Cybersecurity Blog | Ingalls Information Security

The Phishing Adventures of Huck Phinn, Reeling In the Damage

Written by Cyrus Robinson | Apr 22, 2021 4:00:00 AM
Chapter 5

In the previous chapter, we left Huck with no idea he had given a phishing scammer access to his employee network credentials. But beneath the calm surface of the normal work routine, the attacker was taking full advantage of his undetected presence to do the following:

Our “How to Spot a Phish” checklist can help you identify phishing emails and provides advice on what to do with them.
  • The attacker logged into Huck's St. Petersburg Wildlife Foundation Office 365 email account from a web browser and created an IMAP connection to Huck's email account. 
  • The attacker then created a mailbox rule to move all incoming messages and sent messages to the "archive folder" and then sent a similar message used to target Huck to every single contact and distribution list in Huck's email address book.  
  • Several of Huck's contacts responded to the email asking if it was legitimate, and any replies to these messages would be unseen by Huck because the mailbox rule caused the messages to bypass the Inbox and to go directly to the Archive folder instead. 
  • The attacker(s) monitored incoming emails and went so far as to respond to them assuring the next potential victim that they had nothing to worry about and that the email was legitimate. 
  • The attacker then deleted all sent emails, all emails in the Archive folder, and all emails in the deleted folder. 
  • The IMAP connection allowed the emails being deleted on the attacker's side to also be deleted from the St. Petersburg Wildlife Foundation servers.


Eventually, disturbing signs bubbled to the surface. While the exact number of Huck's contacts who fell victim to the phishing campaign is unknown, several of his contacts (including other St. Petersburg Wildlife Foundation employees) were also successfully hooked. The company received notification that users' email credentials had been discovered in a data breach (possibly having been sold in dark web forums). And, some employee user accounts were being actively targeted by repeated failed logon attempts, presumably after obtaining or purchasing credentials harvested in the phishing campaign. The company declared an incident. 

Ingalls Incident Response Team helped assess the extent of the breach, contain the incident, communicate to stakeholders and executives effectively and in plain language, and increase security awareness offerings to their employees. In addition to a global password reset and implementing multi-factor authentication (MFA) for all Office 365 accounts, the Ingalls Incident Response Team reviewed all Compliance and Security and Cloud App Security alerts, and assisted the St. Petersburg Wildlife Foundation with additional improvements to their cybersecurity posture. Improvements included recommendations on securing their web servers, securing employee remote access, and developing a Comply-to-Connect policy.


Getting through an incident doesn’t mean you’re off the hook. 

The St. Petersburg Wildlife Foundation* (remember, names have been changed) was happy to have found a cybersecurity partner that helped make it less scary and more practical. To improve the peace of mind they had begun to develop as a result of successfully navigating the incident, the company decided to invest in Ingalls Managed Detection and Response (MDR) services. The tools our team deployed for the investigation continue to protect their environment with active monitoring, actionable alerting, and response-at-the-ready in the event of any future threats they might encounter.


Cybersecurity does not have to be scary.

Reach out to Ingalls for help getting some peace of mind with practical solutions tailored to your business needs. As a bespoke firm in a crowded industry of big names, we have a reputation for personalized service, focused on your best interests — and as Mark Twain said, “It's not the size of the dog in the fight, it's the size of the fight in the dog.”

Let us fight for you. Follow us on LinkedIn for industry insights, practical security tips for everyday life, and to get connected with our team.


About Ingalls

Ingalls helps businesses large and small manage security risks and defend against cyberattacks. If you’d like to learn more please contact us here. One of our cybersecurity experts will be more than happy to assist you and answer any questions you may have. 

 

About the Author
Cyrus Robinson, CISSP, MCSE, MCITP, CEH, CHFI, Sec+
Mr. Robinson is a skilled Information Security professional with experience working with diversified technologies and environments. Mr. Robinson’s professional IT career began as an electronic forensics engineer as an active duty Airman with primary responsibilities with testing and evaluating digital forensic software, policies, and procedures. In this capacity, he worked alongside federal investigators and various DoD, CIA, FBI, NSA, and NIST employees. Following his active duty role with the USAF, Mr. Robinson went on to work in change management and system administration as a DoD Contractor. Mr. Robinson also has extensive experience in the roles of Information Security Officer and IT Director for a large medical group which contribute to his knowledge with security risk assessments, HIPAA compliance, and drafting and implementing corporate IT security and business continuity policies. Mr. Robinson holds various industry standard certifications and a Masters of Science in Information Security and Assurance.
View full post