Don’t Let Your Guard Down
It seemed perfectly legitimate and was cleverly assembled as a request from someone I do know in my network, whom I had met and communicated with in the past... but it was not.
Over the course of the next 90 minutes, I managed to compromise 3 separate accounts of my own on the Microsoft servers, burn up endless time trying to track down the originator of the phishing attempt, and confirm my own late suspicions that this was a phishing attack and I'd compromised some of my accounts.
But first things first: what is the overriding lesson, and your incremental step, when it comes to any note, LinkedIn connection or reach-out you receive?
Trust No One
The sad reality of the age we live in is that your defenses have to be on high alert all of the time.
If you do get duped, as I did, your next and immediate step, before doing anything else:
- Log into every account you entered the credentials for and change the password(s)
In my case, this was 3 separate accounts!
Hopefully, because you followed the advice in my earlier post Securing your Accounts (and Your Life), you won't need the next step, because none of your passwords are re-used and you have a password manager that creates a random password for every account. If that is not true, then you are in a whole host of trouble. Even if the compromised account is some off-the-beaten-track account using a spare or throwaway email, you're in trouble, because whatever password you entered will now be fed into credential stuffing attacks: the attackers will try that same password against multiple account IDs, which may well include your regular email and, through it, your bank account. So the follow-up step is to change that password everywhere else you ever used it.
Learn from My Stupidity
The Original Request from LinkedIn
I have concealed the details of the individual on LinkedIn and the company linked to the proposal, since they are not at fault.
The link in the request was a bit.ly link, named after the person the request came from (a nice touch to reduce your suspicions). As an added bit of protection, I claimed that bit.ly link before some smart alec could use it for more fraud and phishing. Clicking on the links in this document took you to a PDF document on Google Drive (an image with no links, shown below).
Clicking on the link (there were multiple, but they all ended up in the same place) took you to this page,
where they wanted you to enter your Microsoft credentials. The page looked like the typical Microsoft authentication page.
Like an idiot, I did. When I failed to "authenticate" with a couple of accounts, I tried again, thinking it was due to the different types of accounts you can create with Microsoft: some have access to MS Office 365 applications, and others are just an empty account with a little free storage, good for linking gaming or similar activities. It was only after the third attempt at entering credentials that I got suspicious and dug into the links, thinking to myself:
What a Dipstick!
The first link, in Google Drive, could be legitimate, and there was no way of knowing where or to whose account it was tied. But the first hint of a problem: if this was a real request, why did I need to click on another link and then enter credentials? It was a clever ruse, as this is an increasingly common requirement when you interact with health systems, which require you to log in to access a message in their vague attempt to satisfy the drumbeat of HIPAA.
What was the base domain (the hostname at the beginning of the URL, before the first slash that follows http://)? http://lorografic.com, as you can see in the accompanying screenshot showing the first part of the web page address followed by a string of unintelligible characters. So your next incremental step is to look at the URL, strip off everything after the hostname, and see where that bare domain actually ends up.
Visiting that bare domain resolves to a shopping site, possibly based in Lima, Peru. Hmm, well, that's just a little suspicious!
At this point, realizing how stupid I had been, I dropped everything and spent a good 30 minutes changing all the passwords for the 3 accounts I had entered and given the hackers access to.
Incremental Step
Act Fast when you realize you have given up credentials
Then I wanted to let the originator know their account had been compromised, but my contact information for them was out of date, from an old role they were no longer in, so the email was stale and I had no cellphone number. Well, LinkedIn often has personal contact info for people, so I went looking there, and sure enough there was a different "personal email" listed. But my Spidey senses were on super-duper-high alert, and the domain (bit-ion.net) seemed suspicious.
The web page at that location has been parked. In other words, someone has registered the domain but not put up a web page. Not suspicious on its own, but taken together with all the other data, worth digging into. So who owns that domain? At this point, you need to use some online tools to look up the domain owner with a WHOIS lookup for that domain.
The results are telling, not least when you see that the creation date was just a week before the message arrived. The registrant contact info is redacted, which is legitimate and common on many domains, so that part on its own proves nothing; the age does.
Domain Name: BIT-ION.NET
Registry Domain ID: 2437018324_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: http://www.namesilo.com
Updated Date: 2019-09-25T11:10:00Z
Creation Date: 2019-09-25T11:10:00Z
Registry Expiry Date: 2020-09-25T11:10:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.DNSOWL.COM
Name Server: NS2.DNSOWL.COM
Name Server: NS3.DNSOWL.COM
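As an added illustration (not part of the original post, and not the author's code), here is a small Python script that performs the two manual checks described above mechanically: it strips a URL down to its hostname, as the "remove the trailing text" step says to do, and it parses the WHOIS record quoted above to compute the domain's age and pull out the registrar's abuse contact. The hostnames and the WHOIS text come from the post; the sample links' paths, the "as of" date and the 30-day threshold are constructed assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample links of the kind described in the post. The hostnames
# (lorografic.com, drive.google.com, bit-ion.net) appear in the post; the paths
# and query strings are made-up placeholders, not the real phishing URLs.
SAMPLE_LINKS = [
    "http://lorografic.com/some/path/index.php?x=3f9a2c7e1b4d",
    "https://drive.google.com/file/d/PLACEHOLDER/view",
    "http://bit-ion.net",
]

# The WHOIS record quoted in the post, reproduced verbatim as parser input.
WHOIS_RECORD = """\
Domain Name: BIT-ION.NET
Registry Domain ID: 2437018324_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: http://www.namesilo.com
Updated Date: 2019-09-25T11:10:00Z
Creation Date: 2019-09-25T11:10:00Z
Registry Expiry Date: 2020-09-25T11:10:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.DNSOWL.COM
Name Server: NS2.DNSOWL.COM
Name Server: NS3.DNSOWL.COM
"""

# Assumed "today" for the age check: the post says the domain was about a week
# old when it was looked up, so this is a constructed date, not the real one.
AS_OF = datetime(2019, 10, 2, 12, 0, tzinfo=timezone.utc)
YOUNG_DOMAIN_DAYS = 30  # assumed threshold for "freshly registered"


def base_domain(url: str) -> str:
    """The 'remove all the trailing text' step: keep only the hostname."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def registered_domain(host: str) -> str:
    """Last two labels of the hostname. Deliberately simple: it uses no public
    suffix list, so 'example.co.uk' would come out as 'co.uk'."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' WHOIS lines into a dict; repeated keys become lists.
    Splitting on the first colon keeps URL values like http://... intact."""
    record: dict = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def domain_age_days(record: dict, as_of: datetime) -> int:
    """Whole days between the registry creation timestamp and as_of."""
    created = datetime.strptime(record["Creation Date"], "%Y-%m-%dT%H:%M:%SZ")
    created = created.replace(tzinfo=timezone.utc)
    return (as_of - created).days


def whois_red_flags(record: dict, as_of: datetime) -> list:
    """Human-readable reasons the record looks like throwaway infrastructure."""
    flags = []
    age = domain_age_days(record, as_of)
    if age < YOUNG_DOMAIN_DAYS:
        flags.append(f"domain created only {age} days ago")
    return flags


def triage_link(url: str, whois_text: str, as_of: datetime = AS_OF) -> dict:
    """Combine both checks and surface the abuse contact to report to."""
    host = base_domain(url)
    record = parse_whois(whois_text)
    return {
        "hostname": host,
        "registered_domain": registered_domain(host),
        "abuse_contact": record.get("Registrar Abuse Contact Email"),
        "red_flags": whois_red_flags(record, as_of),
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        host = base_domain(link)
        print(f"{link} -> {host} (registered domain: {registered_domain(host)})")
    print(triage_link("http://bit-ion.net", WHOIS_RECORD))
```

In practice you would feed parse_whois the output of the whois command line tool or an RDAP query rather than pasting text, and you would swap the two-label registered_domain for a public-suffix-list library, since the naive split gets country-code domains wrong. The point of the script is the ordering of the checks: hostname first, then age of the domain, then who to report it to.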
But that confirmed it for me, and the balance of my time was spent trying to reach the person whose account had been compromised, hoping they could reclaim it and stop the phishing messages. I also posted a quick note on LinkedIn, as this individual had lots of connections and I was betting they were all getting similar notes/requests.
Ultimately, this phishing scheme used all of these domains:
- bit-ion.net
- drive.google.com
- lorografic.com
I sent alerts to the abuse email addresses for each, hoping that they would kill the links and accounts (but not very hopeful, as this is a whack-a-mole kind of activity).
Take Away Lesson
The big lesson is:
Trust No One. Even if you think the individual is someone you know, their account could easily have been compromised.
On the internet, nobody knows you’re a dog