Recovering from a Phish

Thursday, August 05, 2010

Guy Pace


Phishing happens when you get an email that looks like it is from a bank, PayPal, your email provider, your college or school, your business, or the system administrators supporting your organization.

It is successful when you “bite” by clicking on a link in the email or replying to the email with requested information. The phishers then reel in your credentials, personal information or financial account data and use it for criminal purposes.

If you respond to a phish, you usually give up your email account and password, your network login and password at work, bank account and PIN or credit/debit card and PIN, or your PayPal credentials. The criminals that harvest this information apply it almost immediately.

Your email account is used to spew more spam or similar phishing email; your network credentials are leveraged to gain access to your company’s network and data; your financial account information is used to steal your money and commit fraud.

OK, so you got help as soon as you realized what happened. Your friend or system admin helped you get your password changed and the bank helped you stop the bleeding from your checking and savings accounts.

You are embarrassed and the bank account is a little lighter. Your friends think you are a professional spammer. The damage is done, but you have your accounts and access back under control and it is all over, right?

Maybe.

Remember, someone just had full control of your accounts or credentials. What changes could that person have made to your email, your network account, or your financial accounts that would let them keep their access or regain it later?

In recent incidents in my work life, we found that changes were made to email accounts to include Outlook Web Access rules that sent all “Sent” email to the Deleted folder, as well as all incoming email.

Signature blocks were changed or replaced with spam links or malware links. Basically, anything that a normal user can change or modify in Outlook or a web mail account was or could have been changed by the person in control of the account.

With financial accounts, the person in control could modify the contact information in the online bill-pay profile, and reset other notification settings. They could even set up automatic payments.

If a network access account was compromised, the person in control may have dropped spyware or a keylogger on your desktop workstation. This is possible even on a home system.

Depending on your level of access with network credentials, they may even have created additional accounts on your system. If you normally use a local administrator account (which is a very bad thing to do and you should never give up those credentials to a stranger), these things are trivial to do.

Aftermath

In the aftermath, you should carefully walk through your email account, web mail access, and Outlook, and verify that the settings are as you remember. Look at everything: signatures, rules, stationery--all settings. Ask a knowledgeable friend to help you look it over if you feel a bit intimidated.
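As an added example (not code from the original post), here is a small Python audit of the kind of settings review described above. It runs over a constructed export of mailbox rules and a signature block that mimic the changes seen in the incidents: rules that route all incoming or all sent mail to Deleted Items, rules that forward mail outside the organization, and signature links pointing at outside hosts. The rule field names and the example domain are assumptions, not any particular mail system's export format.

```python
"""Flag mailbox rules and signature links that a hijacker typically leaves behind."""
import re
from typing import Dict, List

# Folders into which a catch-all rule should never silently route mail.
HIDING_FOLDERS = {"deleted items", "junk email"}
# Rule conditions that match effectively every message (assumed wording).
CATCH_ALL = {"all messages", "messages i send"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample export: one legitimate rule, three attacker-style rules.
SAMPLE_RULES: List[Dict[str, str]] = [
    {"name": "Clear sent", "condition": "messages I send", "action": "move", "target": "Deleted Items"},
    {"name": "Hide inbox", "condition": "all messages", "action": "delete", "target": ""},
    {"name": "Newsletters", "condition": "from:news@example.org", "action": "move", "target": "Newsletters"},
    {"name": "Copy out", "condition": "all messages", "action": "forward", "target": "mule@mailer.invalid"},
]
# Constructed signature: one internal link, one injected spam link.
SAMPLE_SIGNATURE = "Guy\nhttp://www.example.edu/staff\nCheap meds: http://pills.invalid/buy"


def audit_rules(rules: List[Dict[str, str]], own_domain: str) -> List[str]:
    """Return one finding per rule that hides bulk mail or sends it off-domain."""
    findings = []
    for r in rules:
        name = r.get("name", "<unnamed>")
        cond = r.get("condition", "all messages").lower()   # missing condition = applies to all
        action = r.get("action", "").lower()
        target = r.get("target", "").lower()
        # A catch-all rule that deletes, or moves into a hiding folder, buries evidence.
        if cond in CATCH_ALL and (action == "delete" or (action == "move" and target in HIDING_FOLDERS)):
            findings.append(f"rule '{name}': hides {cond} ({action} -> {target or 'n/a'})")
        # Any forward/redirect to an address outside our domain leaks mail to the attacker.
        if action in ("forward", "redirect") and not target.endswith("@" + own_domain):
            findings.append(f"rule '{name}': sends mail outside {own_domain} to {target}")
    return findings


def audit_signature(signature: str, own_domain: str) -> List[str]:
    """Return one finding per link in the signature whose host is not ours."""
    findings = []
    for url in URL_RE.findall(signature):
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()
        if host != own_domain and not host.endswith("." + own_domain):
            findings.append(f"signature links to external host {host}")
    return findings


if __name__ == "__main__":
    for line in audit_rules(SAMPLE_RULES, "example.edu") + audit_signature(SAMPLE_SIGNATURE, "example.edu"):
        print(line)
```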

For financial accounts, you can visit your local bank branch and get help in going over your account settings, contact information and bill-payer setup.

For your work computer, have the system administrator or desktop support tech go over it with the tools they normally use for malware detection and checking for rootkits. Use similar trusted tools on your home computer. If you are not familiar with scanning and detection tools, get help in checking and cleaning up your computer.

Remediation

Prevention is relatively simple. Don’t click on links in email. Period. Banks and your organization do not send email asking for your account information. They just don’t. Neither does PayPal, eBay, Twitter or other services. If you see email asking you to click on a link, delete it.

Just delete it.

Cross-posted from Rapier57
