February 12, 2015 • Ben May

This isn’t a post on how to install or setup two-factor authentication with Google Apps or Gmail – that information exists already.

This is a reminder based on a client’s experience today and how it was resolved.

I received an email from a client today, with the subject of “The Files” – which was timely as one of the team were working on their new website.

I quickly saw it and realised it was fake, see below.

I spoke with them later in the day and took a look at what was going on. Here’s what appears to have happened:

Attacker got in with their password (which featured a capital and 4 numbers – so not as obvious as “password”).

Attacker found an email in their sent mail and copied the signature.

Then they started sending spam out to all contacts and appending the real signature so it looked really legitimate.

Contacts would reply and they would then reply saying something like: “Hi, Is this legit? It looks like spam” to which the attacker would then reply saying “Yes, these are those files you need” (paraphrasing).

Then they covered their tracks and deleted all the emails.

After we reset their logins, emails were still being trashed which was odd.

I then looked at Gmail filters, and there were 30 rules created that were trashing and permanently deleting all the evidence so that the victim may not even notice what was going on.

For example, if the email subject equals “The Files” then mark as read and trash.
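Filters like that are easy to miss by eye, so here is an added example (not part of the original post) that audits a Gmail filter export for the patterns described above. Gmail lets you export all filters from Settings → Filters as an Atom XML file in which each filter is an `entry` with `apps:property` elements; the script parses that format and flags any rule that trashes mail, archives it as already read, forwards it elsewhere, or bypasses the spam filter. The XML embedded below is constructed for the example: it mirrors the “The Files” rule from the incident, a second hiding rule, a benign newsletter label, and a forwarding rule to a placeholder address.

```python
"""Audit a Gmail filter export for rules that hide or divert mail.

Added example, not code from the original post. The sample XML is
constructed to look like a Gmail Settings > Filters > Export file.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in Gmail's filter-export layout (Atom feed, apps:property
# children). Addresses are placeholders, not real ones.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='subject' value='The Files'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='legit'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='invoice'/>
    <apps:property name='forwardTo' value='placeholder-external@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""

# Property names Gmail uses for the matching half of a filter.
CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall(f"{ATOM}entry"):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall(f"{APPS}property")}
        filters.append(props)
    return filters


def audit_filter(props):
    """Return the reasons a single filter looks like it hides or diverts mail."""
    reasons = []
    if props.get("shouldTrash") == "true":
        reasons.append("deletes matching mail (shouldTrash)")
    if props.get("shouldArchive") == "true" and props.get("shouldMarkAsRead") == "true":
        reasons.append("hides matching mail from the inbox as already read "
                       "(shouldArchive + shouldMarkAsRead)")
    if "forwardTo" in props:
        reasons.append(f"forwards matching mail to {props['forwardTo']}")
    if props.get("shouldNeverSpam") == "true":
        reasons.append("bypasses spam filtering (shouldNeverSpam)")
    return reasons


def audit_export(xml_text):
    """Return (index, criteria, reasons) for every suspicious filter in the export."""
    findings = []
    for i, props in enumerate(parse_filters(xml_text)):
        reasons = audit_filter(props)
        if reasons:
            criteria = {k: v for k, v in props.items() if k in CRITERIA_KEYS}
            findings.append((i, criteria, reasons))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; pass a real export's text instead
    # when checking an account after a suspected compromise.
    for idx, criteria, reasons in audit_export(SAMPLE_EXPORT):
        print(f"filter #{idx} matching {criteria}:")
        for reason in reasons:
            print(f"  - {reason}")
```

On the sample this reports three of the four filters: the “The Files” trash rule, the archive-and-mark-read rule keyed on the word “legit” (the kind of rule that would swallow the “Is this legit?” replies mentioned above), and the forwarding rule. The plain newsletter label is left alone. Reviewing filters and forwarding settings this way is a useful step after any password reset, because, as the incident shows, resetting the login alone does not undo rules the attacker left behind.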

The attacker was doing all this via a browser and did a creepily good job of covering their tracks. The fact they were replying to people and telling them to click the link was pretty creepy indeed.

This is why you should use strong passwords and enable two-factor authentication on all your web services.

