Urgent: 23rd April 2017 Security Notification from E2E Networks

Do NOT click

Image of the phishing email, with its malicious link, to help you recognise the threat.

One of our salespersons' Google Apps (Gmail) account password was compromised, and some of the email addresses in his address book may have received a phishing email signed with the e2enetworks.com DKIM keys. Because the mail was sent from the real account, it carried a valid DKIM signature and so looked legitimate to mail filters and recipients. The account has since been recovered. We apologise for the inconvenience if you received an email resembling the image in this post. The email pretends to share a file through a site that looks like Google Drive but asks for your Gmail password before the download. If you clicked the link and entered your password at the phishing site, change your email password immediately to stop your account being misused in turn to send further DKIM-signed phishing emails to your own contacts.

How did this come about in the first place?

At around 1 AM on 23rd April 2017, our salesperson received an email similar to the one in the image from one of his prospects. He tried to download the file it offered from an attack site that demanded his password, and on his mobile browser he did not check the authenticity of the URL he was downloading from (mobile browsers show little of the address bar, which makes that check easy to skip). Once the account was compromised, it was immediately used to send similar emails to the contacts in his address book.

Actions taken so far by the E2E Networks team:

As soon as one of these contacts notified us that they had received such an email from our domain, we notified all of our customer technical contacts and followed up with an URGENT disclosure notification to every email address in the address book of the salesperson whose Google Apps password was compromised. We also posted similar notifications on our official Twitter and Facebook pages.

All these notifications were completed by 2:30 AM on 23rd April 2017.

What can you do to protect against this type of attack?

The following measures should help protect your email users against this type of attack.

Encourage your email users to enable 2-factor authentication (2FA), preferably with an authenticator app or security key rather than SMS.

Educate your users to be wary of links that ask them to re-authenticate by re-entering their password, and to check the full URL in the address bar before typing a password anywhere.

Disable access for less secure apps (insecure app access) on Google Apps accounts.

Set up periodic human review of the audit logs for your email accounts to catch suspicious activity, such as logins from unfamiliar addresses or at unusual hours.
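As an added illustration of the last item (example code written for this page, not E2E Networks' tooling), the script below scans login audit records for the pattern in this incident: a successful login from an IP address and country absent from the user's recent baseline, outside office hours. The record layout loosely follows the login activity records of the Google Admin SDK Reports API, but the field names, the user address, the IP-to-country table and every sample record are constructed for the example, and the assumption that office hours are 08:00 to 20:00 IST is ours.

```python
"""Login-audit triage for the pattern seen in this incident (example code
added for this page, not E2E Networks' tooling).  The record layout loosely
follows Google Admin SDK Reports API login activity; the field names, the
user address, the geo table and every sample record are CONSTRUCTED."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the organisation works in IST, roughly 08:00-20:00.
IST = timezone(timedelta(hours=5, minutes=30))
OFFICE_START, OFFICE_END = 8, 20

# Constructed stand-in for a GeoIP database: only the office ranges are known.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "IN",
    ipaddress.ip_network("192.0.2.0/24"): "IN",
}


def geo_lookup(ip):
    """Return the country for an IP, or 'unknown' if it is in no known range."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return "unknown"


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: a normal week of office-hours logins, then the review
# day, which ends with an off-hours login from an unfamiliar address.
SAMPLE_EVENTS = [
    {"time": "2017-04-17T04:05:00Z", "actor": "salesperson@example.com", "ip": "203.0.113.10", "name": "login_success"},
    {"time": "2017-04-18T04:12:00Z", "actor": "salesperson@example.com", "ip": "203.0.113.10", "name": "login_success"},
    {"time": "2017-04-19T03:58:00Z", "actor": "salesperson@example.com", "ip": "203.0.113.25", "name": "login_success"},
    {"time": "2017-04-20T04:20:00Z", "actor": "salesperson@example.com", "ip": "203.0.113.10", "name": "login_success"},
    {"time": "2017-04-21T04:00:00Z", "actor": "salesperson@example.com", "ip": "203.0.113.10", "name": "login_success"},
    {"time": "2017-04-22T05:00:00Z", "actor": "salesperson@example.com", "ip": "203.0.113.10", "name": "login_success"},
    {"time": "2017-04-22T16:30:00Z", "actor": "salesperson@example.com", "ip": "203.0.113.25", "name": "login_success"},
    {"time": "2017-04-22T19:33:00Z", "actor": "salesperson@example.com", "ip": "198.51.100.77", "name": "login_failure"},
    {"time": "2017-04-22T19:35:00Z", "actor": "salesperson@example.com", "ip": "198.51.100.77", "name": "login_success"},
]
CUTOFF = parse_time("2017-04-22T00:00:00Z")  # the baseline is everything before this


def build_baseline(events, cutoff):
    """Per-user sets of IPs and countries seen in successful logins before cutoff."""
    baseline = defaultdict(lambda: {"ips": set(), "countries": set()})
    for ev in events:
        if ev["name"] != "login_success" or parse_time(ev["time"]) >= cutoff:
            continue
        entry = baseline[ev["actor"]]
        entry["ips"].add(ev["ip"])
        entry["countries"].add(geo_lookup(ev["ip"]))
    return baseline


def is_off_hours(when):
    """True if the login happened outside office hours in the office time zone."""
    local_hour = when.astimezone(IST).hour
    return not (OFFICE_START <= local_hour < OFFICE_END)


def find_suspicious_logins(events, cutoff):
    """Flag successful logins after cutoff that deviate from the user's baseline.

    Each finding lists its reasons; more reasons means higher priority."""
    baseline = build_baseline(events, cutoff)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = parse_time(ev["time"])
        if ev["name"] != "login_success" or when < cutoff:
            continue
        reasons = []
        known = baseline.get(ev["actor"])  # .get does not create a default entry
        country = geo_lookup(ev["ip"])
        if known is None:
            reasons.append("no login history for this user")
        else:
            if ev["ip"] not in known["ips"]:
                reasons.append(f"new IP {ev['ip']}")
            if country not in known["countries"]:
                reasons.append(f"new country {country}")
        if is_off_hours(when):
            reasons.append(f"off-hours login at {when.astimezone(IST):%H:%M} IST")
        if reasons:
            findings.append({"actor": ev["actor"], "time": ev["time"],
                             "ip": ev["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_EVENTS, CUTOFF):
        print(finding["time"], finding["actor"], finding["ip"], "; ".join(finding["reasons"]))
```

In practice the baseline would be built from the previous weeks of exported logs and the script run on a schedule, with each finding handed to a person for review. The off-hours rule on its own is noisy (the 22:00 IST login from a known office address here is probably legitimate), so rank findings by the number of reasons: the 01:05 IST login from an address and country never seen before is the one that should have been looked at first.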

What else are we doing about it?

Notifying CERT-IN and the owners of the IP ranges from which the attack originated after the password was compromised.