Mice as Malware

“Oh, no.”

What can you do when you first become aware of fraud or that your identity has been stolen?

Start with the steps below. If getting started by yourself is difficult, that’s okay. Going through this is hard.

Ask someone you trust to help you. Ask them to bring some snacks, too. This is going to take some time and it’s a good idea to settle in, get comfortable, and do it together in as chill a way as you can.

When you’re ready:

  1. First, notify your mobile carrier and let them know what’s happened. Verify with them that you have a security (port-out) PIN on your account. That PIN is what stops a criminal from moving your phone number to a SIM they control and intercepting the text-message codes your other accounts send you.
  2. Second, start with your primary email account(s) and change all your passwords to long, unique passphrases. Email goes first because password resets for almost everything else land in your inbox. It’s okay to write down complete info about each account as you go, including the link (URL) and login (username and new passphrase).
    1. It’s not okay to re-use the same passphrase. Each account needs its own single, unique passphrase. Otherwise you’ll be doing all of these steps over again real soon.
    2. Need help generating good passphrases? Use this handy tool –> https://www.useapassphrase.com/
    3. You can also use a password manager if you have one to generate your new, long passphrases and create a secured inventory of accounts as you go (but writing them down is fine if you don’t have one).
  3. SPECIAL NOTE ABOUT EMAIL ACCOUNTS: After you change the password on each email account, take a peek in the settings for any rules that may have been set up to filter or forward email. Criminals add these so they keep getting copies of your mail (and your password-reset links) after you lock them out. If anything looks suspicious remove it and don’t worry – you can’t break email by deleting inbox rules. While you’re in there, also check the recovery email address and phone number on the account and the list of connected apps and signed-in devices, and remove anything you don’t recognize. Made it this far? You’re making good progress – keep going!
  4. BEFORE YOU LOG OUT OF EACH ACCOUNT: after changing an old password to a new passphrase on an account, be sure to enable and set up 2-Factor Authentication (or 2FA or MFA) to make it harder for criminals to take control of your accounts easily again. Where the account offers a choice, an authenticator app or a security key is a stronger second factor than text-message codes, which go through the same phone number you just had to protect in step 1. Here are the steps for enabling it in Gmail, for example.
  5. Next, notify your health, automotive, homeowners, any kind of major insurance provider(s), credit card companies, banks, and any other critical services you rely on so everyone is riding the same wave about what’s happened to you and can help mitigate and reduce the overall damage criminals can do.
  6. Last, but not least, notify anyone potentially affected by the incident (personal and professional contacts) and explain what happened.
    1. Your transparency, even if overblown, helps educate others, builds trust, and helps make your entire orbit of people more security aware and less likely to fall for similar tricks in the future.
    2. Who knows? By sharing your story you may help prevent someone from becoming the next victim. My team are all prolly tired of hearing me say it: we all share the same fate. Sharing really is caring.
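Steps 2.1 through 2.3 above say “long, unique passphrase per account” without saying how long is long enough. The block below is an added example (not code from the original post, and not how useapassphrase.com or any password manager is implemented) that shows the two things that actually matter: words must be drawn with a cryptographically secure random source, and the strength of a passphrase is the number of words times log2 of the size of the list they came from. The 32-word list and the three account URLs are constructed for the example so it runs offline; a real generator should use a large published diceware-style list (thousands of words), and the code shows why that list size matters.

```python
"""Passphrase generation with an entropy check.

Added example, not from the original post or from useapassphrase.com.
Uses the standard-library `secrets` module (a CSPRNG) rather than `random`,
which is predictable and unsuitable for credentials.
"""
import math
import secrets

# Constructed 32-word list so the example runs offline. A real generator
# should draw from a large published diceware-style list; entropy per word is
# log2(list size), so a 32-word list gives only 5 bits per word while a
# 7776-word list gives about 12.9 bits per word.
WORDLIST = [
    "acorn", "badger", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "iguana", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "raven", "saffron", "thistle", "umber", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "anchor", "bramble", "cobalt", "drizzle", "echo", "fjord",
]


def bits_per_word(wordlist):
    """Entropy contributed by one uniformly chosen word, in bits."""
    return math.log2(len(wordlist))


def words_needed(wordlist, target_bits=80):
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(wordlist))


def passphrase_entropy(num_words, wordlist):
    """Entropy in bits of a passphrase of num_words uniformly chosen words."""
    return num_words * bits_per_word(wordlist)


def generate_passphrase(num_words, wordlist=WORDLIST, sep="-"):
    """Pick num_words words uniformly at random with a CSPRNG.

    Words may repeat (sampling with replacement); that is what makes the
    entropy calculation above exact rather than an upper bound.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def build_inventory(account_urls, target_bits=80, wordlist=WORDLIST):
    """Map each account URL to its own fresh passphrase.

    Mirrors step 2 of the post: one unique passphrase per account, recorded
    beside the URL it belongs to. Raises if two accounts ever get the same
    passphrase so reuse cannot slip in silently.
    """
    n = words_needed(wordlist, target_bits)
    inventory = {url: generate_passphrase(n, wordlist) for url in account_urls}
    if len(set(inventory.values())) != len(inventory):
        raise RuntimeError("duplicate passphrase generated; regenerate")
    return inventory


if __name__ == "__main__":
    # Constructed sample accounts, not real services.
    urls = ["https://mail.example.com", "https://bank.example.com",
            "https://insurance.example.com"]
    for url, pp in build_inventory(urls).items():
        print(f"{url:35} {pp}")
    n = words_needed(WORDLIST)
    print(f"{n} words from a {len(WORDLIST)}-word list = "
          f"{passphrase_entropy(n, WORDLIST):.1f} bits each")
```

With the toy 32-word list it takes 16 words to reach 80 bits; with a 7776-word list the same target needs 7. That is the whole argument for using a big list: the same strength in fewer words you have to type.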

[sigh] “I’m feeling better already.”

Let’s talk about the emotional impact of identity theft and fraud for just a moment. Let’s face it: cybercrime is just crime, and like regular, old crime it happens to almost everyone eventually. When identity theft happens to us it’s suddenly real, and it feels a lot like a home break-in. ID theft, fraud, crime of any kind is a violation. It interrupts everything.

One of the biggest casualties of experiencing these is our confidence in ourselves. There’s a grieving process. We feel like we’ve let ourselves down and everyone around us when we fall for tricks, whether it’s phishing or social engineering, and it takes some time to get past our feelings of incompetence.

Anything we can do to reclaim the sense of our best self (like following the steps above) is crucial after an incident that makes us feel bad. Leaving it unresolved leads to larger challenges so it’s important to follow-through on mitigation when this happens to us, but these are personal experiences and affect everyone in their own way.

If you fear your situation is more serious, I recommend a more serious set of protocols, such as completely wiping your devices, including mobile phones, laptops, and more. In some cases I have even recommended replacing the hardware altogether. Each is a case-by-case sort of thing. Have more concerns than that? Here’s more info and some language you’ll want to be familiar with if you ever need to ask for more help.

Mouse Problems as Incident Response (IR)

When an ID theft or fraud is bad, an Incident Response (IR) is necessary to assess and mitigate the damage quickly, prevent it from getting worse, and reduce the odds of it happening again easily. Incident Response (IR) is a formal information security discipline and service you can engage when an ID theft or other fraud/crime is serious enough to warrant it.

What is IR or Incident Response? It’s helpful to think of IR in terms of a “mouse problem” – as an analogy for criminals. Like criminals, mice get into places. Occasionally it’s no big deal but often enough they cause damage. Hiring an IR team for guided recovery from ID theft/fraud is like hiring an exterminator to get rid of your mouse problem except, instead of mice, Incident Responders remove (cyber)criminals from your accounts and/or devices.

Call it a “Threat Hunt.” First, the exterminators want to figure out how the mice (threat) got into your oven, for example, remove them, and then figure out a way to prevent them from getting back into your oven so easily.

Keep in mind the exterminators are going to focus on the mice in your oven. They may or may not notice traces of other pests (signs of other threats) or discover something else nasty (malware, etc.) embedded somewhere (the carpenter ants in your attic or the mold in your basement walls).

Why? Why can’t an IR team just “find everything”? Because of time. IR discovery and mitigation services are paid for up-front for just a few hours at-a-time, otherwise such services wouldn’t be affordable. To make the most of your time and resources, IR teams focus on specific incidents and compromises, one-at-a-time. It takes time to deal with each type and that’s just not negotiable.

Hunts vs. Assessments

So far, we’ve talked about how IR is a targeted Threat Hunt, seeking a particular type of problem, like mice in the oven. A Threat Hunt can take a few hours, a few days, or longer, depending on what’s involved.

The other type of discipline/service that’s important to know about is called a Threat Assessment. It goes deeper, seeking mold, mice, ants, wasps, and/or other critters (so to speak) and potential threats everywhere, across your accounts and technology (your whole house vs. just the oven). Covering that much ground means a Threat Assessment requires more time, more resources, and more expertise than a Threat Hunt. Assessments offer something precious, though: greater peace of mind, especially when done proactively, before an ID theft or fraud occurs.

Threat Assessments are designed to help you raise the cost for criminals, which encourages them to find easier targets, lowering your odds of having to deal with ID theft and fraud in the first place.

Hope this is helpful to someone when they need it. Have questions? Here to help so get in touch!