March 9, 2018
Hacked accounts are a big problem for all organizations. Here at the University of Guelph, the Information Security team deals with hundreds of compromised accounts every year. Accounts are typically exposed through phishing email or bad password habits - the use of weak passwords, sharing passwords, or reusing passwords with other online services. Compromised accounts represent a very serious security risk and can be quite disruptive for the campus community, the owner of the hacked account, and for external organizations since these accounts are often used to spread more phishing campaigns and malware to others.
In a recent incident here at the University of Guelph, an email message was sent to a large number of campus mailboxes which appeared to be from President Vaccarino. This message actually came from a series of compromised accounts at another Canadian University. The message was successful in tricking some users into providing their U of G account credentials. In less than 24 hours, those compromised accounts where then used to send a similar phishing messages to another Canadian University, and were also used to send phishing messages claiming to be from a Canadian Bank looking for account information. (More information on this incident can be found in our blog post here [1])
Telltale Signs Your Account Has Been Hacked
Attackers typically follow the same patterns, use the same tricks, will attempt to cover their tracks, destroy evidence of their presence, and evade detection for as long as possible. Here are some of the things to look for if you suspect that your account has been compromised.
- Email forwarding is enabled - Once an email account is compromised, one of the most common things the attacker will do is to forward all mail to another email address controlled by the attacker. This helps ensure that they can impersonate you and keep you from seeing the malicious things they are doing for a long period of time.
- Suspicious sign-in alerts - Many online services provide alerts when your account is accessed from a new device or browser. If you see any notices that aren't related to your own activity, report it immediately.
- Messages marked as Read that you didn't read - This is a good indication that someone else is accessing your mailbox.
- Sent items you didn't send- Another clear sign that another person is accessing your mailbox.
- Delivery failure messages - Typically compromised accounts will be used to send out more phishing email. As a result you may find delivery failure messages or other automated replies in your Inbox.
Protect Yourself
- Know how to recognize a phishing message and react accordingly - This is probably one of the most important skills that everyone should have. If you are not sure how to spot a phishing message, check out this blog post [2] to brush up on your skills.
- Use strong passwords - Using strong passwords will help protect your accounts from brute force attacks. Need help choosing a strong password? Check out this blog post [3].
- Use unique passwords - Use a unique password for each of your online accounts. That way if one account gets compromised it doesn't impact your entire online life.
- Never share your account information - Your bank and the University will never ask you for your password, so don't give it out to anyone!
- Use multi-factor authentication for all services that offer it - Google, Facebook, Instagram, Twitter, Apple, Microsoft, LinkedIn, Snapchat, PayPal, and many other popular online services offer two-step or multi-factor authentication. Using this security functionality will greatly reduce the risk of your account being hijacked. Need more information on how to set this up? Check out our blog post [4]!
The Information Security team has a number of detection mechanisms constantly scanning for compromised accounts. If you suspect there is an issue with your account, please contact the CCS Help Centre (519-824-4120 x. 58888). The Help Centre staff will be happy to work with you to verify the integrity of your account or answer any questions you might have.
Written by: Stephen Willem (Manager, CCS Information Security)