by “Anonymous”
For a couple of days we were getting calls to our home phone, but when we answered, no one was there. It seemed odd—were they prank calls? Fundraising? No caller ID was displayed. Then, we realized that my husband’s email accounts hadn’t received the usual new emails overnight.
But later that morning, strange text messages and email alerts appeared:
- “Welcome to your new Walmart+ Account!”
- “Confirm your password change request on PayPal”
- Notices of new sign-ins for multiple Google accounts on new machines
- Notice of AOL password change
- Unexpected Two-Factor Authentication (2FA) code requests
We’d been hit—the bad guys targeted multiple accounts within a span of 12 hours.
- Our oldest/legacy email account password was changed.
- Our Comcast account password was changed.
- A fraudulent Walmart+ subscription was created and paid for with our credit card.
- Multiple gift cards were purchased on established accounts (Best Buy, etc.).
- Multiple orders for merchandise were made to various vendors with a California delivery address.
- Airline miles were used to buy gift cards.
- An application for a new credit line in my name was made using my Social Security number.
- Our PayPal account password was compromised; fortunately, no funds were paid to others.
How did it happen?
- Old credentials float around the web in data dumps (“the dark web”) and can include email addresses, account passwords, phone numbers, and Social Security numbers. This was the likely path of the attack.
- Once the old email account was accessed and its password changed, the attackers set it to forward all of our emails to themselves.
- Next, they accessed our Comcast account and changed its password. This allowed the hackers to forward all of our phone calls to them (which explains the short phone-call rings!). Calls to our phone were being re-routed to a number in California, where they could validate the 2FA requests.
- So, by forwarding both our emails and our phone calls, they could approve 2FA requests and change our passwords on multiple accounts.
But how did they change the initial email account password? Most likely through “Human Engineering” (more commonly called social engineering).
What is Human Engineering? It means taking advantage of human emotions to gain private information, access, or valuables, and luring unsuspecting users (or tech support reps) into granting access to restricted systems. A criminal contacting a service provider impersonates the true account owner and has enough identifying information (from the dark web data) to convince tech support to change the password on the account.
How did we figure out that this was a cyber attack? We saw multiple clues:
- The first Comcast password change itself is hard to explain otherwise: they had enough information to be convincing in their request for “help”.
- Even after we started to recover our accounts, our email password was changed a second time within hours as tech support was again convinced by the hackers with a sob story that they didn’t reset it correctly.
- Once we recovered the PayPal account (thanks to biometrics), we reviewed the tech support chat log where the criminals were emotionally pleading that they needed to send money to a family member in crisis.
Where we went wrong
- A few “legacy / old” accounts (like a decades-old email account) did not have an updated password or 2FA.
- We didn’t have 2FA set up on Comcast, our phone service provider.
- Our login credentials from some legacy shopping sites did not have updated passwords with 2FA, so they ended up being the primary targets of the attack.
- If you use 2FA via calls/texts, your phone provider account absolutely must be secure. Ours, unfortunately, was not.
What saved us!
- Having Two-Factor Authentication (2FA) enabled, including biometric factors on many critical accounts such as PayPal.
- Having pre-defined alternate email addresses for a number of accounts to allow us another way to access and reset our credentials.
- Recognizing the barrage of alerts as a sign that a larger attack was underway.
- Having the numbers to call to report fraud with credit cards, banks, and credit bureaus. We were quickly able to stop the attack, and all of the charges and credit rating records were reversed.
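As an added defender-side illustration (not part of the original post), the following Python script models the “barrage of alerts” clue from the list above: it parses constructed notification lines, keeps only the security-relevant ones, and flags any 12-hour window in which three or more distinct services raised one. The sample lines, service names, keyword patterns and thresholds are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts modelled on the ones in the post (not real messages).
SAMPLE_ALERTS = [
    "2024-05-02T02:15 aol: Your AOL password was changed",
    "2024-05-02T02:40 comcast: Your account password has been updated",
    "2024-05-02T06:05 google: New sign-in to your Google Account from a new device",
    "2024-05-02T06:30 walmart: Welcome to your new Walmart+ account!",
    "2024-05-02T07:10 paypal: Confirm your password change request",
    "2024-05-02T07:12 bestbuy: Your verification code is 483920",
    "2024-05-03T09:00 newsletter: Weekly deals just for you",
]

# Keyword patterns (assumed) that mark an alert as security-relevant; marketing mail matches none.
PATTERNS = {
    "password_change": re.compile(r"password (was|has been|change)", re.I),
    "new_signin": re.compile(r"new sign-?in|new device", re.I),
    "new_account": re.compile(r"welcome to your new", re.I),
    "otp_code": re.compile(r"verification code|2fa code", re.I),
}
LINE = re.compile(r"^(\S+) (\w+): (.*)$")  # "<timestamp> <service>: <body>"

def parse_alert(line):
    """Return (timestamp, service, category), or None if the line is not a security alert."""
    m = LINE.match(line)
    if not m:
        return None
    ts, service, body = m.groups()
    for category, pat in PATTERNS.items():
        if pat.search(body):
            return datetime.fromisoformat(ts), service, category
    return None

def takeover_windows(lines, window=timedelta(hours=12), min_services=3):
    """Slide a window starting at each alert; return (start, end, services) for every
    window in which at least min_services distinct services raised an alert."""
    events = sorted(e for e in map(parse_alert, lines) if e)
    hits = []
    for i, (start, _, _) in enumerate(events):
        in_win = [e for e in events[i:] if e[0] - start <= window]
        services = sorted({e[1] for e in in_win})
        if len(services) >= min_services:
            hits.append((start, in_win[-1][0], services))
    return hits

def flagged_services(lines):
    """Union of services seen in any flagged window; empty set means no burst was found."""
    services = set()
    for _, _, svc in takeover_windows(lines):
        services.update(svc)
    return services
```

Run against the constructed lines, the newsletter is ignored and the six account alerts inside one morning are flagged together, which is the signal the post describes.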
What to do if you’re a target of a cyber attack
- Act Fast! Every hour allows attacks to multiply.
- Report the fraud to the police—it is a crime!
- A comprehensive list of steps to take is available from the Delaware Attorney General’s Office: https://attorneygeneral.delaware.gov/fraud/cpu/idtheft/
- Contact the credit bureaus (Equifax, Experian, TransUnion) to report the fraud and place a freeze on your credit.
- File a complaint with the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/Home/ComplaintChoice.
- You can also report the fraud to the Federal Trade Commission at https://reportfraud.ftc.gov/, or by phone at 1-877-382-4357 (9:00 AM – 8:00 PM, ET).
Even better—take steps to prevent a cyber attack
- Review our SecureUD Best Practices and familiarize yourself with the ways in which you can keep your online identity safe from criminals.
- Consider keeping your credit bureau accounts frozen—you can temporarily turn off the freeze if you are applying for credit.
- Use unique passwords for your web logins, especially if they are used for payments. And don’t forget to check “old” accounts! It’s easy to be complacent, especially if you’ve had certain online accounts “forever”. These are the credentials that are easiest for criminals to discover.
- Enable Two-Factor Authentication on any account that is used for payments, so that someone who obtains your password alone can’t do damage. Ways to set up that second factor include:
  - Having the account send you a text message or phone call with a 2FA code to authorize access.
  - Using a mobile app (like Google Authenticator or Microsoft Authenticator) to receive 2FA codes.
  - Setting up biometric authorization (face reader, fingerprint reader, etc.).
  - Defining an alternate email address (if available) that will be notified in the event of suspicious activity.
- To make it easier to manage all of your login credentials, use a password manager tool.
It’s an unfortunate reality that there are fraudsters out there constantly looking for opportunities to access your accounts and steal your data. By staying alert, following best practices, and taking advantage of the available tools, you can keep your data safe and secure.