What to do when your business email is hacked
Real life impact of an Email Hack on your business.
Weird emails from clients… Tons of ‘Undeliverable’ messages… Server overload… Blacklists.
Your email domain has been compromised, and digging out of that hole is a long road. What impact does it have across the many levels of your organization, and, more importantly, how do you fix it? In this article we walk through a recent email breach and the recovery work it took to dig out of a relentless attack.
How does email get hacked?
While sophisticated, targeted attacks exist in the wild, email is usually compromised through networks and systems that are unpatched, poorly protected, and governed by weak password policies. An 8-character password with a capital letter and a special character is not a meaningful barrier: GPU-based cracking tools exhaust the entire 8-character keyspace in hours for fast hashes such as NTLM, and most account takeovers never involve brute force at all, because a password reused from an earlier breach or typed into a phishing page works on the first try. Password policies can be ridiculously annoying, but simply put, most offices are not doing well enough at them, and it is costing them.
Hacked email accounts have real value to attackers. What they look for are messages relating to financial transactions, such as correspondence from solicitors on conveyancing or mail about financial investments. They then impersonate the legitimate owner of the account with the aim of stealing money, typically by directing a counterparty to pay into a bank account the attacker controls, often one opened in the victim's name.
How do you know your email has been hacked?
Like a medical mystery, it could be any one, none, or a combination of these symptoms:
- The most obvious sign: your domain or IP address is listed on one or more of the hundred-plus industry blacklists
- Your password no longer works
- You are receiving unexpected replies from contacts about money matters you never raised
- Contacts are receiving spam from you, or no messages from you at all
- You are receiving error messages back from legitimate mail you send to contacts
- Large numbers of bounced ("Undeliverable") messages
It’s typically obvious when email servers go south, but there are steps you can take to recover from an email hack.
Help me! What do I do when my email has been hacked?!
Good news: there are people who not only remediate email hacks but can keep them from happening again. That matters, because ending up on a spam blacklist has consequences. Even when you take the proper steps to delist your domain, most lists impose a minimum wait, and that minimum grows if you get listed again. So let's get this right the first time.
As GI Joe taught us, "Knowing is half the battle." In our real-world scenario the domain itself was never listed on a blacklist, despite clear signs of compromise. But over the following days more and more undeliverable messages came back, and more and more dollars were lost to downtime. CEO, VP, office admin, sales, you name it: every employee is affected by an email hack, and the productivity loss alone runs into the thousands for even a small office. We eventually found the office's public IP address on four different blacklists, along with an email connector problem that took the Office 365 engineers at AppRiver to resolve.
Some blacklists let you delist yourself; most require a manual removal request. Before you make that request, make sure you follow these very important steps:
- Contact a professional who is comfortable helping your business fight its way out of this hostile environment. If you don't have experience resolving an email hack, don't try to Google your way out of it. Hire a pro. Yes, you, reading this: call us. (888) 838-0101
- We start by getting a baseline of your current IT environment to gauge the breadth of the attack, then build an action plan for remediation. In our case study, the ISP (Comcast) had no logging at all, let alone spam or DNS filtering. While their Office 365 offering isn't as watered down as GoDaddy's, it still left a lot to be desired for an administrator.
- Search your domain and your IP addresses for blacklist entries on MXToolbox and What Is My IP. For our sample client the domain never appeared on any domain blacklist at MXToolbox; only after further problems and persistent bounce messages did it turn out that the office's public IP address was the listed item. Check every public IP address your mail can leave from: the office's internet egress address, any server or device (copier, NVR) that has its own static public IP, and the home and mobile connections of remote laptops and phones. Private LAN addresses are never what a blacklist sees, so don't spend time on those. This is a pain in the neck and time-consuming, but it is a vital part of covering all your bases.
- Once you know the breadth of the problem, you can begin getting your domain or IP removed from the various blacklists; in our case that meant SORBS, Barracuda, RATS-Dyna and DNSBL.
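The blacklist search above can be scripted rather than done by hand. The following is an added example, not code from the original post or from any of the services it names: it performs the standard DNSBL lookup (reverse the octets of the IPv4 address, append the list's zone, resolve the name; an answer in 127.0.0.0/8 means listed) and skips non-public addresses, since a blacklist only ever sees the public address mail leaves from. The zone names are assumed for illustration and the `FAKE_DNS` table is constructed sample data; the `system_resolver` path does real lookups.

```python
"""Look up public IP addresses on DNS-based blacklists (DNSBLs).

A DNSBL is queried like reverse DNS: reverse the octets of the IPv4
address, append the list's zone, and resolve the resulting name as an
A record.  An answer inside 127.0.0.0/8 means "listed"; NXDOMAIN means
"not listed".  The resolver is injected so the logic can run offline.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, Iterable, Optional

# Zones assumed for illustration; confirm current zone names and terms of
# use with each list operator before querying in volume.
DEFAULT_ZONES = (
    "zen.spamhaus.org",
    "dnsbl.sorbs.net",
    "b.barracudacentral.org",
    "dyna.spamrats.com",
)

# Some lists (Spamhaus among them) answer in 127.255.255.0/24 to signal an
# error, e.g. "query came from an open resolver", rather than a listing.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

Resolver = Callable[[str], Optional[str]]

# Constructed sample answers so the example runs offline.
FAKE_DNS = {
    "4.3.2.1.zen.spamhaus.org": "127.0.0.2",       # listed
    "4.3.2.1.dnsbl.sorbs.net": "127.255.255.254",  # lookup error, not a listing
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for DNS: returns the constructed answer or None."""
    return FAKE_DNS.get(name)


def system_resolver(name: str) -> Optional[str]:
    """Resolve an A record with the OS resolver; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name to resolve: reversed octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_ip(ip: str, zones: Iterable[str] = DEFAULT_ZONES,
             resolver: Resolver = system_resolver) -> Optional[Dict[str, str]]:
    """Return {zone: answer} for every list the IP appears on.

    Returns None for addresses that cannot be on a blacklist at all
    (private, loopback, link-local, reserved): blacklists only see the
    public address your mail leaves from, never a copier's LAN address.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    if not addr.is_global:
        return None
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        code = ipaddress.ip_address(answer)
        if code in ERROR_RANGE:
            continue  # the list refused or mis-parsed the query
        if code in LISTED_RANGE:
            hits[zone] = answer
    return hits


def scan(ips: Iterable[str], zones: Iterable[str] = DEFAULT_ZONES,
         resolver: Resolver = system_resolver) -> Dict[str, Optional[Dict[str, str]]]:
    """Check every address and return a per-IP report."""
    return {ip: check_ip(ip, zones, resolver) for ip in ips}


if __name__ == "__main__":
    # Usage: python dnsbl_check.py <public-ip> [<public-ip> ...]
    for ip, hits in scan(sys.argv[1:]).items():
        if hits is None:
            print(f"{ip}: not a public address, skipped")
        elif hits:
            print(f"{ip}: LISTED on " + ", ".join(f"{z} ({a})" for z, a in hits.items()))
        else:
            print(f"{ip}: clean")
```

Run it against the office egress address and every other public address you collected; a non-empty result for a zone is the one to follow up with that list's delisting form. Query from your own resolver rather than a public one, because several lists return an error code instead of an answer when they see an open resolver, and the script deliberately does not count those as listings.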
Besides just asking, most blacklists want evidence that the problem won't repeat itself, so you'll need to change how you manage your IT.
- Back. Everything. Up. Not just files and folders: take full image backups of servers and workstations. Better still, talk to a professional about a unified backup solution with tight RPO and RTO objectives.
- Change every single password, and update and patch every server, workstation and laptop (not just Microsoft updates but every piece of software and hardware): Windows, Adobe, Apple, firewall, modem, router, access points. Don't forget the firmware. Change the passwords from a machine you have already cleaned, and sign out existing sessions so the stolen credentials stop working.
- Reevaluate your security. Do you have a hardware firewall? Is it properly configured? Do you have reputable anti-virus and anti-malware software? Does it work proactively, and scan and remove on a schedule?
- Remove any browser helper objects that open doors past your gatekeeping software.
- Check all DNS records for your mail server: the MX records, and the TXT records that carry SPF, DKIM and DMARC. An SPF record that ends in +all or ?all, or a DMARC policy of p=none, leaves your domain open to spoofing even after the compromised machines are cleaned.
- In extreme cases you may need a new IP address, which can mean changing ISPs. Ask your current ISP first, since some will reassign a static IP on request; either way, a new address only stays clean if the compromised machines were fixed before it goes live. This is challenging, but effective for a business.
- Last but not least, if any portion of this doesn't make sense to you, go back to step 1.
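For the DNS-record step, the records are plain text and the weak settings are easy to spot mechanically. The following is an added example, not code from the original post or from any mail provider: it audits an SPF record (deprecated `ptr`, a permissive `+all`/`?all`, a missing `all`, and the RFC 7208 limit of ten DNS-lookup terms) and a DMARC record (`p=none`, missing `rua`, partial `pct`). The sample records are constructed and the domain names in them are placeholders; fetch your own with `dig +short TXT yourdomain` and `dig +short TXT _dmarc.yourdomain`.

```python
"""Audit a domain's SPF and DMARC TXT records for weak settings.

Pure text checks, so they run offline.  Fetch the live records with
`dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`
and pass the strings in (surrounding quotes are stripped).
"""
from typing import Dict, List, Tuple

# RFC 7208 section 4.6.4: at most 10 of these per evaluation, else permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = "+-~?"


def parse_spf(record: str) -> List[str]:
    """Split an SPF record into its terms; reject anything that is not spf1."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: " + record)
    return terms[1:]


def _name_and_qualifier(term: str) -> Tuple[str, str]:
    """'~include:x.example' -> ('include', '~'); 'a/24' -> ('a', '+')."""
    qualifier = term[0] if term[0] in QUALIFIERS else "+"
    body = term[1:] if term[0] in QUALIFIERS else term
    name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
    return name, qualifier


def audit_spf(record: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing weak found."""
    findings: List[str] = []
    lookups = 0
    has_all = has_redirect = False
    for term in parse_spf(record):
        name, qualifier = _name_and_qualifier(term)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism: deprecated by RFC 7208, slow and unreliable")
        if name == "redirect":
            has_redirect = True
        if name == "all":
            has_all = True
            if qualifier in "+?":
                findings.append(f"'{term}' lets any host on the internet send as your domain")
    if not has_all and not has_redirect:
        findings.append("no 'all' term: senders not listed get a neutral result instead of failing")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (receivers return permerror)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: " + record)
    return tags


def audit_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC record; empty means nothing weak found."""
    tags = parse_dmarc(record)
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: the record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail that fails SPF/DKIM is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports and cannot see who is spoofing you")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return findings


# Constructed sample records; the domains are placeholders, not real data.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com a mx ptr ?all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, rec, audit in (("SPF", WEAK_SPF, audit_spf), ("DMARC", WEAK_DMARC, audit_dmarc)):
        print(f"{label}: {rec}")
        for finding in audit(rec):
            print("  -", finding)
```

The strong records produce no findings; the weak ones list exactly what a blacklist operator or a receiving mail server will hold against you. Note that a clean SPF record does not by itself prove that mail is authenticated: DKIM signing must be enabled at the provider and the selector's public key published, which a text audit of the SPF string cannot see.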
None of these steps is optional. If your domain or IP is removed from a blacklist and then listed again, the minimum wait before the next delisting gets much longer.
There is typically a grim realization after an attack that, despite caring deeply about your technology wellbeing, your office simply doesn't have the expertise or resources to properly secure the business from malicious attacks. In a world where dentist offices are hiring CIOs, should we really expect our office administrators to secure our digital world single-handedly?
We are not advising every small business to open a job requisition for a CIO, or even an IT tech or engineer. But we do advise considering the benefits of a Managed Services Provider (MSP) and how their teams can secure your IT environment from the bad guys of the world.
The bottom line? You should be focusing on making money for your business, not fixing IT issues. Click here to let us know how we can help.