James received a message, “What’s this link you sent me??”

James received a reply from a co-worker saying that he had sent them a Dropbox link that looked suspicious. The next day another person complained to James that he had sent them a Google Doc asking them to log in, and they just wanted to check what it was. James quickly realized someone had gotten hold of his company email password and was sending spam out of his mailbox. He did what he thought was the most appropriate thing and changed his password. Another day went by and James breathed a sigh of relief, confident that whoever had his password could no longer use his email for phishing. Then yet another day went by, and a different person replied asking what the .zip file was that he had sent them. Ugh! James was frustrated: he could not understand how someone STILL had access to his mailbox, even though he had just changed his password.

Let's try to understand how the attackers were able to keep accessing James's email account even though, by now, he had changed his password several times. The answer is simple: malware installed as a Chrome browser extension that steals passwords and credit card numbers, can take screenshots, and tracks activity on the infected machine. Every new password James typed was captured on the same infected computer.

What James fell for is an attack called malvertising: a malicious online ad tricked James into installing a plugin for his browser, on the premise that he needed an updated version of the software in order to view the website.

When James opened the malicious website, a pop-up appeared on his screen telling him his version of “Adobe Flash Player” was out of date. Chrome never needed an add-on extension for Flash, and Adobe retired Flash Player at the end of 2020, so any such prompt is fake.

[Image: fake Flash Player update prompt]

Being the responsible person he is, James clicked Accept and then Add.

What typically gets installed at that moment is several pieces of malware:

  1. A backdoor that gives the attacker remote access to the infected computer, often over RDP, without the end user noticing.
  2. A downloader that fetches additional components: Chrome extensions that steal information directly from the browser, plus a keylogger and a screenshot grabber that record anything the user does on the machine.
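A browser extension can only read credentials, page content and the clipboard if its manifest asks for the permissions that allow it, so the quickest check for the kind of extension described above is to audit what each installed extension is allowed to do. The following script is an added example written for this article, not code from the original post or from the malware it describes. It walks a Chrome profile's `Extensions` folder, reads each version's `manifest.json`, and flags extensions whose permissions or content-script matches let them see every site, intercept requests or read the clipboard. The profile paths and the watch-list of risky permissions are assumptions for the example; the two sample manifests are constructed.

```python
"""Audit installed Chrome extensions by reading each extension's manifest.json
and flagging permissions that let it read or capture browsing data."""
import json
import os
import sys
import tempfile
from pathlib import Path

# Permissions (Manifest V2/V3) that let an extension see page content, requests
# or the clipboard. Constructed watch-list for this example; extend to taste.
RISKY_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "tabs", "history", "cookies", "clipboardRead", "clipboardWrite",
    "nativeMessaging", "debugger", "scripting", "<all_urls>",
    "http://*/*", "https://*/*", "*://*/*",
}


def default_extension_root() -> Path:
    """Chrome's 'Extensions' folder for the default profile (assumed paths)."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions"
    if sys.platform == "darwin":
        return Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"
    return Path.home() / ".config/google-chrome/Default/Extensions"


def extension_permissions(manifest: dict) -> set:
    """Collect everything the manifest grants: permissions, MV3 host
    permissions, and the hosts its content scripts are injected into."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return perms


def audit_extension_root(root: Path) -> list:
    """Return [(extension_id, version, name, risky_permissions)], riskiest first."""
    findings = []
    if not root.is_dir():
        return findings
    for ext_dir in root.iterdir():
        if not ext_dir.is_dir():
            continue
        for version_dir in ext_dir.iterdir():
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            except (ValueError, OSError):
                # An unreadable manifest is itself worth a look.
                findings.append((ext_dir.name, version_dir.name, "<unreadable manifest>", {"unreadable"}))
                continue
            risky = extension_permissions(manifest) & RISKY_PERMISSIONS
            findings.append((ext_dir.name, version_dir.name, manifest.get("name", "<unnamed>"), risky))
    findings.sort(key=lambda f: -len(f[3]))
    return findings


def flagged_extensions(root: Path) -> list:
    """Only the extensions that hold at least one risky permission."""
    return [(eid, name, sorted(risky)) for eid, _ver, name, risky in audit_extension_root(root) if risky]


# Constructed sample manifests: one narrow-scope extension and one shaped like
# the fake "Flash update" above (content script on every site, request
# interception, clipboard access).
SAMPLE_MANIFESTS = {
    "aaaabbbbccccddddeeeeffffgggghhhh/1.0.0": {
        "name": "Tab Counter", "manifest_version": 3, "permissions": ["storage"],
    },
    "zzzzyyyyxxxxwwwwvvvvuuuuttttssss/2.3.1": {
        "name": "Flash Player Update", "manifest_version": 2,
        "permissions": ["webRequest", "webRequestBlocking", "tabs", "clipboardRead", "<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    },
}


def build_sample_root() -> Path:
    """Write the constructed manifests into a temp folder laid out like Chrome's."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    for rel, manifest in SAMPLE_MANIFESTS.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Pass a folder to audit it, or run without arguments to audit this machine.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extension_root()
    for eid, version, name, risky in audit_extension_root(root):
        print(("FLAG " if risky else "ok   ") + f"{eid} {version} {name!r} {sorted(risky)}")
```

Run it against the sample folder from `build_sample_root()` to see the constructed "Flash Player Update" entry flagged while "Tab Counter" passes; on a real profile, treat any flagged extension you do not recognize as a candidate for removal, and remember that an extension name like "Flash Player Update" proves nothing by itself, since the permissions are what matter.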

So every time James changed his password through Office 365, he typed the new password on the same infected machine. The keylogger and the malicious extension captured it and sent it straight to the attackers, who a few days later launched another phishing run from his mailbox.

James finally had enough. Knowing his computer must be compromised, he did a factory reset of his Windows PC, and only then logged into his email and changed his password, this time from a clean machine. Being paranoid, he also reset his phone and tablet.

Although effective, this was drastic: had James known when the malware was installed, he could have tried reverting the PC to a restore point from before the infection. Keep in mind, though, that System Restore does not reliably remove malware, so a full reset or reinstall remains the safer choice.

That one click on Accept cost James days of aggravation and weeks of cleaning up the mess, restoring files and reinstalling software on his computer.

The real takeaway is that malware is constantly evolving and finding new ways to trick end users. A password change only helps if the device you change it on is clean; otherwise the new password is captured the moment you type it. We need to be aware of the threats and of the ways to protect ourselves.

If your company is facing a security breach involving email or other systems and needs help putting a stop to it, reach out to AlphaCIS, a Managed Services Provider (MSP) focused on enterprise cybersecurity. Schedule a quick discovery phone call to see how we can help.