Received a call from a bookkeeper of a small Auburn business. A client of theirs called stating they had already paid their bill but were still receiving invoices. The bookkeeper had not seen the payment, nor any emails from the client since the bill went out several weeks earlier. The client then emailed the owners of the business and cc’ed the bookkeeper. The owners received the email but the bookkeeper did not.
I had a remote session with the bookkeeper and logged her into her Microsoft 365 Online account. Together we reviewed her Outlook Rules and discovered a rule sending all her correspondence with the client to the RSS Subscriptions folder and marking them as read.
This is the most common way threat actors steal money:
- They send you an email that looks legitimate.
- You click on a link that opens a familiar-looking site where you enter your email credentials.
- The threat actor captures the credentials and uses them to log into your email online. They search through your emails looking for a good target. In this case, a client who pays via wire transfer.
- The threat actor creates rules sending correspondence between you and the client to an email folder you never look at, such as RSS Subscriptions (check Outlook: the folder is there, but chances are you've never looked at it).
- The threat actor corresponds with your client as you. They send the client a different bank account for the payment/wire transfer.
It all looks very legitimate to the client. In this case, the client paid over $20,000 to the threat actor. The client also refused to do business with the local company, costing the company over $40,000.
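Added example, not part of the original post: an Exchange Online PowerShell sweep that flags the kind of rule found in this case (mail moved to RSS Subscriptions and marked as read) across every mailbox in a tenant, plus the related patterns of deleting mail or forwarding it outside the company. It assumes the ExchangeOnlineManagement module is installed and the operator has Exchange admin rights; the list of "hiding" folders is my own choice.

```powershell
# Added example (not from the original post): hunt for inbox rules that hide or divert mail.
# Assumes the ExchangeOnlineManagement module is installed and an Exchange admin is signed in.
Connect-ExchangeOnline -ShowBanner:$false

# Folders that work as hiding places because nobody opens them (my own list, extend as needed).
$hideFolders = 'RSS Subscriptions', 'RSS Feeds', 'Junk Email', 'Deleted Items', 'Archive', 'Conversation History'

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $domain = $mbx.UserPrincipalName.Split('@')[1]

    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()

        # 1. Moves mail into a folder the user never looks at (the pattern in this incident).
        #    MoveToFolder is a string such as "Jane Doe:\RSS Subscriptions".
        if ($rule.MoveToFolder -and ($hideFolders | Where-Object { $rule.MoveToFolder -like "*\$_" })) {
            $reasons += "moves to '$($rule.MoveToFolder)'"
        }

        # 2. Hides the message from the user outright.
        if ($rule.MarkAsRead)    { $reasons += 'marks as read' }
        if ($rule.DeleteMessage) { $reasons += 'deletes message' }

        # 3. Sends copies outside the tenant (the other common business-email-compromise pattern).
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if ("$t" -notlike "*@$domain*") { $reasons += "forwards/redirects to '$t'" }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                # What the rule keys on: a sender and/or subject words (here it was one client).
                Trigger = (@($rule.From) + @($rule.SubjectContainsWords) | Where-Object { $_ }) -join '; '
                Why     = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Review every hit with the mailbox owner before removing anything; a rule that moves a newsletter to Junk is legitimate, a rule that moves a paying client's mail to RSS Subscriptions and marks it read is not.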
What I did:
Immediately
- Had the bookkeeper change her password.
- Logged the bookkeeper’s profile out of all sessions using the M365 Admin Portal.
- Scanned her PC for viruses.
- Had the bookkeeper review the list of users, confirming all were legit and not added by a threat actor for persistence.
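Added example, not part of the original post: the containment steps above (password change, signing the account out everywhere, and neutralising the attacker's rules) scripted for one mailbox. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator holds the Exchange and user-administrator roles, and that the Graph scopes listed are the ones your tenant grants for password reset and session revocation; `bookkeeper@example.com` is a placeholder.

```powershell
# Added example (not from the original post): contain a single compromised mailbox.
# Assumes ExchangeOnlineManagement and Microsoft.Graph modules; $User is a placeholder.
param([string]$User = 'bookkeeper@example.com')

Connect-ExchangeOnline -ShowBanner:$false
# Scopes assumed sufficient for password reset and session revocation; verify in your tenant.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'

# 1. Disable (do not delete) every inbox rule, so the evidence survives for the investigation.
foreach ($rule in Get-InboxRule -Mailbox $User) {
    if ($rule.Enabled) {
        Disable-InboxRule -Mailbox $User -Identity $rule.Identity -Confirm:$false
        Write-Host "Disabled rule '$($rule.Name)' (moves to: $($rule.MoveToFolder))"
    }
}

# 2. Set a temporary random password and force the user to change it at next sign-in.
$temp = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $User -PasswordProfile @{ Password = $temp; ForceChangePasswordNextSignIn = $true }

# 3. Invalidate refresh tokens so every existing session, including the attacker's, is logged out.
Revoke-MgUserSignInSession -UserId $User

# 4. Look for persistence the rules sweep would miss: delegates and mailbox-level forwarding.
Get-MailboxPermission -Identity $User |
    Where-Object { $_.User -notlike 'NT AUTHORITY\*' -and -not $_.IsInherited }
Get-Mailbox -Identity $User |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
```

Hand the temporary password to the user out of band (phone or in person), never by email to the account that was just compromised.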
For the Company to Improve Security
Removed Admin Privileges from Standard Users
- Noted this user and several others were M365 Admins. This is a big security no-no. Threat actors can create users, change passwords, and view the emails of other users through an admin account. I created a separate admin account with a strong passphrase and changed all users to standard accounts (with the business’s permission of course).
- Noted users’ domain logins were Admin. Users should never be logged in as admin. If they click a link or otherwise get their PC infected, the malware can spread faster and easier via an Admin account. I changed everyone to a standard account and gave select users a separate admin account that is for UAC (User Account Control) use only. This allows the admin users the chance to review what is being installed on a PC to confirm it is legitimate before entering credentials to install.
MFA (Multi-Factor Authentication)
- Enforced MFA on all email accounts and walked each user through setting it up and using it. This took 15-45 minutes per user depending on their comfort level with MFA.
- Worked with users to enforce MFA on all web-based accounts, such as QuickBooks Online, Dropbox, Google, and their banks. MFA reduces the security risk of a company by over 90%.
Password Security
- Discovered users had 4-character passwords (while on the phone with a user I heard her click four keys to log in and got light-headed). Changed their domain password policy to require 14+ character passphrases that use at least:
  - One upper case letter
  - One lower case letter
  - One special character
  - One number
- Worked with each user to understand, create, and implement passphrases (a phrase that is easy for you to remember but difficult for others to guess, that has numbers and special characters built in for complexity): such as ch0colate C@ke. This way users never have to write down their passwords.
- For some users, the passphrases were still difficult. I implemented Windows Hello for these users, creating simple pins that can only be used locally, and installing fingerprint readers.
- Worked with users to make sure they used different passwords for all sites.
Backups
- Discovered their server backups were not working. The USB hard drive had been dead for months. Set up Windows Server Backups onto a new USB external storage device.
- Wrote an easy-to-follow document for their cloud backups. Had their main architect follow the document and confirm he could restore a file to his laptop while off-premises.
- Tested the backups by placing a test doc on the server, waiting for the backups to occur, then restoring the test doc from both the local backup and the cloud backup.
Updates
- Noted their server had not received Windows Updates in over two years. Ran a backup, confirmed the backup was successful by testing, then updated the server.
- Noted some PCs were still on Windows 7. Worked with the company to replace these PCs, including configuring and installing software.
Firewall and VPN Security
- Worked with an admin user to review and remove users who did not need VPN access.
- Worked with users to make their VPN passwords complex and different from their domain and email passwords.
- Confirmed the firewall’s admin credentials were changed from default, with the credentials stored in a secure location.
- Reviewed the firewall, turning off unneeded features and reducing the company’s exposure.
Security training
- Had several short training sessions with users to help them learn to spot malicious emails.
- Used Microsoft’s built-in tools to send spoof malicious emails, testing and training the users.
If you own a business in and around Auburn, California, and would like to have any or all the above security enhancements set up, please call or email me:
Shelle Parsons
530.368.0073
Such A Nerd IT