  #1  
Old 01-13-2021, 10:38 AM
Keith A
Administrator
 
Join Date: Dec 2003
Location: Space Coast of FL
Posts: 18,101
OT: Security issue -- something weird/bad happened

One of the hats I wear at my company is to handle the IT stuff. This isn't my primary responsibility, but we are small enough that we don't have a full-time person for IT.

Starting late last night, someone (or some entity) is using one of our company's email addresses to sign up for hundreds, maybe more than 1K now, of random websites. This particular email account is not one that is used often, but it is the administration account for managing our Google account. In the midst of all of this, someone changed my Network Solutions password, and this was an extremely secure one. I confirmed it had been changed, and called immediately to reset this password.

I've been searching online to try and figure out what they are trying to accomplish, but I just can't figure it out. There is nothing I can do to stop them from using the email address to create accounts, other than rename this email address -- which would be a hassle. The new account creations continue to come in at more than a minute.

Has anyone had this problem before? What should I be concerned about?
  #2  
Old 01-13-2021, 10:41 AM
thegunner
tailgunning
 
Join Date: Nov 2009
Posts: 5,657
You should probably enable 2FA if you haven't already.
  #3  
Old 01-13-2021, 10:43 AM
dbnm
Senior Member
 
Join Date: Apr 2016
Location: New Mexico
Posts: 3,191
Lock everything down.
  #4  
Old 01-13-2021, 10:49 AM
Latestart
LateStart
 
Join Date: Mar 2015
Location: Seattle, WA
Posts: 519
Don't wait...

You need to get to the leader of the business immediately.

What you are describing is a possible business-disabling hack. If you don't have internal skills, hire outside help.

If *secure* passwords are being misused, you likely have lost control over your environment and your customer and employee data is compromised, including payroll, bank and other mission critical information.

Time is your enemy...
  #5  
Old 01-13-2021, 10:49 AM
texbike
Senior Member
 
Join Date: Dec 2004
Location: Austin, Texas
Posts: 6,066
Quote: Originally Posted by Keith A
One of the hats I wear at my company is to handle the IT stuff. This isn't my primary responsibility, but we are small enough that we don't have a full-time person for IT.

Starting late last night, someone (or some entity) is using one of our company's email addresses to sign up for hundreds, maybe more than 1K now, of random websites. This particular email account is not one that is used often, but it is the administration account for managing our Google account. In the midst of all of this, someone changed my Network Solutions password, and this was an extremely secure one. I confirmed it had been changed, and called immediately to reset this password.

I've been searching online to try and figure out what they are trying to accomplish, but I just can't figure it out. There is nothing I can do to stop them from using the email address to create accounts, other than rename this email address -- which would be a hassle. The new account creations continue to come in at more than a minute.

Has anyone had this problem before? What should I be concerned about?
Keith, my concern would be that they've compromised your G Suite tools and are spoofing your email addresses for BEC activities. Both O365 and G Suite are common targets for these attacks. I'd reach out to Google support for guidance on this AND you may want to consider looking for an organization that can provide a compromise assessment ASAP to see what within your environment could have been impacted. My biggest concern is your admin account. It sounds like you may have already been owned.

SMBs are being particularly targeted now due to lower levels of security hardening compared to larger entities and also depending on what clients they may serve (3rd party compromise - see the recent SolarWinds hack for a significant example).

Texbike

  #6  
Old 01-13-2021, 10:57 AM
herb5998
Senior Member
 
Join Date: Oct 2013
Location: Montreal, QC
Posts: 1,643
As texbike said, their having already gained access to the network account and changed credentials is concerning. Getting a 3rd party assessment may be helpful, as well as going line by line for any possible adjustments to your configuration which could allow them to re-enter or maintain persistent access.

While the intent of what they want to do with it may be unknown, the mapping and indexing of what your firm has informs any further actions they may take.
  #7  
Old 01-13-2021, 10:58 AM
stackie
Senior Member
 
Join Date: Dec 2003
Posts: 1,340
Email

We had this happen to our personal email years ago. Getting emails every second. Turns out it was a decoy. The real action was someone had taken over our Airbnb account and was booking rentals in Russia at a furious pace. They had all info re our Airbnb account changed, including email and phone. We only figured it out because a message came to the Airbnb app on my wife's phone.

After several years we still get large amounts of junk and spam email on that account. We are going to have to give it up and use a new email account.

Just saying to look other places as to how you could be compromised and being stolen from.

Jon
  #8  
Old 01-13-2021, 11:04 AM
texbike
Senior Member
 
Join Date: Dec 2004
Location: Austin, Texas
Posts: 6,066
For ANYONE reading this thread - on ANY sensitive account that you have - email (it can be much more sensitive than you probably realize), banking/financial services accounts, health record platforms, social media, etc - activate MFA/2FA IMMEDIATELY on your accounts if you haven't already done so. It will reduce the risk to your accounts being compromised by a substantial amount. It is the single, simplest, most effective thing that you can do to protect your accounts from compromise. It's not perfect, but it makes things difficult enough that an attacker will most likely be motivated to move on to an easier target. A good example to read about is what recently happened to a set of Robinhood customers that didn't have MFA employed on their accounts. Those that had MFA weren't impacted.

https://www.bloomberg.com/news/artic...2-000-accounts

Texbike

  #9  
Old 01-13-2021, 11:35 AM
Keith A
Administrator
 
Join Date: Dec 2003
Location: Space Coast of FL
Posts: 18,101
Thanks for the quick and helpful replies. I did confirm with Network Solutions that there weren't any changes made to our domain or account settings.
  #10  
Old 01-13-2021, 11:56 AM
AngryScientist
Administrator
 
Join Date: Mar 2010
Location: northeast NJ
Posts: 33,130
Good luck Keith, I know you have been busy with work and this is surely not what you need now.

Coincidentally, I work for a Fortune 100 company and we just got an email from the cybersecurity department indicating they are seeing a major uptick in cyber threats in recent days and to remain vigilant, so this may not be an isolated event.
  #11  
Old 01-13-2021, 12:00 PM
texbike
Senior Member
 
Join Date: Dec 2004
Location: Austin, Texas
Posts: 6,066
Quote: Originally Posted by Keith A
Thanks for the quick and helpful replies. I did confirm with Network Solutions that there weren't any changes made to our domain or account settings.
Great! I'm not sure what your company's appetite is for spending a bit of money to ensure that there aren't any other issues, but a Compromise Assessment could provide peace of mind and also identify any potential issues that you may be missing.

I'm not familiar with the primary cybersecurity providers in your specific area, but assessments can be conducted by a number of different companies. Guidepoint has a strong presence on the East Coast as does Optiv. There may be less expensive options available as well depending on who is in your area.

Good luck with it!

Texbike
  #12  
Old 01-13-2021, 12:00 PM
kppolich
SageOfMilwaukee
 
Join Date: Dec 2013
Location: Eastern Iowa
Posts: 5,558
Quote: Originally Posted by Keith A
Thanks for the quick and helpful replies. I did confirm with Network Solutions that there weren't any changes made to our domain or account settings.
Resubmit your sitemap to Google Search Console so they can scan. We just ran into something similar with a client. Attacked by BitTorrent miners and they installed some junk in some necessary files for a few websites.

-KP
  #13  
Old 01-13-2021, 12:21 PM
Keith A
Administrator
 
Join Date: Dec 2003
Location: Space Coast of FL
Posts: 18,101
Just found this interesting article...
https://www.imperva.com/blog/amazon-...istration-bots
  #14  
Old 01-13-2021, 12:23 PM
Likes2ridefar
Senior Member
 
Join Date: May 2009
Location: Arizona
Posts: 6,830
Quote: Originally Posted by AngryScientist
Good luck Keith, I know you have been busy with work and this is surely not what you need now.

Coincidentally, I work for a Fortune 100 company and we just got an email from the cybersecurity department indicating they are seeing a major uptick in cyber threats in recent days and to remain vigilant, so this may not be an isolated event.
Same story here... Fortune 5, though.
  #15  
Old 01-13-2021, 12:30 PM
ariw
Ari W
 
Join Date: Mar 2013
Location: Sarasota, FL
Posts: 1,120
I work in IT security, PM if needed. First thing, enable 2FA ASAP, for ALL accounts within GSuite if possible. Secondly, require all users to change passwords, and ensure that those aren't passwords used anywhere else.

You might also need to pull logs and look at what happened, maybe a lot, maybe very little. Won't know without looking.

For those reading, enable 2FA on every account you can and do not re-use passwords. Authy is free, and an excellent tool for this:

https://authy.com/guides/googleandgmail/

-Ari
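Added example, written for this page and not from any poster in the thread: a small Python triage of a mailbox flood like the one Keith describes and stackie calls a decoy, doing the first pass of the log review ariw recommends. It separates automated sign-up confirmations (and their per-minute rate, which exposes the flood window) from the account-change notices an attacker may be trying to bury. The mailbox sample, its domains and the subject patterns are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of the flooded admin mailbox as (timestamp, sender, subject);
# domains are placeholders and the mix mirrors the thread, not real mail.
SAMPLE_MESSAGES = [
    ("2021-01-13 02:14:05", "noreply@shop-example.test", "Welcome! Confirm your registration"),
    ("2021-01-13 02:14:21", "hello@newsletter-example.test", "Please verify your email address"),
    ("2021-01-13 02:14:48", "signup@forum-example.test", "Activate your new account"),
    ("2021-01-13 02:15:02", "account@registrar-example.test", "Your password was changed"),
    ("2021-01-13 02:15:09", "no-reply@game-example.test", "Welcome to the community"),
    ("2021-01-13 02:15:33", "support@app-example.test", "Confirm your email"),
    ("2021-01-13 02:16:10", "alerts@bank-example.test", "New sign-in from an unrecognized device"),
]

# The noise: automated sign-up confirmations.
SIGNUP_RE = re.compile(r"\b(welcome|confirm|verify|activate|registration)\b", re.I)
# The signal a flood can bury: notices that an account was changed or accessed.
ALERT_RE = re.compile(r"password (was )?changed|reset your password|new sign-?in"
                      r"|unrecognized device|security alert|recovery (email|phone) changed", re.I)


def triage(messages):
    """Return (alerts, per_minute): security notices in arrival order, and a Counter of
    sign-up confirmations per minute, which makes the flood's rate and window visible."""
    alerts, per_minute = [], Counter()
    for ts, sender, subject in messages:
        if ALERT_RE.search(subject):  # checked first so an alert is never filed as noise
            alerts.append((ts, sender, subject))
        elif SIGNUP_RE.search(subject):
            minute = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:%M")
            per_minute[minute] += 1
    return alerts, per_minute


def flood_minutes(per_minute, threshold=2):
    """Minutes with more than `threshold` sign-up confirmations: the flood window."""
    return sorted(m for m, n in per_minute.items() if n > threshold)


if __name__ == "__main__":
    alerts, per_minute = triage(SAMPLE_MESSAGES)
    print("Flood window:", flood_minutes(per_minute))
    for ts, sender, subject in alerts:
        print(f"REVIEW {ts} {sender}: {subject}")
```

The two REVIEW lines are the ones to act on first; the flood window tells you where in the real logs (mail, identity provider, registrar) to look for what happened at the same time.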