Phishing emails claiming to contain statements from local officials have targeted various institutions in Poplar Bluff. City Manager Matt Winters said Police Chief Mike McClain’s email was compromised by the attack.
He noted this was the extent of the infiltration of the city’s computers at this time. The city is working with James Ramsey of Todays Computers to stem the threat.
Ramsey explained the attacks are coming from a range of IP addresses registered in North Carolina. However, the company that manages those addresses is headquartered in Romania.
Ramsey suspects the attackers are using a virtual private network (VPN) so that foreign hackers can get past common security features: they log into the VPN and send from a U.S. address, which circumvents the city's block on emails with attachments that originate outside the U.S.
At that point the attackers can carry out an adversary-in-the-middle (AiTM) attack. A fake attachment leads to a login page the attackers control, which passes the victim's credentials through to the real Microsoft sign-in while the attackers sit in between.
“These people are very good at making a fraudulent email look legitimate,” he cautioned.
Once users enter their information, Ramsey warned, the hackers can capture the multi-factor authentication (MFA) token and register their own.
Microsoft's security features had previously been able to defend against phishing attacks that target MFA tokens, but the hacker who developed the AiTM method is now selling instructions online to other cybercriminals on how to exploit its weaknesses.
“Most of these hackers are out there to wreak havoc,” Ramsey remarked.
He said the individuals are not necessarily after specific information but want bragging rights over how many accounts they can compromise. Once the attacker gains access to an account, it is used to send thousands of emails, spreading the attack to everyone the user has emailed in the past.
Ramsey said one affected customer’s account sent 2,600 emails in a matter of minutes. If those receiving the message fall for the email as well, the problem multiplies.
“It’s a snowball effect,” Ramsey commented.
Adding another level of sophistication, the attacker creates a new email rule that sends replies to the compromised message to a hidden folder, so the victim never sees recipients asking whether the message was genuine. To regain ownership of an affected Microsoft account and remove the hacker's access, all passwords and security settings need to be reset, the attacker's rules removed and active sessions signed out.
For the city's computer systems, he blocked the range of suspect North Carolina IP addresses, though that will only stop this particular group of virtual machines; the attackers can move to another VPN exit. Ramsey emphasized the best defense is awareness.
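The hidden inbox rule and the IP range ban described above are both things a mail administrator can check for after the fact. The following is an added example, not the city's or Todays Computers' tooling, that triages Microsoft 365 Unified Audit Log rule-creation records for the signs described: rules that move mail to a folder the owner rarely opens, delete or forward it, carry a throwaway name, or were created from a blocked address range. The record layout follows the audit log's Exchange admin events (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs); the records, user names, folder names and the blocked range are constructed for the example.

```python
"""Flag inbox rules that hide or divert mail, using Microsoft 365 audit records.

Added example: the record shape mirrors Unified Audit Log Exchange admin
events, but every record, address and mailbox below is constructed.
"""
import ipaddress
import json

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Folders attackers route replies to so the mailbox owner never sees them.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                  "junk email", "archive", "conversation history"}

# Rule actions that send mail off the mailbox or delete it outright.
DIVERT_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}

# Hypothetical: the range the city blocked at its perimeter (TEST-NET-2).
BLOCKED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed audit records: a malicious rule, a benign rule, a malicious
# rule edit, and an unrelated sign-in event that must be ignored.
SAMPLE_LOG = [
    r'{"CreationTime":"2023-04-03T14:02:11","Operation":"New-InboxRule","UserId":"chief@example.gov","ClientIP":"198.51.100.23:52114","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;statement;password"},{"Name":"MoveToFolder","Value":"chief@example.gov:\\RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}',
    r'{"CreationTime":"2023-04-03T15:30:40","Operation":"New-InboxRule","UserId":"pio@example.gov","ClientIP":"203.0.113.5","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@example.com"},{"Name":"MoveToFolder","Value":"pio@example.gov:\\Newsletters"}]}',
    r'{"CreationTime":"2023-04-03T16:11:05","Operation":"Set-InboxRule","UserId":"clerk@example.gov","ClientIP":"198.51.100.77","Parameters":[{"Name":"Identity","Value":"clerk@example.gov\\Receipts"},{"Name":"SubjectContainsWords","Value":"hacked;phishing;compromised"},{"Name":"DeleteMessage","Value":"True"}]}',
    r'{"CreationTime":"2023-04-03T16:12:00","Operation":"UserLoggedIn","UserId":"clerk@example.gov","ClientIP":"198.51.100.77"}',
]


def load(lines):
    """Parse one JSON audit record per line."""
    return [json.loads(line) for line in lines]


def params(record):
    """Collapse the Name/Value list into a plain dict of rule parameters."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def folder_name(value):
    """'user@x:\\RSS Subscriptions' -> 'rss subscriptions'."""
    return value.rsplit("\\", 1)[-1].strip().lower()


def client_ip(raw):
    """Accept 'a.b.c.d', 'a.b.c.d:port' or '[v6]:port'; return an address or None."""
    for candidate in (raw, raw.rsplit(":", 1)[0].strip("[]")):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def rule_reasons(record, blocked=BLOCKED_RANGES):
    """Return why a rule record looks like post-compromise persistence ([] if clean)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = params(record)
    reasons = []
    if "MoveToFolder" in p and folder_name(p["MoveToFolder"]) in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to hidden folder '{folder_name(p['MoveToFolder'])}'")
    for action in sorted(DIVERT_ACTIONS & p.keys()):
        if str(p[action]).lower() not in ("", "false"):
            reasons.append(f"{action}={p[action]}")
    # Marking diverted mail as read only matters when something is being diverted.
    if reasons and str(p.get("MarkAsRead", "")).lower() == "true":
        reasons.append("marks diverted mail as read")
    # Attackers often give the rule a throwaway name such as '.' or ' '.
    if "Name" in p and not p["Name"].strip(". "):
        reasons.append("rule has a blank or dot-only name")
    addr = client_ip(record.get("ClientIP", ""))
    if addr is not None and any(addr in net for net in blocked):
        reasons.append(f"created from blocked range ({addr})")
    return reasons


def scan(records, blocked=BLOCKED_RANGES):
    """Return one finding per suspicious rule record, in log order."""
    findings = []
    for rec in records:
        reasons = rule_reasons(rec, blocked)
        if reasons:
            findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                             "rule": params(rec).get("Name") or params(rec).get("Identity"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(load(SAMPLE_LOG)):
        print(f"{f['time']} {f['user']} rule={f['rule']!r}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against a real export (for example the output of Search-UnifiedAuditLog saved one JSON record per line) by replacing SAMPLE_LOG; the benign newsletter rule is left alone while the dot-named rule that shunts "invoice" and "password" mail into RSS Subscriptions is reported with every matching reason, which is exactly the follow-up check to make after the password and MFA reset.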
“It’s all about cyber security awareness training,” he added.
Ramsey implored users to be cautious when receiving an unexpected attachment, even from a known address.
“You have to be sure,” he said, “If there is any doubt, call.”
Ramsey also advised users to set up multi-factor authentication if they have not done so already. While this round of attacks focused on Microsoft accounts, he recommended that all users remain vigilant.