WELCOME TO RIVER DAVES PLACE

Gmail breach and fake addresses

Deckin Around

Well-Known Member
Joined
May 18, 2010
Messages
2,716
Reaction score
6,901
FYI- don't send electronic payments without triple checking with the payee, that should be s.o.p.
So I was told a gmail breach was announced last summer.
About 3 weeks ago I started getting emails saying that I had signed up to random pages that had nothing financial and mostly no sales related which was weird. 30+ legit pages like alumni associations at major colleges like ASU I didn't attend, Car and Driver, Butcher block, nature conservation groups, recipe sharing, biking group, etc. I'm not even sure how or if that played into the bigger scheme.
I changed my password and have been deleting/unsubscribing through gmail and not the email links themselves.
About the same time, in my hundreds of emails, my former business partner and the head of our/his company's AP and I were emailing about a payment that was due and they were sending me.
An email address exactly the same as mine but with 1 letter off was created and started emailing the AP lady as if they were me, even the same slang verbiage and abbreviations were used. The subject, my signature and the previous legit emails were copied and pasted to look like it was the same chain..... then the email asked her to please ACH transfer the funds and gave her a #.... which she did without calling me. (She'll probably lose her job over this)
The virus must be waiting for an email with key words like payment and dollar amounts and then slides in and attempts to take over the convo with a slightly different email address. The exact same thing happened to one of their electrical subs also during the same time. I heard a few years ago this was happening with people wiring money to title/escrow companies and losing all their house $.

That's a huge hit of $ for the company to lose and they already had a $40k check to a sub stolen earlier in 2024. In that case, a DBA was opened in the same name as the sub (easy to do but someone's name or fake name/ID is connected to it). A bank account was also opened and they deposited the stolen check and withdrew funds the next day when it cleared. My partner didn't know until the sub asked about the payment a week later.

I hate electronic banking and don't put any bank apps or payment stuff on my phone. Now I just want to keep my money buried somewhere.
 
Last edited:

rivermobster

Club Banned
Joined
Dec 28, 2009
Messages
60,006
Reaction score
61,078
Man, this is the OG scam that has been around forever.

They log into your email (because you don't have 2 step authentication enabled) and then just sit there and read your emails.

You don't know this. Cause they don't DO anything, but watch.

I know someone that lost half a mil to this scam. He eventually got most of it back, but he was out that money for a Long time, just waiting.

Everyone reading this Needs to have two step, with an Authentication app, enabled on all of your email accounts.

If you don't...

Someone else is most likely reading your emails right now.
 

sintax

Well-Known Member
Joined
Mar 7, 2008
Messages
7,100
Reaction score
11,902
Man, this is the OG scam that has been around forever.

They log into your email (because you don't have 2 step authentication enabled) and then just sit there and read your emails.

You don't know this. Cause they don't DO anything, but watch.

I know someone that lost half a mil to this scam. He eventually got most of it back, but he was out that money for a Long time, just waiting.

Everyone reading this Needs to have two step, with an Authentication app, enabled on all of your email accounts.

If you don't...

Someone else is most likely reading your emails right now.

yup, I used to run the email SMTP backbone for one of the US's largest escrow companies. This type of spear phishing is a daily occurrence.

As good as we were, there's always some clown out there goofing up and approving a 10+ million dollar wire. I'd say we had 2-3 incidents a year where wires in the millions went out to some black hole account
 

gqchris

Well-Known Member
Joined
Mar 24, 2008
Messages
9,002
Reaction score
14,984
So the reason they Scatter Spam you with all those signups is to hopefully distract you that you are compromised and breached and not see them sending out correspondence to your vendors. A smoke screen of sorts.

Here is the bad news, you need to assume all of your vendors and financials are compromised and notify them, especially your big ones.

Your email was compromised many days if not months ago. Not a virus, you probably did not have MFA like mentioned and they used a known password.

Who is your IT Company or Guy? You need to make sure there are not rogue rules in place etc.

I can be hired to help if needed. You should also think about your security postures in other ways as well.

And someone losing a job over this is pretty harsh. People have done this in the millions at large firms. It happens DAILY by the minute. We teach to always confirm by call of any wires and electronic funds movement.
 
Last edited:

gqchris

Well-Known Member
Joined
Mar 24, 2008
Messages
9,002
Reaction score
14,984
yup, I used to run the email SMTP backbone for one of the US's largest escrow companies. This type of spear phishing is a daily occurrence.

As good as we were, there's always some clown out there goofing up and approving a 10+ million dollar wire. I'd say we had 2-3 incidents a year where wires in the millions went out to some black hole account
Social Engineering at its finest !
 

sintax

Well-Known Member
Joined
Mar 7, 2008
Messages
7,100
Reaction score
11,902
Social Engineering at its finest !

yup, and best of all, they just would sit back and wait for the .... "the deal's ready, please forward me your wiring instructions when you can"

GOTT'EM
 

gqchris

Well-Known Member
Joined
Mar 24, 2008
Messages
9,002
Reaction score
14,984
yup, and best of all, they just would sit back and wait for the .... "the deal's ready, please forward me your wiring instructions when you can"

GOTT'EM
Title Companies get POUNDED! I feel bad for the buyers who lose everything due to fraud wires.
 

rivermobster

Club Banned
Joined
Dec 28, 2009
Messages
60,006
Reaction score
61,078
yup, and best of all, they just would sit back and wait for the .... "the deal's ready, please forward me your wiring instructions when you can"

GOTT'EM

Just waiting and watching for that one big payday...

SCORE!!!

😎
 

was thatguy

living in a cage of fear
Joined
Apr 28, 2008
Messages
53,338
Reaction score
102,291
Last year the CFO of the company I work for was at a lunch meeting finalizing a large contract with a long time client.
I don’t know the contract but with this client we can assume multiple 7 figures with an up front retainer.
While at the meeting, the client's company email account dinged up a new email from our CFO requesting the deposit and future payments be wired to XYZ address.
The potential thief had been lying dormant in our CFO’s legit email account for weeks…just waiting. He/ they knew all the details and the day of signing and the amounts.
If the 2 parties had not been sitting face to face with each other when the email was sent, it is possible the money would have been wired to the thief.

I just finished 6 weekly project PII micro lessons this morning, and our annual 2 hour online lesson on company internet security policies and procedures.
We are a drilling solutions company. Our number one threat above all other liabilities is online security.
 

samsah33

Well-Known Member
Joined
Aug 24, 2020
Messages
1,380
Reaction score
3,379
My company requires verbal confirms thru a known number (either already on file or public website) for changes to banking info or new banking info before sending any cash. We also keep vendor master files locked down with limited access for this reason.

Not long ago my AP Manager sent an email to my Treasury Manager telling him to change some vendor banking info in the system. Treasury emails AP asking if the new bank info has been confirmed. AP emails back and says yes, we got an email confirmation. Treasury emails back saying you know we need to get a verbal. AP emails back and says yes I got a verbal. Treasury stands up and shouts across the bullpen "which is it, did you call or email?" AP looks at him and says "what are you talking about...?" Bloody scammers were in AP's email and actively emailing Treasury and deleting Treasury's emails in real time...!!!

Money is like water, if there's a hole, it will flow thru... Be diligent!
 

Singleton

Well-Known Member
Joined
Feb 5, 2008
Messages
19,347
Reaction score
26,392
Sister got scammed last year.
Someone spoofed an employee at Lloyd’s of London and sent my sister payment data for a transfer. Everything looked accurate, same e-chain, same wire transfer template, etc. Difference was small typo in address.
Sister submitted the payment ($4.5M) and later that day when Lloyd’s did not confirm receipt, shit hit the fan.

FBI got involved. End of day, my sister did not have enough wire fraud insurance on her business. She had 2M in coverage, which covers almost all wires, except the wire for 1 customer.

A settlement with Lloyd’s was reached, both parties had to pay $125k of the 250k deductible so Lloyd’s insurance would cover the loss. Even though a Lloyd’s employee was spoofed, my sister still had liability, since she did not catch the issue prior to payment being issued. Now all wire instructions are confirmed via voice, text and e-mail.
 
Last edited:
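Added example, not part of any post in this thread: a sender check for the "1 letter off" address in the opening post and the "small typo in address" in the post above. It compares the From and Reply-To addresses of a message against contacts you already deal with and flags near matches; the contact list, the sample message and the small confusable-character table are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: addresses the payables team already corresponds with.
KNOWN_CONTACTS = ["ap@example-builders.test", "dana.reyes@example-builders.test"]

# Character sequences that read alike at a glance (small illustrative set).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

# Constructed message: From has two letters swapped, Reply-To swaps "l" for "1".
SAMPLE_MESSAGE = """\
From: Dana Reyes <dana.reyes@example-biulders.test>
Reply-To: dana.reyes@example-bui1ders.test
Subject: RE: payment due

Please ACH the funds to the account below.
"""


def skeleton(address):
    """Lowercase the address and fold look-alike sequences to one form."""
    s = address.strip().lower()
    for seq, plain in CONFUSABLES:
        s = s.replace(seq, plain)
    return s


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_sender(address, known, max_distance=2):
    """Return (verdict, closest_contact, distance) for one address."""
    addr = address.strip().lower()
    known_lc = sorted({k.strip().lower() for k in known})
    if addr in known_lc:
        return ("known", addr, 0)
    if not known_lc:
        return ("unknown", None, None)
    folded = skeleton(addr)
    distance, contact = min((osa_distance(folded, skeleton(k)), k) for k in known_lc)
    if distance <= max_distance:
        # Not an exact match but nearly one: treat as impersonation until a
        # phone call to a number already on file says otherwise.
        return ("lookalike", contact, distance)
    return ("unknown", None, None)


def review_message(raw, known):
    """Classify the From and Reply-To addresses of a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = {}
    for header in ("From", "Reply-To"):
        if msg[header]:
            _, addr = parseaddr(msg[header])
            findings[header] = classify_sender(addr, known)
    return findings


if __name__ == "__main__":
    for header, verdict in review_message(SAMPLE_MESSAGE, KNOWN_CONTACTS).items():
        print(header, verdict)
```

A "lookalike" verdict is a reason to stop and call, not proof of fraud; very short addresses can land within two edits of each other by chance.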

mbrown2

Well-Known Member
Joined
Sep 24, 2007
Messages
7,976
Reaction score
5,997
Most of these email hacks are coming from Adversary in the middle (AiTM) attacks. You not only need 2FA with authenticator app matching numbers or code, no voice or SMS text....but even 2FA can be hacked with AiTM 'cause normally it starts with someone falling for it and giving away their credentials and thus the adversary is able to create binds to the inbox, and they change a number of rules to cover their tracks. They also have techniques to keep the session alive. You need to have info sec look at your conditional access policies and ensure access to your company's digital assets, email, slack, teams, sharepoint, apps, are only coming from trusted devices (devices built with certain properties affiliated with your domain). You also probably want to ensure they have some sort of identity protection so you can pick up anomalous activity regarding where signins/access is occurring from. From an email security standpoint there are a number of off the shelf tools... Abnormal and Proofpoint come to mind that can help with the phishing..
 
Last edited:

was thatguy

living in a cage of fear
Joined
Apr 28, 2008
Messages
53,338
Reaction score
102,291
My company requires verbal confirms thru a known number (either already on file or public website) for changes to banking info or new banking info before sending any cash. We also keep vendor master files locked down with limited access for this reason.

Not long ago my AP Manager sent an email to my Treasury Manager telling him to change some vendor banking info in the system. Treasury emails AP asking if the new bank info has been confirmed. AP emails back and says yes, we got an email confirmation. Treasury emails back saying you know we need to get a verbal. AP emails back and says yes I got a verbal. Treasury stands up and shouts across the bullpen "which is it, did you call or email?" AP looks at him and says "what are you talking about...?" Bloody scammers were in AP's email and actively emailing Treasury and deleting Treasury's emails in real time...!!!

Money is like water, if there's a hole, it will flow thru... Be diligent!
Yep
Same thing
Real time
 

TimeBandit

Well-Known Member
Joined
Sep 18, 2019
Messages
2,513
Reaction score
5,703
this is a good password: 77jhfR)[J~%zmj

this is a bad password: LuckyDog7

What's on your gmail?

Plus 2 step and authenticator if available or used by that website.
 

rivermobster

Club Banned
Joined
Dec 28, 2009
Messages
60,006
Reaction score
61,078
this is a good password: 77jhfR)[J~%zmj

this is a bad password: LuckyDog7

What's on your gmail?

Plus 2 step and authenticator if available or used by that website.

You can use any password you want, as long as you have an authentication app in place.

But yeah...

All mine are computer generated, and someone Still managed to figure one of em out!

How do I know?

I got the Deny or Approve message on my authentication app. Someone in Indiana or some shit like that.

I hear you knocking, but you can't come in! 😁
 

gqchris

Well-Known Member
Joined
Mar 24, 2008
Messages
9,002
Reaction score
14,984
Most of these email hacks are coming from Adversary in the middle (AiTM) attacks. You not only need 2FA with authenticator app matching numbers or code, no voice or SMS text....but even 2FA can be hacked with AiTM 'cause normally it starts with someone falling for it and giving away their credentials and thus the adversary is able to create binds to the inbox, and they change a number of rules to cover their tracks. They also have techniques to keep the session alive. You need to have info sec look at your conditional access policies and ensure access to your company's digital assets, email, slack, teams, sharepoint, apps, are only coming from trusted devices (devices built with certain properties affiliated with your domain). You also probably want to ensure they have some sort of identity protection so you can pick up anomalous activity regarding where signins/access is occurring from. From an email security standpoint there are a number of off the shelf tools... Abnormal and Proofpoint come to mind that can help with the phishing..
Piggybacking on this, I noticed that applying a CAP for all countries except USA really stops a ton of failed attempts. I know some pros will use VPN, but it stops a lot of the opportunists.
 

rivermobster

Club Banned
Joined
Dec 28, 2009
Messages
60,006
Reaction score
61,078
Piggybacking on this, I noticed that applying a CAP for all countries except USA really stops a ton of failed attempts. I know some pros will use VPN, but it stops a lot of the opportunists.

I've blocked user agents with solid success.
 

caribbean20

Well-Known Member
Joined
Mar 4, 2011
Messages
1,723
Reaction score
3,848
So without reading all the detail here, what if you just change your password from time to time? If someone were just “sitting there reading my emails,” wouldn’t this prevent them from signing on after the password change?
 

HTTP404

New But Seasoned Inmate #2002
Joined
Jun 20, 2008
Messages
3,918
Reaction score
7,559
The threat actors love to use LinkedIn for reconnaissance. They can easily gather the ID's of the entire c-suite and figure out their emails and even cell numbers. And if any of those c-suite idiots are talking up business relationships online it makes it even easier for the bad guys.
 

HTTP404

New But Seasoned Inmate #2002
Joined
Jun 20, 2008
Messages
3,918
Reaction score
7,559
Piggybacking on this, I noticed that applying a CAP for all countries except USA really stops a ton of failed attempts. I know some pros will use VPN, but it stops a lot of the opportunists.

Exactly, I don't need china looking at my shit. I don't do business with them.
 

OCMerrill

All in...
Joined
Sep 24, 2007
Messages
27,324
Reaction score
11,244
This is not related directly but my 83 year old mother was scammed out of $16k about 3 weeks ago.

They knew her info (because they have been reading her Yahoo Email for God knows how long), posed as Wells Fargo, told her there was fraud, and she bought into all their instructions. She wired the money. It's truly sad because she really has no money. I can't blame Wells Fargo either and all the reports were taken but it happens all the time. Her Homeowners Insurance is just condo coverage and there is nothing there for her.

I could go into this more because she was on the phone with them for 3+ hrs and all the bullshit they told her to do.

The really shitty part is apparently she doesn't trust me enough to even ask me. I was home and would have stopped the whole thing. But now I am funding the mess until she can manage to save something to live off of.
 
Last edited:

HTTP404

New But Seasoned Inmate #2002
Joined
Jun 20, 2008
Messages
3,918
Reaction score
7,559
So without reading all the detail here, what if you just change your password from time to time? If someone were just “sitting there reading my emails,” wouldn’t this prevent them from signing on after the password change?

It can help but you absolutely need multi factor authentication (MFA) for everything. I don't know of many online services that don't support MFA.
 

HTTP404

New But Seasoned Inmate #2002
Joined
Jun 20, 2008
Messages
3,918
Reaction score
7,559
This is not related directly but my 83 year old mother was scammed out of $16k about 3 weeks ago.

They knew her info (because they have been reading her Yahoo Email for God knows how long), posed as Wells Fargo, told her there was fraud, and she bought into all their instructions. She wired the money. It's truly sad because she really has no money. I can't blame Wells Fargo either and all the reports were taken but it happens all the time. Her Homeowners Insurance is just condo coverage and there is nothing there for her.

I could go into this more because she was on the phone with them for 3+ hrs and all the bullshit they told her to do.

The really shitty part is apparently she doesn't trust me enough to even ask me. I was home and would have stopped the whole thing. But now I am funding the mess until she can manage to save something to live off of.

Our elders need to be convinced to never engage in large financial transactions without letting family know what is going on. Thankfully my folks reach out on anything suspicious.
 

caribbean20

Well-Known Member
Joined
Mar 4, 2011
Messages
1,723
Reaction score
3,848
It can help but you absolutely need multi factor authentication (MFA) for everything. I don't know of many online services that don't support MFA.
Got it, and thanks for the reply. Furthermore, at least for my Apple stuff, every time I sign on with a new device, I get multiple alerts on all other Apple stuff, literally alarm bells going off, iPhone, Mac, watch, you name it. If a bad guy were signing on to my account, wouldn’t I get an alert on my other devices?
 

OCMerrill

All in...
Joined
Sep 24, 2007
Messages
27,324
Reaction score
11,244
Our elders need to be convinced to never engage in large financial transactions without letting family know what is going on. Thankfully my folks reach out on anything suspicious.

She has quite the attitude at times. She is the finish your sentence type. I told her she must call me and she said she will handle it. German woman. I'm adopted and am 75+% Irish so relating to her attitude I simply don't.
 

was thatguy

living in a cage of fear
Joined
Apr 28, 2008
Messages
53,338
Reaction score
102,291
So without reading all the detail here, what if you just change your password from time to time? If someone were just “sitting there reading my emails,” wouldn’t this prevent them from signing on after the password change?
It kind of depends on how they breached it in the first place. But generally yeah, change them regularly and use a manager and generated passwords.

What really sucks is when the hacker changes it for you and locks you out.
 

napanutt

Connoisseur
Joined
Dec 19, 2007
Messages
11,439
Reaction score
15,958
I’ve told this story before. When we bought our house here in NH we were still in CA but flying out to NH to close. We were all set for a wire transfer but both our realtor and escrow in NH said a cashiers check was probably the safest. So I carried a 400,000+ check in my wallet across the country.
A bit intimidating but it worked out.
 

C-2

Well-Known Member
Joined
Sep 26, 2007
Messages
12,694
Reaction score
8,490
This is not related directly but my 83 year old mother was scammed out of $16k about 3 weeks ago.

They knew her info (because they have been reading her Yahoo Email for God knows how long), posed as Wells Fargo, told her there was fraud, and she bought into all their instructions. She wired the money. It's truly sad because she really has no money. I can't blame Wells Fargo either and all the reports were taken but it happens all the time. Her Homeowners Insurance is just condo coverage and there is nothing there for her.

I could go into this more because she was on the phone with them for 3+ hrs and all the bullshit they told her to do.

The really shitty part is apparently she doesn't trust me enough to even ask me. I was home and would have stopped the whole thing. But now I am funding the mess until she can manage to save something to live off of.
That's my exact fear..."I didn't want to bug you."

I lost sleep last night because we changed my 87-year old MIL's online banking password to something I'm not comfortable with.

Today I'm thinking to myself...wait a minute. Why does she even need online banking? She doesn't use it and she doesn't understand it.

When I see her again in a few days I will tell her to get rid of it. It was set up by other family members, and I know the bank encourages it because of the "it helps reduce paperwork" narrative.

Nope, start sending paper statements again is what we will tell them.
 

OCMerrill

All in...
Joined
Sep 24, 2007
Messages
27,324
Reaction score
11,244
That's my exact fear..."I didn't want to bug you."

I lost sleep last night because we changed my 87-year old MIL's online banking password to something I'm not comfortable with.

Today I'm thinking to myself...wait a minute. Why does she even need online banking? She doesn't use it and she doesn't understand it.

When I see her again in a few days I will tell her to get rid of it. It was set up by other family members, and I know the bank encourages it because of the "it helps reduce paperwork" narrative.

Nope, start sending paper statements again is what we will tell them.
I installed a locking mailbox for her a couple years ago. Every time I stop by I check...unlocked.

It's super challenging to train someone who just won't listen.

I called her just after I wrote the initial post. She is on the phone with the Social Security Administration, on hold while they verify her accounts.
On a Friday night I said...then, I'm not stupid...ok mom. Oh my I am so challenged with her.
 

C-2

Well-Known Member
Joined
Sep 26, 2007
Messages
12,694
Reaction score
8,490
I installed a locking mailbox for her a couple years ago. Every time I stop by I check...unlocked.

It's super challenging to train someone who just won't listen.

I called her just after I wrote the initial post. She is on the phone with the Social Security Administration, on hold while they verify her accounts.
On a Friday night I said...then, I'm not stupid...ok mom. Oh my I am so challenged with her.
Today we were joking about mailing letters from inside the post office.

Why?

So a postal employee like that supervisor at the Adams branch in CM can intercept them?

We're all fawked, we really are. 😁 😂
 

OCMerrill

All in...
Joined
Sep 24, 2007
Messages
27,324
Reaction score
11,244
Today we were joking about mailing letters from inside the post office.

Why?

So a postal employee like that supervisor at the Adams branch in CM can intercept them?

We're all fawked, we really are. 😁 😂
That Costa Mexico PO is nuts. I agree completely.
 

angiebaby

Mountain Mama
Joined
Sep 24, 2007
Messages
4,898
Reaction score
6,992
Man, this is the OG scam that has been around forever.

They log into your email (because you don't have 2 step authentication enabled) and then just sit there and read your emails.

You don't know this. Cause they don't DO anything, but watch.

I know someone that lost half a mil to this scam. He eventually got most of it back, but he was out that money for a Long time, just waiting.

Everyone reading this Needs to have two step, with a Authentication app, enabled on all of your email accounts.

If you don't...

Someone else is most likely reading your emails right now.
So if you do that, do you have to run the authenticator app every time you want to check your email?
 

gqchris

Well-Known Member
Joined
Mar 24, 2008
Messages
9,002
Reaction score
14,984
So if you do that, do you have to run the authenticator app every time you want to check your email?
No. There is something called Tokens which once you are authenticated, they time out usually in 60 days or so.

Google also has their own recipes on when to ask you to login and they recognize your own devices and really don't bug much.

There are some sites that require MFA all the time. Quickbooks is one of them and also some security tools etc.
 

Deckin Around

Well-Known Member
Joined
May 18, 2010
Messages
2,716
Reaction score
6,901
Piggybacking on this, I noticed that applying a CAP for all countries except USA really stops a ton of failed attempts. I know some pros will use VPN, but it stops a lot of the opportunists.
I've blocked user agents with solid success.
please elaborate, I googled CAP for email accounts and got nothing. Is this something I can do with gmail? I searched the security options and no results.
Thanks
 

rivermobster

Club Banned
Joined
Dec 28, 2009
Messages
60,006
Reaction score
61,078
please elaborate, I googled CAP for email accounts and got nothing. Is this something I can do with gmail? I searched the security options and no results.
Thanks

Not really. What I was referring to is a server level function. Since I run my own server for all of my website clients, I can block any country from my entire server, or just an individual client account.

Free services (Gmail, Yahoo, etc...) are not able to do that for you.
 

gqchris

Well-Known Member
Joined
Mar 24, 2008
Messages
9,002
Reaction score
14,984
please elaborate, I googled CAP for email accounts and got nothing. Is this something I can do with gmail? I searched the security options and no results.
Thanks
Sorry that was IT talk to the other IT guys that replied. CAP = Conditional Access Policy. I don't support Google tenants, so I don't have an answer on how it applies to Google. I do suggest migrating to Microsoft though as they are the gold standard for business email especially if you plan to get larger. Or already large?

I highly recommend thinking about getting expert help if you are a business. Things to think about also now that this has come up is backups, disaster plans, endpoint detection response, etc

Not trying to be a hard ass, but this is the world we live in and it sucks!

Bare minimum, change your password, check your recovery options in your Google Profile, activate MFA or passkey, look for mail rules in your google settings, change any other accounts that used your gmail password. Reach out to vendors, let them know to watch out for any potential further compromised emails.
 

C-2

Well-Known Member
Joined
Sep 26, 2007
Messages
12,694
Reaction score
8,490
It was also mentioned you can check Gmail activity settings to make sure nobody else is sitting in on your email session.

Ask the Internet what your IP address is, then compare it to the IP addresses that Gmail logs; make sure they are the same. Understand when you are using your phone, your IP address may change frequently. But Google also "fingerprints" your browser, including your phone browser, and they will flag any "new" or unfamiliar devices that are logged into your email.

You just need to pay attention to those warnings, because that's what they are telling you - a new or unrecognized device is logging into your email.

Lower right corner of Gmail on the desktop;



then click details

 

C-2

Well-Known Member
Joined
Sep 26, 2007
Messages
12,694
Reaction score
8,490
Do we need more classes before we chat about Canary Tokens? It seems they have a robust offering of services compared to the bare-bones webpage of the past :)
 

rivermobster

Club Banned
Joined
Dec 28, 2009
Messages
60,006
Reaction score
61,078
Gmail has a lot of built in security features.

But they are useless if you don't set them up!

Yes, it's a learning curve, but the alternative is a learning curve you really don't want to be involved in.
 

rivermobster

Club Banned
Joined
Dec 28, 2009
Messages
60,006
Reaction score
61,078
Do we need more classes before we chat about Canary Tokens? It seems they have a robust offering of services compared to the bare-bones webpage of the past :)

I'm interested. What's this?


🤷‍♂️
 

lbhsbz

Putting on the brakes
Joined
Jan 11, 2010
Messages
13,376
Reaction score
34,677
Today we were joking about mailing letters from inside the post office.

Why?

So a postal employee like that supervisor at the Adams branch in CM can intercept them?

We're all fawked, we really are. 😁 😂
I visit the post office daily to make an evening dropoff of packages to go out, usually in a large tote over my shoulder. I walk right past the line through the little gate that says "authorized personnel only" and stack them straight in big cart behind the counter. If the cart is full, the workers at the counter instruct me to head in back and find an empty cart to dump my packages in....no security, no nothing. Absolutely nothing to prevent me from grabbing a handful of someone else's mail while I'm back there and walking out with it. It's absurd really, but this is the way I've been instructed by the employees to do things.
 

C-2

Well-Known Member
Joined
Sep 26, 2007
Messages
12,694
Reaction score
8,490
I'm interested. What's this?


🤷‍♂️
It used to be a simple concept. If an attacker compromised your computer, the first thing they did was look for your passwords file – the one you saved and named “passwords.”

A Canary Token was a small piece of code buried within a file that would alert the owner of the token when the file was opened by an attacker.

It would identify their IP address and put a cryptographic hash (a “digital fingerprint”) on their browser/equipment, and it would track where the document was forwarded to, how many times the file was opened, from where it was opened, and for how long etc.

The idea was for you to create a fake “password” file on your computer and insert a Canary Token onto the file. You would name it… “password file” so the attacker would find it on his search of your computer.

So when you received an alert from a token – you knew you were compromised. And you had the attacker’s details.

But now it looks like they offer a bunch of different interesting services.
 

C-2

Well-Known Member
Joined
Sep 26, 2007
Messages
12,694
Reaction score
8,490
Mobster - now that you're retired you should see if the local community college offers the Cisco Networking Academy and Cisco Security. You learn a lot.

And you can also be the old guy on the cybersecurity team in mock collegiate network security competitions. 😁 😂
 

rivermobster

Club Banned
Joined
Dec 28, 2009
Messages
60,006
Reaction score
61,078
Mobster - now that you're retired you should see if the local community college offers the Cisco Networking Academy and Cisco Security. You learn a lot.

And you can also be the old guy on the cybersecurity team in mock collegiate network security competitions. 😁 😂

If I had the time...

I'd take a PHP coding class. The problem is, I smoked So much weed in my younger days, I'd forget it all in 5 min! 😁
 

mbrown2

Well-Known Member
Joined
Sep 24, 2007
Messages
7,976
Reaction score
5,997
This is not related directly but my 83 year old mother was scammed out of $16k about 3 weeks ago.

They knew her info (because they have been reading her Yahoo Email for God knows how long), posed as Wells Fargo, told her there was fraud, and she bought into all their instructions. She wired the money. It's truly sad because she really has no money. I can't blame Wells Fargo either and all the reports were taken but it happens all the time. Her Homeowners Insurance is just condo coverage and there is nothing there for her.

I could go into this more because she was on the phone with them for 3+ hrs and all the bullshit they told her to do.

The really shitty part is apparently she doesn't trust me enough to even ask me. I was home and would have stopped the whole thing. But now I am funding the mess until she can manage to save something to live off of.
That is terrible...just awful...I work in the cyber field and see tons of these attacks. It is still a high percentage of companies, but threat actors know defenses are low for individuals, so they are targeting high net-worth or elderly as they are easy targets. Unfortunately, all the personal data is on the dark web due to the big hacks as well as former passwords or hashes to passwords; so it's easy for them to recon targets. With AI and the voice and video matching it's gonna get worse...was talking to another CISO recently and he did a quick five-minute recording of himself using some easily available AI based deep fake software...played a 30 sec simulated clip from the 5 min recording and his two teen sons could not spot the fake. These technologies are only going to get better. Lots of regulation in development for AI, but the bad guys won't be playing by the rules.
 
Last edited:

Smupser

Well-Known Member
Joined
Jul 8, 2021
Messages
527
Reaction score
979
I just got bombarded with hundreds of junk emails in the last hour. I hope I’m not screwed
 