Mount Royal employees are receiving emails from a vendor that are actually replies to a legitimate message. As the message is a reply and it is from someone we do business with, employees have been tricked into opening the attachment more than once putting our network at risk.
How the heck did they manage to reply to a message that the vendor had sent ages ago? Simple, the vendors email account was hacked. Once the hackers had access to the email account all they had to do was scroll through the emails in the sent folder until they found one that mentions an invoice and reply to it. Of course they attached an edited invoice containing a nice little keylogger trojan onto it first.
Those that opened the attachment found a blank document and then contacted the Service Desk to see why. The Service Desk calmly explained all their keystrokes were being recorded by malware they had unintentionally installed and then sent support staff to re-image (wipe clean and re-install) their machines.
Unfortunately this is not the first time that Mount Royal University has been targeted by this type of attack. Late last year another vendor had their email account compromised and multiple Mount Royal staff members received replies to an old meeting invite containing a document that “required their input”. That document contained malware as well and once again we were re-imaging machines.
How do you know when an email from a vendor contains a malicious link or attachment? Truthfully, you don’t. The only red flag on either of these emails was the date of the original message. The email thread was months old and was used in the attack because it contained a subject that would allow an attachment to be added to it without looking odd. However, a recent message could also have been used if it had contained the right content.
So how do you protect yourself from such attacks? You call the vendor when you receive an email with a link or attachment and confirm that they sent the email. You do not reply to the email as if their email account has been compromised, you will be conversing with the hacker. Do not use the contact information found in the email to contact the vendor either. The hacker may have changed the email signature. Use a contact number that you find in a Google search or that you have used before.
Yes, horrors, you have to actually pick up the phone and talk to a person. However, it will practically eliminate the risk of having your machine wiped clean and the operating system re-installed. Not a fun way to spend the morning.