A friend of mine was recently a victim of a phishing scam which was quite elaborate. The story begins where most of them do – with one of those emails that your IT department constantly reminds you not to open. She clicked on the attachment therein – a miscalculated action that kicked off a series of events that left her over $1,000 poorer. The attachment was an excel file that obviously had a script to do either one of these things: a) download an executable file on the PC and commandeer the machine, or b) Retrieve cookies from the browser’s history and send the files to a server in Estonia. Whatever the method used, the hacker was able to log in my friend’s Amazon account and more importantly her gmail account, the holy grail of all accesses.
Here is where it gets interesting – it took all of my inner Columbo to figure it out. First, the hacker accessed the gmail account and set a filter to delete all emails coming from Amazon. Second, the hacker accessed Amazon and retrieved my friend’s full name and shipping address. They then signed up for UPS My Choice using my friend’s name, address and email. Remember they already have access to the email. If you don’t know, UPS My Choice allows you to track all packages shipped to you; enables you to schedule a delivery time and, you guessed it, route your shipments somewhere else if you are away from home.
At this point the stage was set for our hacker to execute the final phase of their devious plan. They logged back into Amazon, ordered a laptop and chose next day shipping. The best part is that all they simply had to do was select the same shipping address and credit card that my friend typically uses for her Amazon orders. After the order was placed, they archived the order so that it wasn’t readily apparent that an order had been placed. The icing on the cake is that it appears that the item was ordered by my friend and shipped to her house.
The last step must have been the easiest, simply logging into UPS My Choice and rerouting the package to Tifton, GA.
So, be careful my friends.
A couple lessons from this experience.
1. Do not open emails which you don’t know who the sender is
2. Do not especially open attachments from those emails
3. Ensure that all your online accounts are double secured using two-factor authentication
4. Check your bank statements every day
5. Sign up for UPS My Choice before the hacker does
6. Clear cookies/history on your browser often
7. Make sure you log off from your email after you have completed sending and receiving emails