This same thing happened to me on New Years Eve this year.
1. Hacker obtained access to my email password, and I did not have MFA on my email because it had been annoying me
2. Hacker set up an Outlook email alias to the hacker's account, which subsequently copied down the server's full contents of my email history.
3. Hacker set up blacklist items for all the popular sites like Facebook, Instagram etc. so that if I were to receive a "password reset link" from the hacker it would immediately confuse me as it lands in my deleted, spam or blacklisted folders.
4. Hacker initiated some sort of spamming algorithm to my email where I got welcome letters after being spam-signed up for 10,000s of online accounts from across the globe, all different countries.
5. The day came when I began receiving spam calls from 000 numbers, or unknown numbers, that proceeded for about 3 hours straight.
6. Password reset links began coming in to reset all my fun and valuable accounts.
7. Hacker accessed my credit union online portal (it's a common portal used across many US banks but rebranded for my bank), and transferred money ($425 or so) from my personal checking to my business checking where I had the BillPay feature enabled. The hacker then cut a check to an accomplice's address in Chicago.
I've worked in IT and IT security my whole life. Let my guard down 3 times.
1. I was getting annoyed having to MFA to my core email account, so I disabled it for some time. CORE MISTAKE. All of this would have been avoided had I not done this. I also removed it for Facebook, and had never had it set up for my bank.
2. I had been re-using an old, common and known compromised password for many logins that are valuable. BIG mistake. BUT it's one of those things, the path of least resistance is the least secure aha!
3. I just generally should have known better than to make mistakes 1 and 2 above. Complacency that was unwarranted and honestly dumb. I put my email address into my media center PC that hadn't been upgraded in years... that story below!!
The clock struck midnight, I had just finished installing the new Windows 12 OS on my Media Center PC because I was having audio issues with my home theater's atmos sound. I play all media via the Win 12 OS on a media server, so I decided to upgrade.
Windows 12 kept barking at me to put in a Microsoft email address to install the OS. I was super annoyed and it was about 10pm and I was getting tired. Instead of being smart, and googling around for a solution...I knew I could bypass this the last time, it seemed obvious but not this time!
Well, it's not obvious how to bypass the email requirement. You need to disable your internet and run some special command when installing the OS to get around it. I found this out after the fact.
I think this was how my email address hit the "wire". Either that or it was when I logged into my Outlook account on my media server. I never do that, never had done that, but for some reason that night, I did.
I went to bed, and sadly still couldn't figure out why my Dolby Atmos ceiling speakers weren't producing audio beyond the receiver's built-in test sounds.
About 3am the madness begins. I leave my phone on full volume, but downstairs so it's out of reach in case of emergency calls.
Ding.
Ding. Ding.
Ding. Ding. Ding. Ding. Ding. Ding. Ding. Ding. Ding. For at least 3 minutes. I wake up; it's like 3:03 am. I'm getting spam email sign-up welcome letters from across the globe. I wipe my eyes, and enter battle mode.
The whole fam was woken up by the incessant dinging.
I start looking through email logs on my phone, and realize mobile isn't gonna cut it. I lock into the home office by 3:05am. I'm on my Outlook desktop app on my biz PC. Fully locked and loaded. All security up. I unplug the network, take down the router... disconnect the coax. We are dark. I shut down my Media Center PC, and I unplug the 2 external drives that store my movie collection of over 12,000... I had heard the HDDs churning and that was odd; they idle ONLY if I am accessing the server with it on in front of me... there will be NO other HDD sounds unless I am physically there using it... something is accessing this thing... so I shut it down.
I start cleaning up emails and find the time the damage started. In the midst of the 1000s of emails I see some password reset emails coming in for my bank, UPS, USPS, FedEx, Roblox, PayPal, eBay, Steam, Epic Games and.... MICROSOFT. I've found the crumb, I've found the needle in the haystack.
I see a second subsequent email from Microsoft that says my email alias had been updated, and because it had been updated immediately after a password change they flagged it as suspicious and sent out the email telling me I should double check all security.
So, I use the password reset link (it's special, it's outside the regular reset links on the apps); it's the one that came in through my alias being changed, and this is key. HAD I not realized that my alias had been changed on the Outlook web app, and subsequently gone in and wiped out the email that the hacker had put into that field... they would have continually been copied on all of my SUBSEQUENT attempts to reset my own passwords, intercepting those attempts.
SO I clear out the alias, and now I take a breath. I can do further assessment and damage control. I know that the hacker no longer has access to my email, MFA is in place with a new non-compromised password, CHECK, and CHECK!
But Facebook, oh boy. So they get into that account, reset the password, and update the recovery phone number from my number to theirs. They then update the email on file for the account to the hacker email. That account is gone forever. Connected to my arborist business page, unrecoverable. FB support is horrendous.
The problem is, I had a linked Instagram account. They were able to compromise the Instagram account and since the two companies are all-mighty powerful Meta, and naturally like a dysfunctional family, getting one to resolve the other's hacked account problem is a lost cause. I created a new account with a new email address.
The hacker took control of my Instagram, spam posted all my connections... then violated Instagram rules, which disabled my Instagram, and subsequent Facebook, and subsequent Facebook business page. I wrote a letter to the California Attorney General and they said there was nothing they could do to help me recover a Meta account. Again, that account is lost. Don't ever expect the BIG companies to help.
It's New Year's Day PM now, and I'm on the phone with my bank's cyber security and fraud department explaining the whole cut check deal out of my business account. I tell them, never in the history of kgtest's banking has he ever transferred money from his PERSONAL over to BUSINESS.. I says, the money flows the other way, obviously. The business cashes the checks and ALL that money flows back into my personal account, AMERICAN DREAM BABY! They get it. The account was locked down, but now the payment is put to a stop after me explaining it all. Otherwise, the hacker would have been able to cash that check. I tried to USPS track the package's final destination address in the Chicago area, but I would need to know the exact zip code for UPS to reveal the address on the online tool and I didn't feel like cycling through every possible Chicago zip to discover where the check was headed. What was I gonna do, give the guy a knuckle sandwich after snagging a bus ticket to Chicago?? Cyber Security said 100% the address this check is going to, and the person responsible for attempting to cash it, IS ALSO a victim of a crime and being extorted.
At one point the Credit Union was demanding I have a trained tech scan and assess my computer hard drive before they would allow me back into my online account. That stance didn't last long. I literally DISKPART clean the server's HDD, scanned all the external drives and found no virus.
So where was the actual point of infliction?
And why did it happen at the exact moment it happened? Those questions bother me today. It's my belief that when I signed into the Windows 12 OS on New Years eve with my Outlook account, that triggered an algo that the virus kicked off notifying someone that my account was vulnerable. Then it was accessed and the "farm" took over.
There are literal encampments of enslaved workers spamming people everyday. There are 3 that are known but more keep popping up, and they move from third world country to third world country. Fascinating circumstance really. Dig into it a little. It's us vs them, folks.
If anyone is still following me, the damages were not too extreme. Cost me quite a bit of time recovering passwords. It happened right before a 12 day trip to Maui, so I had to deal with a little fall out while enjoying island time, meh.
I had a few declined transactions as bank accounts were getting re-issued. That cost me some fees. Most of those I was diligent to get removed, but I know I missed a couple (we run a 300k plus annual HH budget plus biz txn so there are a lot of moving parts; I believe I have over 28 accounts but I am not certain).
It cost me less than $100 but a lot of time. DW got upset with me in front of the neighbors which is out of character for us, over the whole ordeal...but I get it. She doesn't want our trust and position in life compromised and this was a little ding to the armor. None of her accounts were impacted...only things with my email address associated.
For anyone who read this far, make your passwords way more secure than you think they are today and use MFA where you need to use your phone to login. And NEVER lose your phone.
One other tip: had I not had the Outlook app on my PC, and only the web version or my mobile version... it would have been impossible to recover and clean up all the damage from the spam that came through.
All is well now! Still a millionaire
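The two tricks the post describes, a copy-to-attacker alias and rules that bury password-reset mail in Deleted/Junk, are the kind of thing a quick rule audit catches. The following is an added example, not the poster's code and not any Outlook API: it runs a check over a constructed rule export (the JSON layout and the owner's domain are assumptions) and flags rules worth reviewing.

```python
"""Audit mailbox rules for the two patterns from the post: forwarding/alias
copies to an outside address, and rules that hide account-recovery mail.
The export layout below is a constructed assumption, not a real Outlook format."""
import json

OWN_DOMAINS = {"example.com"}  # assumed: domains the mailbox owner controls
RECOVERY_KEYWORDS = ("password reset", "reset your password", "security code", "verify")
HIDING_FOLDERS = {"deleted items", "junk email", "spam", "blocked"}

# Constructed sample export: two hostile rules and two benign ones.
SAMPLE_RULES = json.dumps([
    {"name": "Copy all", "forward_to": ["attacker@evil-mail.example"],
     "move_to": None, "subject_contains": [], "from_contains": []},
    {"name": "Hide resets", "forward_to": [], "move_to": "Deleted Items",
     "subject_contains": ["password reset"], "from_contains": []},
    {"name": "Social to junk", "forward_to": [], "move_to": "Junk Email",
     "subject_contains": [], "from_contains": ["facebookmail", "instagram"]},
    {"name": "Work copy", "forward_to": ["me@example.com"],
     "move_to": None, "subject_contains": ["digest"], "from_contains": []},
])


def is_external(address: str) -> bool:
    """True when the address is outside the owner's domains."""
    return address.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS


def audit_rules(export_json: str) -> list:
    """Return (rule name, finding) pairs for rules a defender should review."""
    findings = []
    for rule in json.loads(export_json):
        for addr in rule.get("forward_to") or []:
            if is_external(addr):
                findings.append((rule["name"], f"forwards mail to external address {addr}"))
        folder = (rule.get("move_to") or "").lower()
        if folder not in HIDING_FOLDERS:
            continue
        subjects = [s.lower() for s in rule.get("subject_contains") or []]
        senders = [s.lower() for s in rule.get("from_contains") or []]
        # A rule that silently files reset mail, or mail from login providers, away.
        if any(k in s for s in subjects for k in RECOVERY_KEYWORDS) or senders:
            findings.append((rule["name"], f"hides account-recovery mail in '{rule['move_to']}'"))
    return findings


if __name__ == "__main__":
    for name, why in audit_rules(SAMPLE_RULES):
        print(f"REVIEW: rule '{name}' {why}")
```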