It was around 8:30 on a Monday morning when the text came in. “I need some help, I think I’m being hacked.”
As a digital coach, I receive several hacking messages like this every year. Most of the time, the “hack” turns out to be nothing. Spyware, popup windows, and messages that seem strange are often innocuous. 90% of the time a quick malware scan, spam quarantine, or password change does the trick.
This Monday turned out to be different. The hacking attempt had succeeded.
The initial visit
My client is a senior citizen who is very “up” on technology. She uses pretty good password hygiene. I consider her one of my more cautious clients.
However, by the time I arrived at her house at 10:30 am, she no longer had control of her…
- Microsoft account, including admin access to her PC and all the files backed up to OneDrive
- ISP (Cox) e-mail address (her primary e-mail)
- ISP (Cox) account
- Amazon account (including her Blink cameras, Ring doorbells, and Echo devices)
- Walmart account
In addition, suspicious charges showed up on one of her credit cards, and additional password change requests were coming in. The first malicious requests had started at 5:30 am, and her e-mails stopped arriving shortly thereafter. The bad actor had a 4-hour head start.
I started by talking through what happened – what she’d been doing on the computer and other details. We reviewed the sequence of messages closely. It quickly became clear that my client hadn’t done anything to start the hack. In fact, she was doing almost everything right!
My suspicion was that a data breach had exposed one of her passwords. One account was breached, followed by lateral movement across her other accounts. Although my client was using multiple passwords across her accounts, there was some password re-use, and two-factor authentication wasn’t active everywhere.
How did we secure it?
The first thing to get control of was the local machine. Checking it over, I found that the client’s Microsoft account now carried an e-mail address on a Russian e-mail server. That meant her Microsoft account had been taken over. The next step was to check the client’s primary e-mail (Cox/ISP), and we found we were locked out of that as well.
I created a local account with Administrator rights on the machine and switched into that in order to ensure control over the computer. After a cursory malware check using two different scanners, the machine appeared to be free of common malware.
We moved on to e-mail. Restoring our access required calling the ISP and verifying our identity with our landline. Getting control of the primary e-mail was our first win (or so we thought – read on). We immediately changed passwords and set up two-factor authentication with her ISP. We were able to change passwords and secure her Walmart account in short order.
After quick wins from Cox and Walmart, we started running into snags…
The Microsoft Account Problem
I moved on to the Microsoft account. We were able to log in to the Microsoft account on the web and see the user information. We were able to change the password but ran into a problem taking full control over the account.
The malicious actor had changed all the personal information at Microsoft. We were able to change the recovery phone number, but under Microsoft’s rules, personal information can only be changed once every 30 days.
We had three options. We could wait out the 30 days and try to change the e-mail on the account back to our e-mail address. Or, we could try to prove the hack through Microsoft customer support. Finally, we could cut our losses and consider the account hacked. Although we had the password under control, nothing was preventing the bad actor from changing it back using the recovery details they still held.
We decided to create a brand-new Microsoft account as the quickest way to fully gain control of her machine. I created a new Microsoft account for her. Unfortunately, she had to purchase her Microsoft Office 365 subscription again.
Before logging out of the compromised account, I made sure all of her OneDrive files were available locally. We then disconnected OneDrive and deleted the OneDrive files from the hacked account via the web.
I disconnected the hacked Microsoft account. Then I connected her clean, new Microsoft account as an Administrator.
After another malware and virus scan, it appeared we had control of the PC.
Note that if we had wanted to be more cautious, we could have wiped the entire computer and started again at this point. I decided this was likely overkill given the circumstances of the case.
What the hackers did at Amazon
Amazon proved to be a trickier situation. The malicious party had taken control of the account, changed the password, and activated their own two-factor authentication. This time, two-factor authentication worked against us: even though we controlled the e-mail and could reset the password, we didn’t have the second factor.
We called Amazon login support, verified ourselves, and were told to expect an e-mail…none came.
Two days later, and with no Amazon e-mail, we called again. We were informed that Amazon had removed the extra authentication and e-mailed us to say so, and that they could see “we” had since changed the password and re-enabled two-factor authentication…
What?!!! Sorry, it wasn’t us…
Incidentally, in the meantime, the hacker in the Amazon account had been busy. They’d ordered a few items off the “recently purchased” list, promptly returned them, and converted the returns into gift cards. My client received an ottoman she already had two of. By now, she sure needed to put her feet up!
The big miss
The hacker had been clever. Something was preventing us from getting Amazon e-mails, but what? Time to check the e-mail settings directly on the ISP’s (Cox’s) website.
(When debugging issues like this, always go straight to the server via the webpage. This takes settings in your e-mail client program out of the equation.)
I remembered the customer service representative telling me to check the forwarding settings on the account when we regained control over it. Sometimes, a bad actor will hack an account and forward copies of e-mails to other accounts. However, that setting was clean.
Then I remembered the filter rules. Rules (also called filters or filter rules) sort and file your e-mails automatically. Here’s an example: I can set up a rule to file everything from my electric company into a “utilities” folder.
I checked the rules, and there it was – one rule, ironically named “$”. It took every e-mail containing “amazon” in the “from” field and sent it off to another e-mail address without it ever hitting the inbox. Clever.
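A rule like “$” is exactly what a post-compromise check of a mailbox should surface. The following audit is added here as an illustration; it is not part of the original post and not any provider’s tooling. It runs over a constructed list of rules shaped like a webmail rules page (the rule names, addresses and domains, including the `cox.net` own-domain assumption, are all made up for the example) and flags any rule whose actions take mail out of the owner’s sight: an external redirect or forward, a delete, a mark-as-read, or a move into trash or junk. A high-value sender match or a non-descriptive name is reported alongside as an aggravating detail.

```python
import re

# Constructed sample of mailbox rules, in the shape a webmail "rules/filters"
# page exposes. Not data from the incident; the "$" rule mirrors the behaviour
# described in the post (any "from" containing "amazon" redirected away before
# it reaches the inbox). All names, addresses and domains are made up.
SAMPLE_RULES = [
    {"name": "utilities", "field": "from", "contains": "power.example",
     "actions": [{"type": "move", "folder": "utilities"}]},
    {"name": "$", "field": "from", "contains": "amazon",
     "actions": [{"type": "redirect", "to": "collector@mail.example"},
                 {"type": "stop_processing"}]},
    {"name": "newsletters", "field": "subject", "contains": "newsletter",
     "actions": [{"type": "move", "folder": "newsletters"}]},
    {"name": "bank", "field": "from", "contains": "bank.example",
     "actions": [{"type": "mark_read"}, {"type": "move", "folder": "Trash"}]},
]

# Assumption: the domains this mailbox legitimately belongs to. A redirect or
# forward to any other domain is treated as sending mail out of the owner's reach.
OWN_DOMAINS = {"cox.net"}

# Senders whose notifications an attacker benefits from suppressing:
# password resets, order confirmations, two-factor changes.
HIGH_VALUE_SENDERS = ("amazon", "microsoft", "paypal", "bank", "apple", "google")

# Folders where mail effectively disappears from the owner's view.
HIDING_FOLDERS = {"trash", "deleted", "deleted items", "junk", "spam", "archive"}


def external_destination(address, own_domains):
    """True if an address is outside the mailbox owner's own domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in own_domains


def audit_rules(rules, own_domains=OWN_DOMAINS):
    """Flag rules that take mail out of the owner's sight.

    Returns a list of (rule name, [reasons]) for every suspicious rule.
    Rules that merely file mail into a normal folder are left alone.
    """
    findings = []
    for rule in rules:
        reasons = []
        for action in rule.get("actions", []):
            kind = action.get("type")
            dest = action.get("to", "")
            if kind in ("redirect", "forward") and external_destination(dest, own_domains):
                reasons.append(f"{kind}s mail to external address {dest!r}")
            elif kind == "move" and action.get("folder", "").lower() in HIDING_FOLDERS:
                reasons.append(f"moves mail straight to {action['folder']!r}")
            elif kind in ("delete", "mark_read"):
                reasons.append(f"{kind.replace('_', ' ')} without the owner seeing it")
        if not reasons:
            continue
        # Aggravating signals, reported alongside the hiding action.
        sender_match = rule.get("contains", "").lower()
        if rule.get("field") == "from" and any(s in sender_match for s in HIGH_VALUE_SENDERS):
            reasons.append(f"targets a high-value sender ({sender_match!r})")
        if not re.search(r"[A-Za-z0-9]{3,}", rule.get("name", "")):
            reasons.append(f"non-descriptive rule name {rule.get('name', '')!r}")
        findings.append((rule.get("name", ""), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"SUSPICIOUS rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Legitimate filing rules (the “utilities” rule) are deliberately not reported; only rules that hide mail are, which keeps the output short enough to walk through with a client over the phone. Copying the real rules out of the provider’s settings page into this shape is the manual step.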
Problem solved, or so we thought.
We give up
The e-mail was under control. We were now getting notifications from Amazon. We called login support again and were told to wait another 2 days. In the meantime, we were able to change the Amazon password to something complex, but we still couldn’t log in.
After 2 days, we called Amazon again and were told to repeat the same process. By now, we’d provided documentation (redacted IDs) to Amazon and verified our ID by phone several times. We were still receiving e-mails regarding the hacked account.
We repeated the process 5 times. We never could get Amazon to remove the two-factor authentication from the hacked account. Or, if they did, the bad actor was re-verifying the account right back against us.
As the client had already shut down any payment methods associated with the account, we decided to cut our losses. This meant re-subscribing to Amazon Prime and Amazon Music. The alternative? Not having control of her Amazon account, Echo devices, Blink security cameras, and Ring doorbells!
This had been going on for nearly two weeks. We cut our losses. I created a new Amazon account for her. I then re-subscribed to Prime and Amazon Music. We re-connected her apps and accounts and set up two-factor authentication again. Now, it was time to take control of the smart home.
Note – we might have pursued the Amazon account recovery further if my client had had a large digital library (eBooks, Audible, movies). She was happy to pay for Prime and Amazon Music again to resolve the problem.
Getting the smart home back
Since Amazon owns the Echo, Blink, and Ring ecosystems, you need an Amazon account for all of their features to work. Obviously, we don’t want to run those devices on a hacked account.
Starting with Blink, I put the Sync module into setup mode. We still had access to the Blink app on the phone and were able to re-add the sync module. We then re-associated Blink with the new Amazon account and had the cameras back.
The Ring was a similar process. We opened up the Ring app and re-associated it with the proper Amazon account.
We got lucky and saved some work. The hacker hadn’t compromised the client’s Ring and Blink passwords. Had they, that would have required a factory reset on the Ring cameras and the Blink sync module.
Next came Alexa. I set up the Alexa app on the client’s phone with the new Amazon information. I reset all the Echo devices to factory default and re-added them into the Alexa app.
Last was to re-enable all the smart home Alexa skills to control Kasa smart plugs and her Nest Thermostat.
Taking it further
The ecosystem was under control and the compromised accounts had been secured or abandoned.
Once we had control of the e-mail and compromised accounts, it was time to change passwords that were similar to the compromised ones. I was quite certain the e-mail account was breached first, but it’s better to be safe than sorry.
Complex unique passwords for all
We decided to generate complex, unique passwords for every place the client logs on. Luckily, the client already had an active subscription to the password manager LastPass and was familiar with using it.
LastPass and other password managers can generate complex passwords and save them, so you never have to remember the password.
We started by printing out a list of all accounts and passwords in her password database. Then, we moved one-by-one down the list of sites.
Changing the passwords
On each site, we:
- Logged in
- Navigated to account/security information
- Changed the password to a complex, LastPass-generated password
- Saved the new password in LastPass
- Verified other security settings such as two-factor
- Logged out and logged in again to test
We enabled two-factor authentication wherever possible. For security, we used an authenticator app when we could. If that option wasn’t available, we used a text message. We only used an e-mail backup as a last resort.
At the end of the process, we generated and printed a new password list from LastPass as a hard copy backup.
Fake credit cards? Yes, in this case…
For e-commerce sites, we took an additional security step. We used Privacy.com to generate a unique virtual card number for each site. Privacy.com and services like it keep real credit card numbers out of merchants’ databases and away from data theft. A “fake” card can be generated for each website, with a spending limit set on it, and one-time, disposable cards can even be created.
I hooked Privacy.com up to her checking account. We set up the default payment methods for Microsoft, Amazon, and a few other sites to use Privacy.com cards.
How did the hacking start?
The first thing to do when analyzing any security incident is to look at the TTPs – tactics, techniques, and procedures. Broadly, most hacks occur due to a data breach, a hardware/software bug, or a targeted attack.
My client was brutally honest with what she’d been doing on the computer and what went wrong. She was also quick to call for assistance, which is vitally important even if you only need a “second set of eyes” on something.
We checked breach databases such as haveibeenpwned.com to see if her e-mail address had been leaked and sold. Indeed, it had. My client had a unique e-mail password, but she hadn’t changed it recently and didn’t have two-factor authentication enabled on her e-mail.
The computer appeared to be free of malware, so the breached e-mail password was the likely culprit.
Two things would have prevented the hack – changing the password to the e-mail account after the data breach and having two-factor authentication enabled.
My best guess is that my client wasn’t individually targeted. This was a lateral-movement-style attack across accounts, starting with her primary e-mail address. Once the malicious actor gained access to the e-mail, they moved on to resetting passwords on high-value e-commerce accounts. Once they gained access to Amazon, they focused on that – locking up the two-factor authentication. They also set up the mail rule at Cox to try to keep access to Amazon after the e-mail account was recovered. The Amazon gift card game could begin.
Did they win? Yes and no. It could have been worse. My client was forced to create new Amazon and Microsoft accounts, re-subscribe to services, and pay me to help secure her systems. She was also under a great deal of stress for several weeks and must learn new procedures for accessing her accounts.
How could it have been worse
In a sense, my client got off easy. The TTPs pointed to a scripted Amazon/e-commerce scam originating out of the east. If this had been a targeted attack, the damage could have been worse even with quick intervention.
There are automated tools available on the dark web that make “credential stuffing” and password changes a one-click operation. It probably took the bad actor a few clicks to cause days of headache.
If the bad actor had specifically targeted my client, they could have:
- Dumped all the contents of the OneDrive – all of her computer folders are backed up/synced to OneDrive, as Windows encourages by default. These documents could have been sold or analyzed for further PII (personally identifiable information).
- Taken remote control of the PC – as the hacker had control of the client’s Microsoft account, they had Administrative access to her PC. The actor could have installed keyloggers, malware, ransomware, or other persistent artifacts.
- Taken full control of the smart home – With e-mail and Amazon account access, it would have been trivial for a bad actor to have taken over the entire smart home – Blink cameras, Ring doorbells, lights, and Echo devices. At the least, it’s creepy. At the worst, it could be dangerous.
- Moved laterally to financial accounts – Instead of targeting e-commerce sites, the hacker could have moved into financial, investment, insurance, or other personal accounts. This might have led to a larger financial loss.
- Performed a SIM swap – The hacker could have used any one of a number of services to attempt to intercept text messages. If they had control over the e-mail account at the same time, they would be able to gain control over every account protected by a two-factor code by text.
Lessons in defending against hacking
As I say in all my security talks – “Everyone and everything is hackable, with enough time and effort.” Even the most seasoned security professionals and hardened systems can fall prey to a determined enough adversary. Don’t be embarrassed if a security breach happens to you!
If you react quickly and rationally, you can prevent breaches from getting worse. Set down your device and stop clicking! Seek help from someone you trust (NOT the 800 number blinking “computer help” on the screen).
While it’s hard to cover all security issues with one tip list, here are a few lessons learned from this incident:
- Use good password and security hygiene. Yes, complicated passwords are hard to remember. Try combinations of words – length often beats complexity. Use different passwords for every place you log in if you can (a password manager can help with this). Change your passwords regularly.
- Keep your devices up to date. UPDATES ARE GOOD! (99% of the time) Unlike the “old days” of computing, updates very rarely break your device. They are intended to provide you with critical fixes and new features. Take them when you can.
- Your e-mail account is the front door to many other accounts. First, your username is often your e-mail address. Second, the most common way to reset your password on other sites is to get an e-mail sent to you. If your e-mail is hacked, watch for forwarding and filtering rules!
- Your accounts have access to more than you think. Gaining access to Microsoft gives access to OneDrive, Microsoft Office subscriptions, and more. Amazon access allows movement across the Echo, Ring, and Blink ecosystems. Google and Amazon have associated clouds and services.
- Know your ISP, particularly if you use them for your primary e-mail. Make sure you know how to verify your identity with your internet service provider. Do you have a “customer code” or secret PIN set up? Do you have a secret question? You will need this information to prove your identity if you’re ever hacked.
- Know how to spot a SIM swap. Call your phone company right away if you ever get a sudden “No SIM” or “No Service” message on your phone. Someone may be attempting to intercept your texts. Your phone company may also be able to put a “SIM lock” on your line. You would have to call and verify every time you want to use a new phone.
- Despite being an extra step, use two-factor authentication wherever you can. You really only need to enter the second code after a long period of inactivity or when accessing a site from a new device. This way, even if your password is leaked, the hacker would need a secondary code to gain access. Try to use an authenticator app if possible. If that isn’t available, try to use a text message. The last resort should be a two-step code via e-mail.
- Watch your credit. I recommend all my clients either watch their credit regularly or subscribe to a credit monitoring service. Credit Karma and other free services are useful for watching credit changes. Lifelock and other paid monitoring services help you watch credit changes and provide support in case of an identity breach.
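The advice above that length often beats complexity, and the earlier point that a password manager can generate passwords so you never have to remember them, can be put in numbers. This added example is mine, not from the original post or from LastPass: it uses Python’s `secrets` module to generate both a word-combination passphrase and a random-character password, and compares their entropy. The demo wordlist is constructed and deliberately tiny; the 7776-word list size used in the comparison is that of the EFF large wordlist, which is what a real generator should draw from.

```python
import math
import secrets
import string

# Constructed demo wordlist. Real passphrase generation should draw from a
# large list such as the EFF large wordlist (7776 words); the entropy maths
# below take the list size as a parameter so this small list does not mislead.
DEMO_WORDS = ["anchor", "basil", "canyon", "dune", "ember", "fjord", "glacier",
              "harbor", "ivory", "juniper", "kestrel", "lantern", "meadow",
              "nectar", "orchid", "pebble"]
EFF_LARGE_WORDLIST_SIZE = 7776  # 6**5, sized for selection with five dice
PRINTABLE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def bits_for_passphrase(words, wordlist_size):
    """Entropy in bits of `words` words drawn uniformly from a list of wordlist_size."""
    return words * math.log2(wordlist_size)


def bits_for_password(length, alphabet_size):
    """Entropy in bits of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size):
    """Smallest word count that reaches target_bits from the given list."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words=5, wordlist=DEMO_WORDS, separator="-"):
    """Passphrase from a cryptographically secure random source (secrets, not random)."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def generate_password(length=16, alphabet=PRINTABLE_ALPHABET):
    """Random-character password, the kind a password manager stores for you."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(passphrase_words=5, password_length=8):
    """Worked comparison: (passphrase bits, password bits, passphrase_wins)."""
    passphrase_bits = bits_for_passphrase(passphrase_words, EFF_LARGE_WORDLIST_SIZE)
    password_bits = bits_for_password(password_length, len(PRINTABLE_ALPHABET))
    return round(passphrase_bits, 1), round(password_bits, 1), passphrase_bits > password_bits


if __name__ == "__main__":
    p_bits, w_bits, wins = compare()
    print(f"5 words from a 7776-word list: {p_bits} bits")
    print(f"8 random printable characters:  {w_bits} bits")
    print("passphrase stronger:", wins)
    print("words for 80 bits from the EFF list:", words_needed(80, EFF_LARGE_WORDLIST_SIZE))
    print("sample passphrase (demo list, low entropy):", generate_passphrase())
    print("sample manager-style password:", generate_password())
```

Five dictionary words from a 7776-word list give about 64.6 bits; eight fully random printable characters give about 52.4 bits, so the longer, easier-to-type passphrase wins. The passphrase only helps if the words are drawn at random from a large list: picking favourite words by hand, or using the 16-word demo list above, gives far fewer bits than the formula suggests for the full list.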
How can we help you?
Lökwest has years of technology consulting experience. If you’re experiencing a security issue or have any technical questions, we’re here to help! Just click on the chat icon or contact us today!