In the first case, my customer was pretty sure that she fell for a phishing attack in which she thought she was entering her email password for a legitimate reason (securing her account), but really she was entering her password on a forged website made to look legitimate. In the second case, my customer had no idea how the hacker got her email password. Yahoo has had several massive attacks where accounts and passwords were stolen, so perhaps that is how it happened.
In the first case, this is the email the hacker sent out from my customer’s account:
Subject: Favor…..<customer’s name>
I need a favor from you. I’d appreciate if you could email me back asap.
If replied to, this was followed by:
I need to get a Nordstrom Gift Card for my Nephew, Its his birthday but i can't do this now because I'm currently traveling. Can you get it from any store around you? I'll pay back as soon as i am back.
Kindly let me know if you can handle this.
In the second case, this is the email the hacker sent out:
Subject: Help…...<customer’s name>
I hope your week is going great? Actually, Please I need to get an eBay Gift Card for my niece, its her birthday but I can’t do this now because I’m currently traveling, Can you help get it from any store around you? I’ll pay back as soon as I am back. Kindly let me know if you can handle this so I can tell you how much to get.
Thank you so much,
If the victim (i.e., the person receiving the email) falls for this, the hacker will then ask for the gift card numbers, after which they can easily drain the gift card of its cash value.
When my customers contacted me, here is what I did, and what you should do if this happens to you:
1) Via any web browser, log in to your email account
2) Change the password. If you used the same or similar password on other accounts, change them there too. Pick great passwords!
3) Check all your email settings to make sure they are correct. In particular:
- Check the reply-to field to make sure it is your email address
- Check if an automatic forward or automatic reply has been set (if you can’t find these settings, you may need to change your email view to basic; this is the case on Yahoo)
- Check email rules and filters to make sure none have been set
- Check your signature if you have one
- Check your account recovery information
- Add two-factor authentication
- Change the answers to your security questions so that they are false. You should do this here and everywhere. It can simply be done by adding another word to the end of your security question answer.
In my customers’ cases, I found the following settings:
- Every email was automatically forwarded. In one case, a Gmail account had been created in the customer’s name to receive the forwarded emails.
- A rule with the name of “.” was created to move every received email into either the Archive folder or the Trash folder
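The same checks can be run over an export of a mailbox's settings. This is an added example, not part of the original post: the export format and its field names (`reply_to`, `auto_forward`, `rules`) are assumptions, and the sample data is constructed to mirror the settings found above.

```python
import re

# Constructed sample: a mailbox-settings export in a hypothetical format.
# Field names are assumptions; map them from whatever your provider exports.
SAMPLE_SETTINGS = {
    "address": "customer@example.com",
    "reply_to": "customer@example.com",
    "auto_forward": "customer.name@example.net",
    "rules": [
        {"name": ".", "conditions": [], "action": "move", "target": "Trash"},
        {"name": "Newsletters", "conditions": ["from:news@example.org"],
         "action": "move", "target": "Newsletters"},
    ],
}

# Folders where moved mail is unlikely to be noticed by the account owner.
HIDING_FOLDERS = {"trash", "archive", "deleted items", "junk", "spam"}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def audit_settings(s):
    """Return a list of findings for settings an intruder commonly changes."""
    findings = []
    own = s["address"].lower()
    reply_to = (s.get("reply_to") or "").lower()
    if reply_to and reply_to != own:
        findings.append(f"reply-to is {reply_to}, not the account address")
    fwd = (s.get("auto_forward") or "").lower()
    if fwd:
        where = "same domain" if domain(fwd) == domain(own) else "external domain"
        findings.append(f"automatic forward to {fwd} ({where})")
    for rule in s.get("rules", []):
        name = rule.get("name") or ""
        target = rule.get("target") or ""
        catch_all = not rule.get("conditions")  # no conditions: matches all mail
        hides = target.lower() in HIDING_FOLDERS
        if catch_all and (hides or rule.get("action") in ("delete", "forward")):
            findings.append(f"rule {name!r} applies to every message "
                            f"({rule.get('action')} -> {target})")
        elif not re.search(r"\w", name):
            findings.append(f"rule {name!r} has a blank or punctuation-only name")
    return findings


if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        print("REVIEW:", finding)
```

Any finding is a prompt to open that setting and confirm you created it yourself; a forward to an address that merely looks like yours still counts.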
This hack can happen to anyone. Be vigilant in case it happens to you!