Have you ever received an email from yourself, only you didn’t compose or send it? You can probably guess that this is a cybersecurity issue. What better time than now to discuss how this sort of thing can happen, since it’s National Cybersecurity Awareness Month. The goal is a safer and more secure online experience.
Here’s the story.
I have a copy of an email from someone I’ll call “Marty” addressed to “Marty.” (That is, both the “to” and the “from” email addresses are identical.) Only Marty did not send himself the email. It was composed and sent by someone else, a hacker who “spoofed” (faked) his email address.
This is how the email began: “I have very bad news for you.”
The writer explained that he hacked Marty’s operating system through a vulnerability in his router software: “Check it out. This email came from you.”
Then came a threat. The spoofer made it clear that Marty’s good name and business were in jeopardy, since the spoofer had the ability to access photos, etc., and would change them to include images that would be offensive.
He demanded that a certain dollar amount, paid in bitcoin, be deposited into the spoofer’s bitcoin wallet, and gave a 48-hour deadline. Just in case Marty was inexperienced in bitcoin, the spoofer offered some reassuring advice: “Marty, it’s easy. Just Google it.”
To make sure Marty was paying attention, the spoofer made it clear that he had been spying on Marty for a while ... ever since the original hack.
Then came the guarantee: Marty will go unharmed if the payment comes on time. And a DON’T DO list: Don’t bother trying to reformat the computer or antivirus — it’s too late.
The email finished with another veiled threat (the spoofer is experienced at this game), a reason to make payment (trust me to live up to my side of the deal) and a friendly signoff (be sure to update your antiviruses so this doesn’t happen to you again).
Marty’s next steps? Accept that he was spoofed. File a complaint with the FBI. Review cybersecurity protocols in place. Identify vulnerabilities. Set up best practices for the future. Decide whether to follow the FBI’s guidance to forgo paying the ransom.
While you may not have been targeted with such an attack (yet), it pays to be prepared. Here is the FBI report you need to read: “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations” at https://www.ic3.gov/media/2019/191002.aspx.
There, you will find information on this type of cybercrime, what to do if you are targeted (report the incident to authorities; don’t pay the ransom), ways to avoid becoming a victim and cyber defense best practices (you never know when you’ll have to play defense).
Prevention is not simply a matter of installing anti-spam software. Here are two examples of further steps to take:
1) Have procedures to review “common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs, including those located in the AppData/LocalAppData folder.”
2) Audit your network to see if there are protocols for using Remote Desktop Protocol (RDP). Close unused RDP ports. Apply two-factor authentication.
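One way to carry out the review in step 1, shown as an added example that comes from neither this article nor the FBI report: a Python sweep of the per-user temporary and AppData/LocalAppData folders that lists executable and script files changed recently. The extension list, the seven-day window and the function names are assumptions to adjust for your environment.

```python
import os
import time
from pathlib import Path

# Extensions commonly used by executables and scripts on Windows
# (an assumed starting list, not taken from the FBI report).
SUSPECT_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd",
                      ".ps1", ".vbs", ".js", ".hta"}


def default_roots():
    """Temp and AppData/LocalAppData folders of the current user, read
    from the standard Windows environment variables when they are set."""
    roots = []
    for var in ("TEMP", "APPDATA", "LOCALAPPDATA"):
        value = os.environ.get(var)
        if value and Path(value).is_dir():
            roots.append(Path(value).resolve())
    return roots


def find_recent_executables(roots, max_age_days=7, now=None):
    """Return (path, age_in_days) pairs for executable or script files
    under `roots` modified in the last `max_age_days`, newest first."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = {}  # keyed by path so overlapping roots do not report twice
    for root in roots:
        # os.walk silently skips directories it cannot read
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                if path.suffix.lower() not in SUSPECT_EXTENSIONS:
                    continue
                try:
                    mtime = path.stat().st_mtime
                except OSError:
                    continue  # file vanished or is locked
                if mtime >= cutoff:
                    hits[path] = round((now - mtime) / 86400, 1)
    return sorted(hits.items(), key=lambda item: item[1])


if __name__ == "__main__":
    for path, age in find_recent_executables(default_roots()):
        print(f"{age:5.1f} days  {path}")
```

A hit is a file to look at, not proof of infection: browsers and installers legitimately write executables to these folders, so compare the list against software you know was installed or updated.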
Here are additional resources:
The FBI’s Internet Crime Complaint Center (to report a complaint) at https://www.ic3.gov/faq/default.aspx.
The Anti-Phishing Working Group (apwg.org), which includes ISPs, security professionals, financial institutions and law enforcement agencies.
The National Cyber-Forensics & Training Alliance’s website (https://www.ncfta.net/resources-2/) has a list of additional organizations, such as #NoMoreRansom, a public-private partnership between law enforcement and industry leaders, and Fraudsupport.org, a program for victims created by the Cybercrime Support Network.
Visit the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency website at https://www.cisa.gov/cybersecurity for a wealth of helpful materials.
To see an FBI video on the subject, go to https://www.fbi.gov/video-repository/ic3_112117.mp4/view.
By the way, even the FBI has been impersonated. See “Impersonation of the Internet Crime Complaint Center” (February 2018) at https://www.ic3.gov/media/2018/180201.aspx.