) from someone else's stolen contact list, and simply forged the From line.

If the email came from you, re-read the above replacing "they" with "you."

Typically these emails do not actually pass through your friend's computer, nor through their email account. They are spoofed to look like they came from your friend, and if you look at the technical information (the email headers, in particular the Received lines, the Return-Path and any Authentication-Results added by your provider) you will usually see that they were injected from somewhere else entirely, using your friend's name. That is also why, when you look at your own Sent Items, you don't find the fraudulent emails: they were never sent from the account.

Hacking, properly speaking, is an active effort in which someone intentionally targets you and works their way into your computer. Most compromises today, among the general public, are passive and untargeted. I don't consider these to be "hacks." The word compromised is a more accurate description of what has actually happened: either a computer has been compromised, or an email account has.
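As an added example, not part of the original post, the following Python script applies the header checks described above to a constructed message: whether the Return-Path (bounce) domain matches the From domain, what the receiving server's Authentication-Results say about SPF and DKIM, and whether any relay in the Received chain belongs to the claimed sender's domain. The sample message, hostnames, domains and IP addresses are all made up (the IPs come from the RFC 5737 documentation ranges).

```python
import email
import re
from email.utils import parseaddr

# Constructed sample of a forged "friend" email as it might land in a mailbox.
# Every host, IP address and domain here is made up for this example.
SAMPLE_EML = """\
Return-Path: <bounce-91771@bulk.example.net>
Received: from bulk.example.net (bulk.example.net [203.0.113.10])
    by mx.recipient.example (Postfix) with ESMTP id 4AB12C
    for <you@recipient.example>; Tue, 25 Dec 2012 00:23:01 -0500
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by bulk.example.net with SMTP; Tue, 25 Dec 2012 00:22:58 -0500
Authentication-Results: mx.recipient.example;
    spf=fail smtp.mailfrom=bulk.example.net;
    dkim=none header.d=example.com
From: Some Friend <email@example.com>
To: you@recipient.example
Subject: Hi
Date: Tue, 25 Dec 2012 00:23:00 -0500

Hi, I tried an it was wonderful. I hope have fun with more like me.
http://198.51.100.7/offer.php
"""


def unfold(value):
    """Collapse RFC 5322 folding whitespace so a multi-line header reads as one line."""
    return " ".join(value.split())


def domain_of(header_value):
    """Return the lower-cased domain part of the address in a From/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (no substring matches)."""
    return host == domain or host.endswith("." + domain)


def analyze_headers(raw):
    """Look for the tell-tale signs of a forged From line in a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    bounce_domain = domain_of(msg.get("Return-Path"))

    # The receiving server records SPF/DKIM/DMARC outcomes in Authentication-Results.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           unfold(msg.get("Authentication-Results", ""))))

    # Each relay prepends its own Received header, so the list runs last-hop-first;
    # reversing it gives the path the message actually travelled.
    hops = []
    for received in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", unfold(received), re.IGNORECASE)
        hops.append(m.group(1).lower() if m else "?")
    hops.reverse()

    reasons = []
    if bounce_domain and bounce_domain != from_domain:
        reasons.append("Return-Path domain %s does not match From domain %s"
                       % (bounce_domain, from_domain))
    if auth.get("spf") == "fail":
        reasons.append("SPF failed: the sending server is not authorised for %s"
                       % (bounce_domain or from_domain))
    if auth.get("dkim") == "fail":
        reasons.append("DKIM signature check failed")
    if from_domain and not any(in_domain(h, from_domain) for h in hops):
        reasons.append("no relay in the Received chain belongs to %s" % from_domain)

    return {
        "from_domain": from_domain,
        "bounce_domain": bounce_domain,
        "auth": auth,
        "hops": hops,
        "spoofed": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    verdict = analyze_headers(SAMPLE_EML)
    print("path taken:", " -> ".join(verdict["hops"]))
    for reason in verdict["reasons"]:
        print("-", reason)
    print("likely forged From line" if verdict["spoofed"] else "no obvious forgery")
```

Treat the output as evidence, not proof: a mailing list or a forwarding service legitimately rewrites the Return-Path, an SPF "softfail" or "none" is weaker than "fail", and older providers add no Authentication-Results header at all, in which case only the Return-Path and Received checks apply. If every check passes and the message still shows up in your friend's Sent Items, their account really is being used by someone else.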
What should you do?
If you received an email like this from someone you don't know, delete it right away and run a full antivirus scan on your computer. Never click the link or open any attachment. If you didn't click anything, you're probably safe, but run the scan just to be sure.
If you received an email like this from someone you do know, run the AV scan right away, don't click the link, don't open any attachments, and don't forward the email. Do send a new email to the originator (your friend) letting them know about it. Write a fresh message rather than hitting Reply: a forged message can carry a Reply-To header that routes your reply to the attacker instead of your friend. Delete the original as soon as possible. Don't worry, most likely there isn't someone sitting on the other end reading your response, and even if there is, you aren't leaking anything or opening any new doors; they already have your email address.
If you were the sender (or if the email appears to have come from you), you've got some work to do. Don't panic and don't be embarrassed. This happens all the time.
1. Immediately change the password on the email account itself, then on every other online account that uses that same password. While you are in the email account, check the settings for anything you didn't add: forwarding rules, filters that delete or hide mail, and changes to the recovery address or phone number. An attacker who had the password often leaves these behind so they can keep reading your mail after the password changes. It's a good rule of thumb never to repeat passwords between online accounts, but if you do, at least don't blend communications and social media passwords with sensitive accounts like banking. Don't use the same password for email/Facebook as you do for your bank, investments or medical provider. If you did use that same password on other accounts (especially bank accounts), log in with your new password, scrutinize all recent activity, and keep a close eye on transactions for a while. Report anything fraudulent to your bank. Just to refresh your memory, many people minimally have the following online accounts, which may be tied to your email account somehow:
- Email (multiple accounts probably with your ISP plus some webmail)
- ISP/Cable provider
- Cell phone provider
- Financial institutions (bank, credit cards, retirement, investments, brokers)
- Mortgage company
- Utilities (gas & electric, water, sewer, waste management)
- Social Media (Facebook, Twitter, LinkedIN, Instagram)
- Clubs or memberships
- Online retailers (Amazon, Apple, etc.)
2. Update your AV and run a full system scan ASAP. Clean up anything the AV engine finds, reboot, and re-run the full scan. If the problem persists beyond the AV's ability to clean, or comes right back after a reboot, then you likely have some form of bootkit or rootkit. The only reliable fix is to wipe the drive, reinstall the operating system and all your software from known-good media, and restore only your data. Time to call in professionals, or friends who are professionals during the day.
3. Contact your email provider and let them know your email account has been used fraudulently. If possible, forward the fraudulent email to them as an attachment rather than inline, so the original headers survive; an inline forward replaces them with yours. Providers usually have some sort of abuse reporting address and often run investigations to determine whether anyone else has been victimized. More sophisticated providers profile these fraudulent emails to attribute them to an actor or group and to build future defenses for their users. Check your provider's website for contact information. When you notify them, give them your new contact information (email address) and let them know you will be taking the next step, so they don't try to contact you on the compromised account.
4. Disable or delete your email account and create a new one with a different password. Notify all your friends and family to ignore any future emails from the old account. I know this is a pain, but once your account has been used, you can bet it will continue to be used unless you delete it. You are putting yourself and your friends at risk if you don't.
5. If you are super curious and want to know what the attached file or the link in the spoofed emails would do if you did click on them, contact me and I'll run it through my lab. You can also submit the link (copy and paste it, don't click it!) or the saved, unopened attachment to VirusTotal.com, which will report how many antivirus engines flag it. You don't even need to upload the file: VirusTotal also accepts the file's SHA-256 hash and tells you if that exact file has been seen before.
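As an added example, not part of the original post, the following Python script shows how to get the link and the attachment out of a suspicious message without opening either. It builds a constructed stand-in for the email (the link host and the attachment bytes are made up; the attachment content is just "abc" so its hash is easy to check), extracts every URL from the text parts and defangs them so they can be pasted into a report without becoming clickable, and computes the SHA-256 of each attachment so the hash can be looked up on VirusTotal instead of uploading or opening the file.

```python
import email
import hashlib
import re
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample_message():
    """Construct a stand-in for the suspicious email: a phishing link in the body
    plus a small attachment. The link host and attachment contents are made up;
    the attachment is just the bytes b'abc' so its SHA-256 is easy to verify."""
    msg = MIMEMultipart()
    msg["From"] = "Some Friend <email@example.com>"
    msg["To"] = "you@recipient.example"
    msg["Subject"] = "Hi"
    msg.attach(MIMEText("Hi, I tried an it was wonderful.\n"
                        "See http://198.51.100.7/offer.php\n"))
    part = MIMEApplication(b"abc", Name="invoice.zip")
    part.add_header("Content-Disposition", "attachment", filename="invoice.zip")
    msg.attach(part)
    return msg.as_string()


def defang(url):
    """Rewrite a URL so it cannot be clicked by accident when pasted into a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_indicators(raw):
    """Pull links and attachment hashes out of a raw message without opening or
    executing anything. Only the bytes are read; nothing is fetched or run."""
    msg = email.message_from_string(raw)
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        payload = part.get_payload(decode=True) or b""  # base64/QP decoded to bytes
        if part.get_content_disposition() == "attachment":
            attachments.append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
        elif part.get_content_maintype() == "text":
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            for url in URL_RE.findall(text):
                url = url.rstrip(".,;)")  # trailing punctuation is not part of the link
                if url not in urls:
                    urls.append(url)
    return {
        "urls": urls,
        "defanged": [defang(u) for u in urls],
        "attachments": attachments,
    }


if __name__ == "__main__":
    report = extract_indicators(build_sample_message())
    for u in report["defanged"]:
        print("link:", u)
    for a in report["attachments"]:
        print("attachment: %s (%s, %d bytes) sha256=%s"
              % (a["filename"], a["content_type"], a["size"], a["sha256"]))
```

To use it on a real message, save the email from your mail client as a .eml file and pass its contents to extract_indicators instead of the constructed sample. The hash, not the file, is what you paste into VirusTotal's search box; the defanged links are what you paste into the note to your friend or your provider's abuse desk.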
Most likely, you were a target of opportunity and you aren't going to keep being targeted. If your adversary did get into one of your online accounts with your legitimate credentials, they may try again, but most likely they have a long list of other victims to get through and will be on their way. Again, don't panic and don't worry.