Or…How a security expert can fall for a phishing scheme
Think no one will target your business with phishing attacks? Think again…
This confession is a bit hard for me. Just recently I was the target of a phishing attack. And I got sucked in! What’s more, my habit of using the same passwords for certain web sites, despite the fact that I know better, made it even worse.
I’m hoping that coming clean by writing publicly about this will have a therapeutic effect and maybe, just maybe, help someone else avoid a successful phishing attack against them or their company.
The Set-Up
We own a cabin in north central Minnesota at which we haven’t been able to spend much time in the last couple of years. Rather than selling it, we decided to rent it. We created an LLC called Botz Landing. (Get it?) We listed it on the Vacation Rental by Owner (VRBO) web site. When a potential renter wants to ask a question or make a reservation, the web site sends me an “inquiry” email. VRBO wants owners to respond to these messages quickly. The email contains the name of the person, the dates they are interested in, and several links. One of these links takes you to the dashboard on the VRBO web site, where you can respond without the renter seeing your email address. Each property has a listing number, and that number is included at the end of the subject line.
One of these emails showed up in my inbox one afternoon a few days ago. I was busy working on something else. The inquiry was a request to rent over Christmas. I thought I would talk to my wife before I responded. Later, at about 2:00 in the morning, I finished up what I was working on and remembered that I hadn’t responded to the inquiry yet.
The Tells
At this point I started running into several clues that, had I been more alert, should have made me examine the email more closely. But I wasn’t as alert as I would normally be and I didn’t examine the email closely enough. A quick glance seemed to show that the email looked like all of the other inquiry messages that I’ve received.
Rather than clicking the “respond to inquiry in dashboard” link on the email, I navigated directly to the dashboard at the VRBO web site. The first clue that I missed was that the web site showed no inquiry for my property. “That’s strange,” I thought. But I wanted to respond to that inquiry. So I went back to the email.
There are two affiliated web sites: VRBO and HomeAway. HomeAway purchased VRBO at some point within the last year or two. You can choose to be listed on both (costs more) or just one. We chose to only list on VRBO. While everything about the contents of the email looked OK, the sender was HomeAway and not VRBO. Not being real certain about how the two web sites interact, I thought this might be an explanation for why my VRBO dashboard didn’t show an inquiry. Of course, this was another clue that I missed. I should have checked into this and made sure I understood if and how the two web sites interact. I didn’t.
The Sting
Being an impatient person by birthright, and wanting to get to bed, I went back to the email and clicked the link in the email. Wouldn’t you know it? My Gmail login apparently expired sometime during the evening. Instead of being brought to the VRBO or HomeAway web site, I was taken to a perfectly valid looking Google account login page. As I said, being the impatient person that I am, I dutifully filled in my Gmail ID and password, and then clicked the login button.
At this point, I expected to be forwarded to the VRBO or HomeAway web site. However, nothing happened. At first I was irked. I spent a few seconds thinking about it and realized that I may have just done a dumb thing.
A quick look at the URL for the Google login page affirmed that I had done a dumb thing. The URL was something like “http://www.earthlink.net/~wild9048.” Then I went to the inquiry email and looked at all of the URLs for the links on the page. They all pointed to the same place! Then I looked at the property number for the inquiry. It wasn’t my property number! Yet more missed clues. But alas, I now realized everything I had done wrong!
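The tells above (a sender that is not the site I list on, a listing number that is not mine, and every link in the message pointing at the same off-site URL) are easy to check mechanically. The following checker is an added example, not code from the original post or from VRBO; the expected sender domain, the listing number and the sample message are all constructed assumptions.

```python
# Added example: apply the phishing tells described in the post to a raw message.
# Expected domain, listing numbers and the sample e-mail are constructed assumptions.
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_SENDER_DOMAIN = "vrbo.com"            # assumed: the only site I list on
MY_LISTING_NUMBERS = {"123456"}                # assumed: placeholder listing number
TRUSTED_LINK_HOSTS = {"vrbo.com", "www.vrbo.com"}

# Constructed sample modelled on the message in the post (fake addresses and URLs).
SAMPLE_EML = """From: Inquiries <inquiries@homeaway-example.test>
To: owner@example.test
Subject: New inquiry for your property - Listing #999999
Content-Type: text/html

<html><body>
<p>A traveler wants to book Dec 22 - Dec 28.</p>
<a href="http://www.example-isp.test/~wild0000">Respond in dashboard</a>
<a href="http://www.example-isp.test/~wild0000">View inquiry</a>
<a href="http://www.example-isp.test/~wild0000">Unsubscribe</a>
</body></html>
"""

def check_inquiry(raw):
    """Return a list of tells found in a raw RFC 822 inquiry message."""
    msg = email.message_from_string(raw, policy=policy.default)
    tells = []
    # Tell 1: the sender is not the site I actually list on.
    _, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != EXPECTED_SENDER_DOMAIN:
        tells.append(f"sender domain {sender_domain!r} is not {EXPECTED_SENDER_DOMAIN!r}")
    # Tell 2: the listing number in the subject is not one of my properties.
    m = re.search(r"#(\d+)", str(msg["Subject"] or ""))
    if m and m.group(1) not in MY_LISTING_NUMBERS:
        tells.append(f"listing number {m.group(1)} is not one of mine")
    # Tells 3 and 4: links leave the trusted site, and they all go to one URL.
    body = msg.get_body(preferencelist=("html", "plain"))
    links = re.findall(r'href="([^"]+)"', body.get_content() if body else "")
    hosts = {urlparse(u).hostname for u in links}
    untrusted = sorted(h for h in hosts if h and h not in TRUSTED_LINK_HOSTS)
    if untrusted:
        tells.append(f"links point outside trusted hosts: {untrusted}")
    if len(links) > 1 and len(set(links)) == 1:
        tells.append("every link in the message goes to the same URL")
    return tells
```

Run against the constructed sample, `check_inquiry(SAMPLE_EML)` reports all four tells; a message from the expected domain with my listing number and on-site links reports none of the first three.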
After audibly uttering a decidedly uncouth four letter word, I resigned myself to the fact that I had to change my Google password. “Such a chore,” I thought. I have an android phone and tablet and I was going to have to figure out how to change my Google account password on those devices. Not long after that, I remembered the To-Do item I put on my list about 12 months ago – change my Google password to something other than what I use for a few of my financial institutions.
The Fix
Now the race was on. I had no idea what else may have happened when I clicked the nefarious link. So I decided to use my tablet to change my financial institution passwords. I also use a free “password vault” service to store all of my important URLs, userIDs, and passwords. So not only did I have to change passwords on a total of six different web sites, I also had to update my password vault. And of course, being somewhat anal, I needed to test each of the new passwords from my web browser and through my password vault utility.
Of course, knowing that I was roughly 50% responsible (I’m giving the attacker the other 50%) made me also want to use much more complicated passwords than I had used previously (even though the password I was using was rated “strong” on most sites). This makes typing the new passwords more error prone. Not to mention that I had to come up with six entirely different and more complicated passwords! I had to do most of this from my tablet, on which I am even more likely to mistype passwords, because I didn’t know if I could trust my PC.
And because I wasn’t sure whether a keystroke grabber may have been downloaded, I didn’t want to just type the new passwords into the password vault on my PC. Making this more complicated is that the phone and tablet versions of the password vault let me see what my passwords are, but they don’t let me change them or add new sites. So I had to save each password to a file, move it from my device to my PC, open the file, copy the password to the clipboard, and then paste it into the appropriate entry in the vault.
This ended up being about a two-and-a-half hour process, after which I did a deep antivirus scan with Vipre (the AV product I happen to use) and then scheduled another one with Malwarebytes.
The Fallout
I haven’t seen any malicious activity on any of my financial accounts. The antivirus and Malwarebytes scans didn’t find anything, but that only provides a small warm fuzzy, because the site could have downloaded malware that hasn’t been identified yet.
It also takes me two or three attempts to log in to my Google account and the financial sites. I always think that I remember what I chose for a particular web site, enter it, and get an authentication error. I always assume that I mistyped it the first time. If it errors out again, I have to open my password vault, find the right entry, copy the password, and paste it in. I hope I get better at remembering these in the future. Unfortunately, I don’t visit these sites on a daily basis, so it’s going to be hard.
The cost to me is hard to measure in dollars. It has cost me a total of about 15 hours so far including investigation, reporting, searching for malware on my system, and lost productivity. It has also cost me immensely in terms of peace of mind. I’m very lucky that I came to my senses as soon as I did. The actual dollar cost could have been very large indeed.
Obviously, the Botz Landing vacation rental business is smaller than small. Yet it was the target of an apparent spear phishing attack. If Botz Landing is a target, I assure you every single business in existence is a potential target. You had better make sure that you and your fellow employees are aware of these types of attacks and what to look for.
What You Can Do
There are really only two things you can reasonably do to protect yourself and your organization from these types of attacks: education, and good information security management processes and procedures.
Training
There’s no way to get around teaching everyone in the company about phishing attacks. Executive level management is especially prone to spear phishing attacks (attacks aimed at specific individuals). But all employees need to know what to look for, what to do, and what not to do should they receive a phishing email. It can be so easy for an employee to give up their userID and password to a web page they believe they’ve been pointed to by the IT help desk. There are at least a couple of companies that specialize in this kind of training. Good training will also include tools for testing during and after training. Given my experience, I think it makes sense to look into a good training program.
Process
The other thing that will protect you against phishing attacks – especially those aimed at getting userIDs and passwords – is to have a rock solid information security management process. A security management process is the only way to know whether you have protected the “right” information with the “right” controls. Phishing attacks are often aimed at the general employee because many IT departments “trust” their users. But attackers tend to use existing user profiles. If they can crack one employee’s userID they have access to everything!
If It Happened to Me…
To sum it up: mea culpa. I learned from this incident that the statement “it doesn’t matter how small you are” (something I often tell my relatively small customers) is absolute – not relative. It doesn’t matter if you have ten employees, 100, or 10,000. I know. It happened to me.