Nigeria is Known for their Phishing Emails. Gmail Users Beware!

If you have a Gmail account, please be aware there are gangs of predators based out of Nigeria are working full force in hijacking your account. These hijacks or scams are also known as the Nigerian scams, or "419" scams. It is a type of fraud and one of the most common types of confidence trick. Once your account is hijacked, these hijackers will begin to find out more information regarding you and will attempt to login to multiple websites that you have joined, such as your online back account.

The plan for these hijackers is to steal as much information from you as possible, without trying to leave a trail of what they're doing. Once your Gmail account is compromised, these hijackers will make a few changes to your Gmail account, such as setting up filters. Filters is one feature within Gmail that certain tasks can be created to make certain actions, such as telling Gmail to move emails coming from @suntrust.com to skip the inbox and go straight into a folder labeled, "Suntrust."

I had recently come across these Gmail hijackers who had gained access to a person's Gmail account. No emails were left in the inbox and no new emails were coming through. Of course, the first priority is to change the password to the Gmail account, to a more secure password (Example... L!m3Br@v0). My next step was to review the activities of the account and take notes of all available information that is available. Another step is to check to make sure no forward email accounts are setup and no where for the hijackers to gain the newly changed password. Now once I had established that the Gmail account's password had been changed and the Gmail account is secured enough, the next step is to go disable any filters that was put into play on the account.

In this recent case, these hijackers had setup certain filters on the account. There were four in total. For any emails coming from @jpmorgan.com, skip the inbox and immediately delete the emails. This included the other four filters which were set the same way, but instead, was using @suntrust.com, @peress.net, and the full email account (for sending all new emails coming in to the trash bin). So, I had immediately deleted all filters. Afterwards I went into the trash and restored all legit emails that were deleted by the filters.

Now, how did this all get started? By phishing emails. Here is an email of one of these phishing emails and what a phishing email looks like:

Everything looks legit, until you start clicking on links within the email that you don't look at before clicking. If you hover over the links, it will display exactly where the link will take you. In this case, the login link takes you to a phishing website to steal your information and hijack your email account. For an example, www.fixmyownroom.com/wheezing/index.html would be a phishing website that will start downloading phishing information onto your workstation.

The best medicine to this is to be very careful with any emails that you receive. Review carefully who the sender is and where the email is coming from. The email may state that it is coming from American Express, but a legit email wouldn't state that it is coming from americanexpress1.org.

To pull all of this, what we know now together, we will then want to run full scans on the workstation to find and eliminate any traces of viruses, spyware, and malware. This also includes any found phishing emails left on your workstation. Once it is clear that the workstation is clear of infections, we will want to do another secure password change as a secondary measure of security.

Here are a few tips to keep in mind during a Gmail account hijack:

  • Secure your password.
  • Update your account recovery options.
  • Check your account for unusual activity.
  • Check your Gmail settings. Keep your device clean.
  • Update your browser.
  • Turn on 2-Step Verification.
  • Prevent identity theft and invoice scams.

The best solution is to move towards a more secure and solid email service, such as Microsoft Exchange. Keep important data in one place with Exchange archiving, large mailboxes, and retention policies, eliminate email threats before they reach your network, protect your sensitive data and inform users of internal compliance policies, and so much more.

If you run a business, you will also want to invest in security equipment, such as a Sonicwall, along with additional services and equipment.

We are currently in a world that revolves strongly around social media. This social media includes websites such as Facebook and Google Plus. Most websites will pressure you into linking all of your accounts into one. When you sign up for a website, it will most likely have a button to sign up using your Facebook account. Think about it, someone hijacks your primary Gmail account, the hijacker is able to learn so much personal information regarding you, by looking at all of your linked accounts linking to your primary Gmail account. This is one way that will make it easy to guess your security passcodes.

We at Hilltop Consultants are here to help make sure your business and network is as secured as possible. I recommend that you reach out to us if you have any questions, have gotten yourself hijacked, or think that your current solution is not good enough. Don't be the person that gave all your money to Nigeria and all you got was a lousy t-shirt.

Be sure to subscribe and keep checking back on our blog for more entries on very useful information to help you aware of the latest IT-related attacks.