TC email account (accounts?) hacked - Don't reply!

I just received three suspicious emails that appeared to come from Dean Dafis but, in fact, were phishing.  (The sending email addresses were definitely not Dean's.)  I messaged Dean on Facebook and he said "Thank you. Yes, we have been compromised, do not open, DELETE."


The town sent out an email on Saturday alerting that the town's email addresses had been hacked.  Hopefully, they are working to resolve the problem.  In the meanwhile, they recommend against replying to or clicking on a link in a suspicious email.  Following up via phone call or Facebook is a good idea.  The town needs to know when these suspicious emails are sent out.   


Update: Spam from Township Email Accounts

Last week malicious files were located on the Township's email system. Spammers were able to use such files to exploit Township emails and address books, including all internal and external contacts, in order to send phishing links. The Township's IT team has been working diligently to address the issue and is able to report that there are no longer any malicious files located on the Township system. However, spammers are now using the same data to send out spoof emails. These emails appear to come from Township email accounts in response to existing message threads. While closer inspection reveals that these emails are being sent from accounts not associated with the Township, the fact that they are being sent in response to legitimate communications makes it challenging for users to identify the phishing attempts before clicking on any links or attachments.

Unfortunately, because both the senders and recipients of this new round of phishing emails are outside of the Township's domain, our IT team is unable to address the issue any further. For this reason, anyone receiving an email that appears to be from Township employees is advised to do the following:

  • Verify that the sender's email address matches the sender's name. If this is not the case, block the sender.
  • Verify that the sender's email address matches the Township's domain (@twp.maplewood.nj.us).
  • Avoid clicking on any links or attachments.
  • If an email from a Township account seems suspicious, contact the sender to confirm its legitimacy.
  • Report all suspicious emails as spam before deleting.
  • If you click on a link or attachment that appears to contain malware, run your personal device's anti-virus software as soon as possible.

Thank you all once again for your patience and understanding as we have worked to address this issue. Please note that, in order to avoid similar situations in future, the Township has taken the following actions:

  • Removed all malicious links via cloud control/manually from devices.
  • Updated the anti-virus on every Town Hall device
  • Ran a system-wide scan for servers and local machines to find and delete viruses, malware, and spyware
  • Installed TrafficLight (to check legitimacy of site) and UOrigin Block (to block pops and malicious links by trackers) on Township workstations
  • Factory reset workstations with severe malware infections
  • Ran an aggressive scrub on all servers and severely impacted workstations
  • Scanned, disinfected, and quarantined 1000+ threats
  • Updated the Exchange mail server with the latest Microsoft Security Patch
  • Notified Barracuda (email spam filter) of the incident and requested a report on inbound/outbound communication, spam
  • Closed all unidentified ports on the Township Firewall
  • Disabled all old user accounts
  • Created new Group Policies to block auto execute from known software
  • Reset all local passwords and server access
  • Reset all Township user passwords
  • Set all incoming/outgoing email to scan via Bitdefender
  • Connected advanced malware protection and IDS/IPS to alert system

Specifically, the IT staff needs to ensure the cloud provider fixes this issue:

https://www.wired.com/story/log4j-flaw-hacking-internet/


I'm surprised there's no mention of a criminal investigation.  Hacking is a crime.  It drives me crazy that some government communications are being posted solely on Facebook.  Serious ethical concerns associated with Facebook aside, I imagine that many residents are unwilling, like me, to share their personal information with that company.  Of course, having shared personal info with the town, I now find my email info is in the possession of unidentified malefactors.  


I'm sure there are agencies that track IP addresses of bad actors, but one hacked computer can be turned into a hacking device to hack another, and on and on: turtles all the way down.  I'm sure we're spending billions of tax dollars attempting to find the tens of thousands of bad actors, but I'm starting to think going back to postage stamps and letters might be nice.


This log4j problem affects, among many things, Apple iCloud services.  I don't know if it's a coincidence, but Apple just issued updates for macOS and iOS products.


jamie said:

Unfortunately, because both the senders and recipients of this new round of phishing emails are outside of the Township's domain, our IT team is unable to address the issue any further. For this reason, anyone receiving an email that appears to be from Township employees is advised to do the following:

  • Verify that the sender's email address matches the sender's name. If this is not the case, block the sender.
  • Verify that the sender's email address matches the Township's domain (@twp.maplewood.nj.us).
  • Avoid clicking on any links or attachments.
  • If an email from a Township account seems suspicious, contact the sender to confirm its legitimacy.
  • Report all suspicious emails as spam before deleting.
  • If you click on a link or attachment that appears to contain malware, run your personal device's anti-virus software as soon as possible.

Spoofing a sender's email address is easy. So, you can ostensibly get an email from "@twp.maplewood.nj.us" originating from "@poopoo.scam". A spoofed email should show it's spoofed, or not be accepted, or be automatically sent to the spam folder.

I spoofed an email to my wife by creating an identity for her bank in Thunderbird. The email provider I used to send it didn't check and delivered it. Her email provider accepted it as is. The result is she thought she received an email from her bank. No warning.

Email is complicated. The whole internet has to know how to route your message, requiring that the routing info be available to all. Domains using email need control records for ownership, routing and validation. They are the MX, SPF, DKIM and DMARC. Some are required, some are not. If you don't set up your DKIM and DMARC correctly you lose validation. It's also incumbent on email hosts to check your email against those records. Missing records or incomplete checking is what allows spoofed email.

That is why it's smart to set up your own email domain. Then you determine what control records you have and the degree of validation you want. You then use an email provider that actually looks at these records when your mail is sent and received.

After that, my wife set up her own domain and is now using a "reliable" host. We then tested by sending another spoofed email. It showed in her inbox highlighted and labeled that the mail failed domain verification. We could also have set it up to automatically route to her spam folder. There are a lot of options.

Sometimes domain verification failure is OK. That happens with mailing lists where the mailer of the list is a different domain from the address of who they are mailing for. For example, store "A" will send you an email with the address "sale@A.com" but the mail originated from "mailings@mailinglist.com".

Another advantage of your own domain is you can set up a unique address for your finance, bank, broker, credit cards and tax authorities. I've done that for years and found they have never given the address out to external organizations. That is, over the years, the only mail I received at my finance email is from those organizations. It's like setting up your own firewall between finance and others like shopping or forums.


RTrent

Thanks for your comprehensive explanation, however I'm just an ordinary guy and it is all gobbledygook to me.  It doesn't help.


mrmaplewood said:

RTrent

Thanks for your comprehensive explanation, however I'm just an ordinary guy and it is all gobbledygook to me.  It doesn't help.

You don't have to know the technical stuff of protecting yourself. Just use a reliable email provider and your own domain. I use Google domains to get my domain and Proton mail to host my mail. I would never use Gmail.

The thing is you can get ProtonMail for free, one address. If you want to use multiple addresses then you need to pay. I believe the two year discount for ProtonMail Plus price is $79 but you also have to pay Google or whoever you pick as your domain provider which is about $12 a year. We're talking about $50 to $55 a year.

Without knowing the tech stuff you can get it going because ProtonMail and other providers help you with setup info and support.

I picked ProtonMail because it's encrypted. It enables me to send confidential stuff, like legal and financial, directly to another ProtonMail account user or to anyone else with a separate password.

It does help to know the technical aspects even if ProtonMail and some others explain it. For example, you can set your domain's control record to ignore, quarantine or reject invalid (spoofed) mail. You decide the level of control. Ignore, which my wife has set, means deliver it normally, but ProtonMail will add a highlight that it failed authentication. Quarantine (depends on your email host) means send it to your SPAM folder. Reject means don't even deliver it, which may be an issue with some mailing list messages that are really valid.

Many people are resistant to paying for professional email services. Why should I pay for it when I can get Gmail for free? While willing to pay for identity theft services. But you need to be proactive. Like vaccinations, you try to prevent. I don't see how an identity theft service can prevent. They look for issues, and by the time an issue is found it's too late. The horse has already left the barn. If your identity is completely stolen then good luck in remediating the damage. It can take years.

Besides protecting your email you should also security freeze your credit reports. Don't think your DOB or social security number, which some companies use to validate you, will protect you. They're easily found. The real scams besides phone scams now are malicious emails, tricking you into opening a link or getting you to log into your "financial" provider.

https://en.wikipedia.org/wiki/DMARC

ps - follow up. Here's how my account highlights an email that failed authentication -  
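The control-record checks and the ignore/quarantine/reject setting described in the two posts above, as an added example that is not part of the post or of any mail provider's code. It assumes the DMARC_RECORDS dictionary stands in for a DNS lookup of _dmarc.<domain>, all domains and records are constructed, and it also covers the earlier mailing-list case, where mail sent on behalf of store A from a list domain fails alignment.

```python
# Added example, not from the forum post or from any mail provider's code:
# a minimal DMARC policy evaluator showing how p=none / quarantine / reject
# decides what a receiver does with mail whose SPF/DKIM results do not align
# with the From: domain. Records and domains below are constructed samples.

# Constructed sample DMARC TXT records, as a receiver would fetch them from
# _dmarc.<domain>. The 'p=' tag is the policy the domain owner chose.
DMARC_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "wifedomain.example": "v=DMARC1; p=none; adkim=r; aspf=r",
    "a.example": "v=DMARC1; p=quarantine",
}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Relaxed alignment compares organizational domains. This simplified
    version keeps the last two labels; real receivers use the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only the org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain: envelope-sender domain that passed SPF (None if it failed).
    dkim_domain: d= of a valid DKIM signature (None if none verified).
    Returns 'pass', 'none' (deliver but flag), 'quarantine', 'reject',
    or 'no-policy' when the From: domain publishes no DMARC record."""
    record = DMARC_RECORDS.get(from_domain.lower())
    if record is None:
        return "no-policy"  # a spoof of this domain arrives with no verdict
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]  # the domain owner's choice: none, quarantine or reject
```

A spoof of the p=none domain is delivered but flagged, the same spoof of the p=reject domain is dropped, and the store mail relayed from a list domain lands in the quarantine outcome unless the list signs with the store's own DKIM key.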


The information about setting up a domain is interesting and useful.  Thanks, RTrent.  I just called about five numbers over at Town Hall, including a couple at the Police Dept., and couldn't get through to one human being.  It would be helpful to have a conversation with someone over there about the hack.  


How would they validate you on a phone call?  You could be a hacker!   blank stare


Of course!  That's why they never answer the phone.  


They would likely refer you to their e-mail about the situation as posted above:  "because both the senders and recipients of this new round of phishing emails are outside of the Township's domain, our IT team is unable to address the issue any further."

In other words no physical computers owned by the township are involved, so there's nothing "to do" except alert people to be suspicious of e-mails that appear to come from the town's address.


I read that, and I wondered whether the situation will be referred to, say, the FBI's Cyber Crime division.  An epidemic of hack attacks on NJ townships has been circulating for years.  Seems like more sophisticated cyber crime experts need to be called in.  https://www.nj.com/crime/2019/11/nj-towns-increasingly-face-threats-of-hefty-ransom-demands-from-dark-web-hackers.html


dave said:

They would likely refer you to their e-mail about the situation as posted above:  "because both the senders and recipients of this new round of phishing emails are outside of the Township's domain, our IT team is unable to address the issue any further."

In other words no physical computers owned by the township are involved, so there's nothing "to do" except alert people to be suspicious of e-mails that appear to come from the town's address.

Note that the actual email addresses of the senders of the emails I received were not town addresses.  They just had the name "Dean Dafis" accompanying them. We all need to be vigilant about this sort of thing.  (I get a lot of emails supposedly from PayPal with crazy non-PayPal addresses, for example.)  Of course, there are also ways to spoof the address as well.  Basically, I try to remember not to click any links or open any attachments on emails unless I am absolutely sure about the sender and legitimacy.


Elle_Cee said:

I read that, and I wondered whether the situation will be referred to, say, the FBI's Cyber Crime division.  An epidemic of hack attacks on NJ townships has been circulating for years.  Seems like more sophisticated cyber crime experts need to be called in.  https://www.nj.com/crime/2019/11/nj-towns-increasingly-face-threats-of-hefty-ransom-demands-from-dark-web-hackers.html

Except that's not this situation. It's more likely that someone clicked on a link they shouldn't have, and their email was swept for addresses and messages to reply to, and then it spread through to other users via the same method.


sac said:

dave said:

They would likely refer you to their e-mail about the situation as posted above:  "because both the senders and recipients of this new round of phishing emails are outside of the Township's domain, our IT team is unable to address the issue any further."

In other words no physical computers owned by the township are involved, so there's nothing "to do" except alert people to be suspicious of e-mails that appear to come from the town's address.

Note that the actual email addresses of the senders of the emails I received were not town addresses.  They just had the name "Dean Dafis" accompanying them. We all need to be vigilant about this sort of thing.  (I get a lot of emails supposedly from PayPal with crazy non-PayPal addresses, for example.)  Of course, there are also ways to spoof the address as well.  Basically, I try to remember not to click any links or open any attachments on emails unless I am absolutely sure about the sender and legitimacy.

The emails I received were from a Town Hall employee whom I had corresponded with previously. It had their name and bogus email addresses. However, our previous email correspondence was part of the phishing emails.


yahooyahoo said:

The emails I received were from a Town Hall employee whom I had corresponded with previously. It had their name and bogus email addresses. However, our previous email correspondence was part of the phishing emails.

Same with me (one from the Township Clerk, one from a TC member). But they weren't actually from their email addresses. That's why I think the "hack" was to scoop up emails and then use the information in them to send the phishing emails.


I received the warning too late.  I didn't click on the link -- too savvy for that -- but because the email ostensibly came from the town, I didn't check the underlying email address that it came from.  So I replied to the town council member I thought the email came from, asking what the link was about.  When a 2nd phishing attempt arrived, I saw where it was coming from (a different address from the first).  The first email address isn't even a real website -- I checked it on WHOIS.  This may not be a heavy duty, ransomware-type hack, but it's a hack nonetheless, and a lot can be done with email addresses.  The hackers used an old email I had sent to the town to harvest my address as well.  


yahooyahoo said:

sac said:

dave said:

They would likely refer you to their e-mail about the situation as posted above:  "because both the senders and recipients of this new round of phishing emails are outside of the Township's domain, our IT team is unable to address the issue any further."

In other words no physical computers owned by the township are involved, so there's nothing "to do" except alert people to be suspicious of e-mails that appear to come from the town's address.

Note that the actual email addresses of the senders of the emails I received were not town addresses.  They just had the name "Dean Dafis" accompanying them. We all need to be vigilant about this sort of thing.  (I get a lot of emails supposedly from PayPal with crazy non-PayPal addresses, for example.)  Of course, there are also ways to spoof the address as well.  Basically, I try to remember not to click any links or open any attachments on emails unless I am absolutely sure about the sender and legitimacy.

The emails I received were from a Town Hall employee whom I had corresponded with previously. It had their name and bogus email addresses. However, our previous email correspondence was part of the phishing emails.

Yes, mine were like that also.


