More on the phishing saga
Aug. 30th, 2021 08:35 pm
Well, I think I managed to clear up my parents' phishing problem. I really wish that I'd been able to do that right away, but here we are.
Details under the cut, mainly for my own reference, though possibly some other people will find it helpful if they encounter anyone else who gets into a similar mess. It seems to have been a low-tech method that works by fooling people into giving away information; no downloads and no trackers, as far as I can tell.
My mom received an email that claimed to be from Microsoft. It said that her account needed to be updated/verified, and that she should click the link in the email to do that.
It was a classic phish - the email address wasn't from Microsoft, the subject was attention-getting and had emojis in it, and of course there was the context/unsolicited requirement for information. Anyway, she clicked it, and it took her to a fake Microsoft Outlook page, where she put in her email and password info. Going by what she told me about it, I'm guessing that on the back end this was just a regular form, and that's how the scammer got her info. This happened on Thursday evening.
Then, on Friday morning, the scammer logged in to her email in the usual way. They then proceeded to do a combination of password phishing and a classic gift card scam:
1. They sent out a bunch of vaguely worded Requests For Help to people in my parents' contacts list, from my parents' email.
2. They then changed the display name of my parents' email from my parents' name to something like MICRO Service, and sent out a bunch of emails similar to the one my mom clicked, with phishing links.
2b. I can't quite remember, but I think they also deleted these emails from the Sentbox.
3. They set up an email Rule to have all mail received by my parents' email forwarded to an email account that looked very similar (one letter off) AND automatically delete these messages from my parents' inbox, so there was no immediate sign that something was wrong or that anything had been received.
4. When someone replied to the vague request for help, the scammer would reply from the fake email saying that their friend had cancer and they needed money in the form of gift cards, and to send a photo of the back of the gift card with the info shown. They also said that they couldn't do this themselves because they were out of town and they had no cell service. (I know this because I asked a relative to forward one of these emails to me so I could look at it.)
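The forward-and-delete rule in step 3 is the part of this chain that keeps the account owner in the dark, and it is also the easiest part to check for. Below is an added example (not from the original post) of an audit over a mailbox's rules: it flags any rule that forwards mail to an address the owner does not control, raises the severity when the rule also deletes the message from the Inbox, and notes when the target is a lookalike of the owner's own address. The `MailRule` records and every address in it are constructed placeholders, not any provider's real rule-export format; the lookalike test is Levenshtein distance with a threshold of two edits, which covers the "one letter off" case described above as well as a swapped pair of letters.

```python
"""Audit mailbox rules for the forward-and-delete pattern.

Added example, not code from the original post. MailRule is a constructed,
simplified representation of a rule; real providers expose rules in their
own formats, so this would be fed from whatever export you actually have.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MailRule:
    name: str
    forward_to: tuple[str, ...]  # addresses the rule forwards/redirects to
    delete: bool                 # rule also removes the message from the Inbox


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (used to spot lookalike addresses)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_lookalike(owner: str, addr: str, max_distance: int = 2) -> bool:
    """True when addr differs from the owner's address by only a few edits."""
    owner, addr = owner.lower(), addr.lower()
    return owner != addr and edit_distance(owner, addr) <= max_distance


def audit_rules(owner: str, rules: list[MailRule]) -> list[dict]:
    """Return one finding per external forwarding target.

    Severity is 'high' when the rule also deletes the message (the forward is
    hidden from the owner), otherwise 'medium'. Forwarding to the owner's own
    address is ignored.
    """
    findings = []
    for rule in rules:
        for target in rule.forward_to:
            if target.lower() == owner.lower():
                continue  # forwarding to yourself is not exfiltration
            reasons = ["forwards mail to an external address"]
            if rule.delete:
                reasons.append("deletes the message from the Inbox (hides the forward)")
            if is_lookalike(owner, target):
                reasons.append("target is a lookalike of the owner's address")
            findings.append({
                "rule": rule.name,
                "target": target,
                "severity": "high" if rule.delete else "medium",
                "reasons": reasons,
            })
    return findings


# Constructed sample data: placeholder addresses, not real accounts.
OWNER = "pat.example@example.com"
SAMPLE_RULES = [
    MailRule("Receipts to folder", forward_to=(), delete=False),
    MailRule("Copy to phone", forward_to=("pat.example@example.com",), delete=False),
    MailRule("Untitled rule", forward_to=("pat.exanple@example.com",), delete=True),
    MailRule("Newsletter share", forward_to=("friend@other.test",), delete=False),
]


if __name__ == "__main__":
    for f in audit_rules(OWNER, SAMPLE_RULES):
        print(f"[{f['severity']}] rule {f['rule']!r} -> {f['target']}: "
              + "; ".join(f["reasons"]))
```

Run against the sample data, the third rule comes out as a high-severity finding with all three reasons, and the fourth as a medium one; the first two produce nothing. The same pass is worth repeating after remediation, since turning off one rule does not prove another was not left behind.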
This all seems to have gone down on Friday, with no activity since then.
Now, as far as I can tell, it's just pure coincidence that my parents were actually out of town when this happened; there was no info anywhere in my parents' emails that would indicate that they wouldn't be home - they hadn't mentioned it anywhere. Still, it made the whole thing even more unnerving. I do think that they must have read some of my parents' emails - my father's name is the display name on the account, but they signed the exchanges with my mother's name. She's the one that sends/receives personal emails most frequently.
I turned off the deletion/forwarding, fixed the display name, and obviously did a password change. Checked for evidence of loggers in the downloads and the processes; turned up nothing. Ran various scans, which also came up clean. Everything seems to be normal. I will definitely be looking into doing a clean wipe of the computer (when I have more time) but it honestly looks like there were no tracking or downloads involved, which is a relief.
I am definitely going to do some kind of basic cybersecurity overview with them sometime soon. I put all the emails into a folder for reference, so at least now we have lots and lots of examples of what phishing and gift card scams look like. щ(◉Д◉щ)
no subject
Date: 2021-08-31 10:14 am (UTC)
Here's hoping your parents remember from now on!
no subject
Date: 2021-08-31 01:14 pm (UTC)
I actually find it kind of interesting, because it makes perfect sense - the first email was sent from the real account, so the people on the contacts list don't think to check the subsequent ones and realize that they're from a fake. I just wish I'd found out about this in some other circumstance.
no subject
Date: 2021-09-01 02:42 am (UTC)
When they don't try to change it, sending emails and setting up email rules is normal account behaviour, so the account owner wouldn't be notified that anything's amiss, and wouldn't realize that anything is going on until someone decides to call them about the weird messages.
But I'm just spitballing here.