Corban Technology Solutions Journal

My email has been hacked!

Posted on May 24th 2019

By Stan Shaw, Founder, CTS

Not really. At least not now.

But I am sharing this as a rather personal case study, because I received multiple email messages designed to look as if I had been. And all of them were criminal extortion attempts.

It all began about two weeks ago when I started to receive multiple messages like the one below.

The message was interesting. But what really made me take notice is that the email seemed to be coming from my account.

I was aware that messages like these, designed to basically bluff their way into extorting victims, had been appearing for well over a year on the Internet. All seemed to follow a similar format. And have been pretty much discounted as fake. In my case, the threat was laughable. I simply don't do those sorts of things.

My real concern was, did the scammer really hack into my email account?

The "from:" and "to:" fields certainly looked legitimate.

And if you hover over the "x" icon beside my email address where a photo normally appears, my photo, phone and other profile content is displayed.

I was also aware that anti-SPAM software can sometimes mislabel legitimate messages. Therefore, whether or not Google flagged it as SPAM (which in this case it did), this definitely needed to be investigated.

The first thing I checked, of course, was my "sent" email folder. The received message was not there. I was happy to see this, but it still didn't prove the account had not been hacked.

The good news is that there is an easy way of finding out how that email really got into your inbox. To do this, simply click on "Show Original" using Gmail, or the equivalent option when using other email systems.

This lets you see the underlying header codes, which show where a message came from and how it was routed through the Internet on its way to your inbox.

Once the headers were displayed, this is what I found.

The headers, which start with the word "Received: from " should be read chronologically from bottom to top — the oldest, which is where the email actually originated from, is at the bottom.

So, I looked at the bottom of the mass of headers that were there, and found that my message had actually originated from a computer located in Texas.

But before it got to me, it was sent through a Microsoft server. And then, to Iran.
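The bottom-to-top reading of "Received: from" headers described above can be done mechanically. The following script is an added example, not code from the original post: it takes the raw text that Gmail's "Show Original" displays, lists each hop in chronological order (oldest first), and checks whether the earliest hop has anything to do with the domain in the "From:" field. The sample message, its hostnames and its IP addresses are constructed for illustration (the addresses come from the reserved documentation ranges) and stand in for the Texas, Microsoft and Iran hops the post describes.

```python
"""Walk the Received: headers of a raw message in chronological order.

Added example: parses the raw source that Gmail's "Show Original" displays
and reports where the message really entered the mail system. Sample data
below is constructed; the hosts and addresses are placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample. The From: line claims the recipient's own address, but
# the earliest Received: hop (the bottom one) is an unrelated host.
SAMPLE_RAW_MESSAGE = """\
Received: from mx.example-relay.ir (mx.example-relay.ir [203.0.113.7])
\tby mx.google.com with ESMTP id abc123
\tfor <stan@example-clinic.ca>; Fri, 24 May 2019 10:05:12 -0700 (PDT)
Received: from smtp.example-relay.net (smtp.example-relay.net [198.51.100.25])
\tby mx.example-relay.ir with SMTP; Fri, 24 May 2019 10:04:50 -0700
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby smtp.example-relay.net with ESMTPA; Fri, 24 May 2019 10:04:31 -0700
From: Stan Shaw <stan@example-clinic.ca>
To: Stan Shaw <stan@example-clinic.ca>
Subject: Your account has been hacked
Date: Fri, 24 May 2019 10:04:31 -0700

Pay up or else.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the 'from' host, its bracketed IP and the 'by' host out of one
    Received: header value. Fields that are absent come back as None."""
    text = re.sub(r"\s+", " ", value).strip()
    from_match = re.match(r"from\s+(\S+)", text)
    by_match = re.search(r"\bby\s+(\S+)", text)
    ip_match = IPV4.search(text)
    return {
        "from_host": from_match.group(1) if from_match else None,
        "from_ip": ip_match.group(1) if ip_match else None,
        "by_host": by_match.group(1) if by_match else None,
    }


def trace_route(raw_message):
    """Return the hops oldest-first. Each receiving server prepends its own
    Received: header, so the message order is newest-first and we reverse it.
    Only the hops added by servers you trust (the top ones, nearest you) are
    reliable; a sender can fabricate anything below them."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    return [parse_received(str(value)) for value in reversed(received)]


def sender_domain(raw_message):
    """Domain part of the From: address, lower-cased."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, address = parseaddr(msg["From"] or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def origin_matches_sender(raw_message):
    """True when the earliest hop names a host under the From: domain.
    False means the message entered the mail system somewhere unrelated to
    the address it claims to come from, which is what a forged sender looks
    like in the headers."""
    hops = trace_route(raw_message)
    domain = sender_domain(raw_message)
    if not hops or not domain:
        return False
    first = hops[0]
    hosts = [h for h in (first["from_host"], first["by_host"]) if h]
    return any(h.lower().rstrip(".").endswith(domain) for h in hosts)


if __name__ == "__main__":
    for number, hop in enumerate(trace_route(SAMPLE_RAW_MESSAGE), start=1):
        print(f"hop {number}: {hop['from_host']} ({hop['from_ip']}) -> {hop['by_host']}")
    print("From: domain:", sender_domain(SAMPLE_RAW_MESSAGE))
    print("origin under From: domain:", origin_matches_sender(SAMPLE_RAW_MESSAGE))
```

Paste the full output of "Show Original" into a file and pass its contents to trace_route to get the same bottom-to-top reading the post walks through by hand; the first hop printed is the one to look up.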

A fascinating journey.

What this case study demonstrates is that forged email addresses are a tried and true method of impersonating the sender.

The email was sent through a rogue SMTP server that has been known for sending spam. My guess is that the message itself likely originated from a botnet running on an infected computer in Plano Texas. We are following up on this. What is more important for me to know at this time is that the email headers proved the message I received did not come from our systems.

However, not every case is as simple as this. If you suspect something is not quite right, especially on a clinical office system or personal device that is used to access your EMR, you must assume you have been breached. This could be a very serious situation, so it should be treated as such. For this reason,

Investigating a possible IT security breach in a healthcare clinic is something best left to a qualified IT security specialist.

They have the skills and training to correctly diagnose the problem, and rapidly work towards securing your systems, if, in fact, they were actually compromised. In the meantime,

Here's what you can do to survive

These are based on recommendations by our business affiliate, KnowBe4, a leader in preventing social engineering related security breaches.

Rule Number One:

Use anti-SPAM software throughout your organization. But don't blindly trust that anti-SPAM will protect you. The next survival rules could save your clinic considerable grief.

Rule Number Two:

Stop, Look, Think! Use that delete key.

Rule Number Three:

Did you spot a "red flag" that makes you wonder if that email is legitimate? Verify it with the sender via a different medium.

Rule Number Four:

"When in doubt, throw it out." There are a thousand ways that Internet criminals will try to scam you. There is only one way to stay safe. Stay alert. YOU are the last line of defense.

And finally, educate your staff.

We can help through extremely beneficial in-person workshops, and on-line training programs designed to protect your health clinic or business anywhere in BC.

Posted in Case Studies