Topsec engineers have noticed a disturbing trend in a type of email that we would classify as social engineering. While we block a significant number of these, some will always leak through spam filters.
The email is sent with a forged From address, so that the displayed sender address, or at least its domain, matches the intended recipient's own address or domain.
The email claims that the sender has hacked your computer and/or mailbox, offering the fact that it appears to come from your own address as proof. It then quotes a password that the recipient will recognise, and this is what makes it worrying: surely they must be telling the truth if they have all this information? The message may go on to say that something has been installed on your machine that lets the sender watch your web browsing or take control of your webcam, that they have seen unsavoury or compromising material on your computer or caught you doing something dodgy on camera, that they have recorded it, and that they will release it onto the internet unless you pay a certain amount in Bitcoin.
So what is the actual truth behind these particular emails?
First off: your mailbox and computer have NOT been hacked. The would-be hacker is not in control of your machine or your webcam and is not looking at your browsing history.
They are not in control of your mailbox either. The sending address looks like the target's own address because the From header is only a display field: a sender can set it to any address they like, and plain SMTP does nothing to stop them. There are legitimate reasons for a From address to differ from the system that actually sent the mail (mailing lists, marketing platforms, send-on-behalf arrangements), but in the last few years the same freedom has become a handy way for spammers and malicious senders to make social engineering emails look like they come from the victim. The receiving gateway can tell the difference when the domain owner publishes SPF and DKIM records and a DMARC policy: a message forged in this way fails DMARC alignment for your own domain, and a gateway that enforces a DMARC policy of reject can drop it before it reaches the inbox.
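The check a mail gateway or SOC analyst would want at this point is: does the From address use one of our own domains, and did the message actually authenticate as ours? The Python below is an added example written for this article, not Topsec's filtering code. It assumes the receiving gateway (the hypothetical mx.example.com) stamps an Authentication-Results header (RFC 8601) on every inbound message before the check runs, and that example.com is the organisation's own domain; the three sample messages are constructed, not real captures.

```python
"""Flag 'self-spoofed' mail: the From address carries the recipient's own
domain, but the message was not authenticated as coming from that domain.

Added example, not Topsec's code. Assumes the receiving gateway (hypothetical
mx.example.com) stamps an Authentication-Results header on every inbound
message before this runs, and that example.com is our own domain.
"""
import re
from email import message_from_string, policy
from email.utils import getaddresses

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

# Constructed samples (not real captures). Note the extortion mail passes SPF
# for the spammer's own bounce domain yet fails DMARC for the forged From.
EXTORTION = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: alice.smith@example.com
To: alice.smith@example.com
Subject: alice.smith@example.com has been hacked
Content-Type: text/plain; charset="utf-8"

I hacked your mailbox. Your password is hunter2. Pay 500 USD in Bitcoin within 48 hours.
"""

INTERNAL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Bob Jones <bob.jones@example.com>
To: alice.smith@example.com
Subject: Q3 figures

Attached.
"""

EXTERNAL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.example.org; dkim=pass header.d=partner.example.org; dmarc=pass header.from=partner.example.org
From: Carol <carol@partner.example.org>
To: alice.smith@example.com
Subject: Invoice

See attached.
"""


def _domain(address: str) -> str:
    """Lower-cased domain part of an address; '' if there is no '@'."""
    return address.rpartition("@")[2].lower()


def from_domain(msg) -> str:
    """Domain of the From header, i.e. the field the extortion mail forges."""
    pairs = getaddresses([str(msg.get("From", ""))])
    return _domain(pairs[0][1]) if pairs else ""


def recipient_domains(msg) -> set:
    """Domains of all To/Cc recipients."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {_domain(addr) for _, addr in getaddresses(headers) if "@" in addr}


def auth_results(msg) -> dict:
    """{method: result} from Authentication-Results. The topmost header is the
    one our own gateway added, so the first value seen for a method wins."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(str(header)):
            results.setdefault(method.lower(), result.lower())
    return results


def auth_summary(raw: str) -> dict:
    """Parse raw message text and return its authentication results."""
    return auth_results(message_from_string(raw, policy=policy.default))


def classify(raw: str) -> str:
    """'self-spoof': From uses a recipient's domain without a DMARC pass.
    'internal': same, but DMARC passed. 'external': From is another domain."""
    msg = message_from_string(raw, policy=policy.default)
    sender = from_domain(msg)
    if not sender or sender not in recipient_domains(msg):
        return "external"
    # Only DMARC ties the result to the From domain the user sees. SPF can pass
    # for the spammer's own bounce domain and DKIM for any domain the spammer
    # controls, so neither vouches for the forged From. A missing header is
    # treated as a failure because the gateway is assumed to stamp every message.
    if auth_results(msg).get("dmarc") == "pass":
        return "internal"
    return "self-spoof"


if __name__ == "__main__":
    for name, raw in (("extortion", EXTORTION), ("internal", INTERNAL), ("external", EXTERNAL)):
        print(f"{name}: {classify(raw)}")
```

In a real deployment this would sit behind the gateway's own DMARC enforcement; its value is in catching the "self-spoof" pattern even where the organisation's DMARC policy is still at none or quarantine, and in giving the help desk a one-word answer when a worried user forwards one of these messages.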
The reason they have a password you are familiar with is that they have bought lists of leaked credentials on the dark net.
These lists come from breaches of organisations' data in recent years; a sample is listed below. If the user in question is still using one of these passwords anywhere, they should be encouraged to change it immediately.
- Snapchat
- Paddy Power
- Domino’s Pizza
Many more breached sites are listed on https://haveibeenpwned.com.
So what do we advise?
You can do a sanity check on your organisation's domain by going to https://haveibeenpwned.com and clicking on Domain search (you will first have to prove that you control the domain). It returns the addresses on your domain that appear in known breaches and which breaches each one was part of. If any of your company email addresses come back as part of a breach, have the users in question change their passwords. So, for example, if they were part of the LinkedIn breach, make sure they change their LinkedIn password and the password for anywhere else they reused the same credentials, if they have not done so already. Make it clear that they should not be using work email addresses, and definitely not work passwords, for any non-work online activity.