How to lose most of your digital life, while you sleep...

hacker-email-sms.png

While we all hear doom and gloom stories about cybersecurity risks on a pretty frequent basis, it's helpful to get a glimpse into what it is like to experience a serious cyber attack from a determined hacker.

Attackers have many different reasons to target people. In the case of Sean Coonce, an engineer in San Francisco, he was targeted for his crypto currency. Sadly, as a result of this devastating attack, he lost $100,000 in Coinbase while he was sleeping. Fortunately, for the rest of us, Sean took the time to write in detail about how it happened. So, I wanted to highlight his story, so you can understand what the experience is like. It happened over a period of a day or two, without him doing anything, other than seeing a few strange messages on his mobile phone.

Your email account, and your mobile phone are often the biggest targets     

As you will learn if you read Sean's story, the attacker found a way to have his mobile phone's identity transferred to a device they controlled. It's not clear from the article, but this might be done by "social engineering" or tricking a mobile carrier's customer support rep into thinking you want to transfer your account to a new device.

The reason they would do this is to intercept the SMS messages that come during the next step of the attack, when they try to reset your email password. As you have probably seen, many websites now use SMS text messages as a "second factor" of authentication, or as a "backup" method of confirming your identity when you "forget" your password. This is what happened to Sean.

So, once the attacker is able to reset your email password, they have access to the email account that most of your other web-based accounts are linked to. So, whenever a password reset request is done at any of your other accounts, the confirmation email will be sent to your email account and will be accessible by the attacker. This is how the attacker gained access to Sean's Coinbase account, and transferred out $100,000 in crypto cash.

Think of all the other ways this attack might be attempted, and might work on you   

You may not have any crypto-currency, as Sean did, but chances are great that much of what is of value to you in your digital life is tied to your primary email account and your mobile phone, much in the same way that Sean's was. It could be anything, including iCloud photos, online bank accounts, stock trading accounts, online dating profiles, or maybe even your password manager.  

Sean points out in his article, what clues he had that something wasn't right, and what he might have been able to do to stop the attack if he had been more vigilant when he saw those first clues.

Security Tips

1 - Individuals: Think about what valuable online accounts you access that are tied to your primary email account? It might be a good idea to use a different email account as your login or recovery email for important online accounts.  

You should also make sure you have turned on any available "two step" or "two factor" login authentication, to make it harder for an attacker to access accounts with just a stolen password. Sean had this feature enabled, but the SMS messaging used by his email provider was not as strong as using an "authenticator" app like Google Authenticator. Authenticator apps also provide second factor of authentication, but they don't rely on your mobile phone number, and are not as easy for attackers to break into. 

2 - Managers: As more organizations provide mobile phones to employees for business purposes, this same kind of attack could happen to an enterprise, as well. While I'm not aware of any at the moment, it is probably a good idea to ensure that all business accounts that rely on email for password resets have proper security measures in place to mitigate this kind of risk.  

At Click Armor, we believe that using real life stories, learning games and immersive exercise scenarios are the best way to teach cybersecurity awareness, and to change bahavior. If you have any stories to share about security risks you've encountered, or if you'd like to discuss how Click Armor can improve your resistance to attacks that target individuals or employees, please contact us.