Phishing Attempt Intercepted
04 November 2020

What Happened?

We have just intercepted a phishing attempt against MousePaw Media, thanks to @wdede's eagle eyes!

Yesterday at 15:30 UTC, @wdede received the following email seemingly from @jcmcdonald's company email address:

Subject: Reply me ASAP Wilfrantz

I need your cell phone number for an urgent task.

Thanks

Jason C. McDonald
CEO, Lead Developer
MousePaw Media

@wdede did the right thing: he did not reply, but instead called the company number to alert us, as well as forwarding the suspicious email to ECO.

Upon further investigation, we found a similar email had been sent to @mahussain one minute earlier at 15:29. Both emails were sent from a Gmail address, which was exposed in the email headers (email source code).

No other such emails have been found at this time. We have no reason to suspect a data breach.

The incident has been reported to the FBI Internet Crime Complaint Center (https://www.ic3.gov/), as well as to Google, for further investigation.

Why Did This Happen?

This is known as phishing: a social-engineering attack in which an attacker uses email (or another channel) while impersonating someone you trust, in order to get personal or confidential information out of you. Phishing attempts against companies are not rare, although this is only the second such attempt in our company's history.

This phishing attack was merely looking for phone numbers, at least as a first step. A phone number lets the attacker move the conversation to text messages, away from our mail server and the headers it records, and ask for further information from there while still pretending to be Jason.

How To Spot a Phishing Attack

  1. If something looks odd, be suspicious! Ask questions. This is one of the reasons we have multiple points of contact at MousePaw Media. If an email claims to be from someone, but something seems off, it's smart to contact them via phone, Phabricator, or Skype to verify.
  1. Never send personal or confidential information by replying to an email. A reply goes to whatever Reply-To (or From) address the sender chose, which need not belong to the person named in the message. If you need to send sensitive data to someone, create a new message and enter the correct email address yourself. Be EXTRA cautious if they are the one requesting the information: their account may itself have been compromised, so confirm the request with them via another means first.
  1. MousePaw Media will never ask you to send passwords, email addresses, phone numbers, or any other personal or confidential information in an email. We already have that data stored securely, and we never need to be told your company password: if credentials need to be changed, we can reset them.
  1. The quarterly Information Update is the only time we'll ask for personal information at all, and we always announce it. This uses the Information Update form, and you are encouraged to either upload that to Nextcloud or send it in a new email (instead of a reply) to ECO.

Checking Email Headers

The "From" line you see in your mail client is just a header the sender typed; it can show any name and address, including one that was never used to send the message. But one of the advantages of being a tech company is that most of our staff is technically inclined. You can investigate the legitimacy of an email yourself by viewing the full email headers, sometimes also called the email source code (most mail clients have a "show original" or "view source" option for this).

Here are the headers of a REAL message from @jcmcdonald:

From jcmcdonald@mousepawmedia.com Wed Nov  4 06:40:43 2020
Return-Path: <jcmcdonald@mousepawmedia.com>
Delivered-To: hawksnest@mousepawmedia.com
Received: from mousepawmedia.com
	by ubuntu.members.linode.com (Dovecot) with LMTP id jG6PC2u9ol86KAAA+6EOPQ
	for <hawksnest@mousepawmedia.com>; Wed, 04 Nov 2020 06:40:43 -0800
Received: from localhost (localhost [127.0.0.1])
	by mousepawmedia.com (Postfix) with ESMTP id 290CF202B0
	for <hawksnest@mousepawmedia.com>; Wed,  4 Nov 2020 06:40:43 -0800 (PST)
X-Spam-Flag: NO
X-Spam-Score: -0.193
X-Spam-Level: 
X-Spam-Status: No, score=-0.193 tagged_above=-999 required=5
	tests=[ALL_TRUSTED=-1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
	DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HK_RANDOM_ENVFROM=0.626,
	HK_RANDOM_FROM=0.379, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001]
	autolearn=no autolearn_force=no
Authentication-Results: delavega.mousepawgames.net (amavisd-new);
	dkim=pass (2048-bit key) header.d=mousepawmedia.com
Received: from mousepawmedia.com ([127.0.0.1]) by localhost
 (delavega.mousepawgames.net [127.0.0.1]) (amavisd-new, port 10024) with
 ESMTP id F56vQ-uRshdO for <hawksnest@mousepawmedia.com>; Wed,  4 Nov 2020
 06:40:41 -0800 (PST)
Received: from [192.168.1.42] (cpe-98-146-160-208.natnow.res.rr.com
 [98.146.160.208]) by mousepawmedia.com (Postfix) with ESMTPSA id 8F5311F721
 for <hawksnest@mousepawmedia.com>; Wed,  4 Nov 2020 06:40:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mousepawmedia.com;
	s=201809; t=1604500841;
	bh=jpdJgsbDLGenWoZD9/BThi1LO85M7dwVOY7wdDrQ3pI=;
	h=Subject:From:To:Date:From;
	b=sSflVL4+q1hRo9189ddogHZ96/2IQgBBLJt3nusSDJY7UyRIhQePe54QGs4HKWZA6
	 kY8RMdkARStA3cxRukt/86PUYtqVL/byY1jv7lGOXuYnUsEdA4DLz6HwHYn5PZbBnd
	 BJbk2RHJHJ0Lgu2mDf9qLdCF14AMA3WYytFsLwALk8kMDZZebZKyO0euYZPwkDTv0w
	 jdap1RMqixhLI/3EIHK4l5DrkXcVdNA5Nak+SJp5TCxlQztXshrTu0pK9+HMBJpcck
	 Ak8pffVv9D5I1yvxOXGln28p+L8Cl9kzT5peT5+zlkDsHNcMKG9/mhcVWQdoD6zZhq
	 p9hwmBvtdp6ig==
Message-ID: <b60aa6db4141400fcf8acc35abadb4dd8317351f.camel@mousepawmedia.com>
Subject: This Is A Real Email
From: "Jason C. McDonald" <jcmcdonald@mousepawmedia.com>
To: hawksnest <hawksnest@mousepawmedia.com>
Date: Wed, 04 Nov 2020 06:40:34 -0800
Organization: MousePaw Media
Content-Type: multipart/signed; micalg="pgp-sha256";
	protocol="application/pgp-signature"; boundary="=-F5ZhqkDwOC9kIXIEbYgy"

Notice the following fields especially:

Return-Path: <jcmcdonald@mousepawmedia.com>

This is the envelope sender (the address given in the SMTP MAIL FROM command), recorded by our server on delivery; it is where bounces are returned. It is not where your reply goes (that is Reply-To, or From if there is no Reply-To), but for legitimate company email it should match the From address. A Return-Path or Reply-To in another domain, such as a Gmail address under a mousepawmedia.com From line, is a red flag; this is how the Gmail address behind this week's emails showed up in their headers.

Authentication-Results: delavega.mousepawgames.net
dkim=pass (2048-bit key) header.d=mousepawmedia.com

The first line just says we're receiving the email on delavega.mousepawgames.net, which is fine. (We control mousepawmedia.com, mousepawgames.com, and mousepawgames.net, all on the email/website server, as well as mousepawmedia.net for DevNet.)

The dkim= field is the most important here. dkim=pass with header.d=mousepawmedia.com means our filter found a DKIM signature on the message, fetched the public key published in DNS for mousepawmedia.com, and verified that the signed headers (including From) and the body have not been altered since our server signed them. Only a server holding our private key can produce such a signature, so a message sent from a Gmail account with a forged From line cannot get dkim=pass for d=mousepawmedia.com. One caveat: anyone can type an Authentication-Results header into a message they send, so only trust the line that names our own filter (delavega.mousepawgames.net) as the checker; a dkim=pass line from some other host, with nothing from ours, is itself suspicious.

Received: from [192.168.1.42] (cpe-98-146-160-208.natnow.res.rr.com
 [98.146.160.208]) by mousepawmedia.com (Postfix) with ESMTPSA id 8F5311F721

Received headers are read from the bottom up: each server prepends its own line, so the lowest line added by our server shows how the message first reached us. Here it was accepted by mousepawmedia.com (Postfix) "with ESMTPSA", which is Postfix's notation for a TLS-encrypted submission from a logged-in (SASL-authenticated) client, in this case Jason's mail client on his home connection. The two Received lines above it that mention 127.0.0.1 and localhost are just our server handing the message through its spam/virus filter (amavisd-new) and back to Postfix. A message from an outside server would instead show that server's name after "from" and "with ESMTP" or "with ESMTPS" (no trailing A), and any Received lines below the ones our server added were supplied by the sender and can be fabricated.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mousepawmedia.com;

All our emails are signed with DKIM, to help prevent spoofing: our server adds this header when it relays the message. d= is the signing domain, s=201809 is the selector (the public key is published at 201809._domainkey.mousepawmedia.com in DNS), h= lists the headers covered by the signature, bh= is a hash of the body, and b= is the signature itself. A forger can copy this header into their own message, but it will then fail verification (dkim=fail in Authentication-Results) because their headers and body no longer match the signature; what matters is the dkim=pass above, not the mere presence of this line.

If these do not line up (Return-Path or Reply-To in a different domain, no dkim=pass from our own filter for mousepawmedia.com, or a first hop into our server that is not an authenticated submission), the message did not pass through our mail server the way Jason's email does, whatever the From line says. Treat it as suspicious and report it.
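The checks above, written out as a small header-triage script. This is an added example, not MousePaw Media's own tooling: it parses the headers with Python's standard email module and flags a Return-Path or Reply-To outside the From domain, the absence of a dkim=pass from our own filter aligned with the From domain, and a first hop into our server that was not an authenticated (ESMTPSA) submission. It does not verify the DKIM signature cryptographically. The lists of our mail hosts and trusted checker are assumptions taken from the genuine headers shown above; the "real" sample is that message trimmed to the relevant headers, and the "spoofed" sample is constructed for illustration (the Gmail address, mail.example.net, 192.0.2.10 and the queue id are placeholders).

```python
"""Triage e-mail headers for the spoofing indicators discussed above.
Added example, not MousePaw Media code. Header parsing only; the DKIM
signature itself is not cryptographically verified here."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: these are the hosts/domains seen in the genuine headers above,
# and only delavega (amavisd-new) writes Authentication-Results we trust.
OUR_MAIL_HOSTS = {"mousepawmedia.com", "delavega.mousepawgames.net",
                  "ubuntu.members.linode.com", "localhost"}
OUR_DOMAINS = {"mousepawmedia.com", "mousepawgames.com",
               "mousepawgames.net", "mousepawmedia.net"}
TRUSTED_AUTHSERV = {"delavega.mousepawgames.net"}

# Genuine message from the page, trimmed to the headers the checks use.
REAL_HEADERS = """\
Return-Path: <jcmcdonald@mousepawmedia.com>
Authentication-Results: delavega.mousepawgames.net (amavisd-new);
 dkim=pass (2048-bit key) header.d=mousepawmedia.com
Received: from mousepawmedia.com ([127.0.0.1]) by localhost
 (delavega.mousepawgames.net [127.0.0.1]) (amavisd-new, port 10024) with
 ESMTP id F56vQ-uRshdO for <hawksnest@mousepawmedia.com>; Wed,  4 Nov 2020
 06:40:41 -0800 (PST)
Received: from [192.168.1.42] (cpe-98-146-160-208.natnow.res.rr.com
 [98.146.160.208]) by mousepawmedia.com (Postfix) with ESMTPSA id 8F5311F721
 for <hawksnest@mousepawmedia.com>; Wed,  4 Nov 2020 06:40:41 -0800 (PST)
From: "Jason C. McDonald" <jcmcdonald@mousepawmedia.com>
Subject: This Is A Real Email
"""

# CONSTRUCTED spoof: Gmail envelope sender and Reply-To, an unauthenticated
# outside hop, and a forged Authentication-Results line the sender typed in.
# Addresses, hostnames (example.net, 192.0.2.10) and ids are placeholders.
SPOOFED_HEADERS = """\
Return-Path: <not-jason@gmail.com>
Authentication-Results: delavega.mousepawgames.net (amavisd-new);
 dkim=none
Received: from mail.example.net (mail.example.net [192.0.2.10])
 by mousepawmedia.com (Postfix) with ESMTPS id 0000000000
 for <hawksnest@mousepawmedia.com>; Tue,  3 Nov 2020 07:30:00 -0800 (PST)
Authentication-Results: mail.example.net; dkim=pass header.d=mousepawmedia.com
From: "Jason C. McDonald" <jcmcdonald@mousepawmedia.com>
Reply-To: <not-jason@gmail.com>
Subject: Reply me ASAP Wilfrantz
"""

def domain_of(header_value):
    """Domain of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def trusted_dkim(msg):
    """(result, signing domain) pairs from Authentication-Results lines written
    by OUR filter; lines with any other authserv-id could be forged, so skip them."""
    found = []
    for ar in msg.get_all("Authentication-Results", []):
        ar = " ".join(ar.split())                       # unfold continuation lines
        authserv = ar.split(";", 1)[0].split()[0]      # host that did the checking
        if authserv not in TRUSTED_AUTHSERV:
            continue
        for m in re.finditer(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", ar):
            found.append((m.group(1), (m.group(2) or "").lower()))
    return found

def entry_hop(msg):
    """Lowest Received line added by one of our hosts: where the message entered
    our infrastructure. Headers are prepended, so read from the bottom up."""
    for rcvd in reversed(msg.get_all("Received", [])):
        rcvd = " ".join(rcvd.split())
        m = re.search(r"\bby (\S+)", rcvd)
        if m and m.group(1) in OUR_MAIL_HOSTS:
            return rcvd
    return ""

def triage(raw_headers):
    """Return a list of red flags; an empty list means the headers are consistent."""
    msg = message_from_string(raw_headers)
    from_dom = domain_of(msg.get("From"))
    flags = []
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom!r} != From domain {from_dom!r}")
    if msg.get("Reply-To") and domain_of(msg.get("Reply-To")) != from_dom:
        flags.append(f"Reply-To points outside the From domain {from_dom!r}")
    dkim = trusted_dkim(msg)
    if ("pass", from_dom) not in dkim:
        flags.append(f"no trusted dkim=pass aligned with {from_dom!r}; saw {dkim}")
    hop = entry_hop(msg)
    if from_dom in OUR_DOMAINS and not re.search(r"\bwith ESMTPSA\b", hop):
        flags.append(f"claims our domain but first hop is not an authenticated submission: {hop[:70]}")
    return flags

if __name__ == "__main__":
    for label, raw in (("real", REAL_HEADERS), ("spoofed", SPOOFED_HEADERS)):
        print(f"{label}: {triage(raw) or 'no red flags'}")
```

Running it reports no red flags for the genuine message and four for the constructed spoof: the Gmail Return-Path, the Gmail Reply-To, no aligned dkim=pass from our filter (the forged pass from mail.example.net is ignored, and our filter said dkim=none), and a first hop that was plain ESMTPS from an outside server rather than an ESMTPSA submission. The host and checker lists are the part you would adapt for another mail setup.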

What's Next?

Keep an eye on your email over the next few days. If you receive any suspicious messages, contact @jcmcdonald right away via phone or, if necessary, email. Do not reply to or delete the suspicious message. We'll need it to file a report.

Stay safe!

Written by jcmcdonald on Nov 4 2020, 7:04 AM.