Friday, July 10, 2020

The Great Toilet Paper Cyber Hack of 2020: Part 1

A friend of mine told me this story about how his computer was hacked in his search for toilet paper. This occurred in late March 2020 - when toilet paper was non-existent in stores across the nation. My friend “Hal” (not his real name) told me that he found some Charmin Ultra Soft toilet paper available for purchase online. He did some price comparison and found it to be a fair price - not gouging and not cheap, but reasonably priced. There was nothing unusual to indicate that it might not be authentic, so he ordered it. He was expecting a package of 60 Mega rolls, which should last a while.

Within a day his credit card company informed him that he had attempted to make a purchase from a company in China - it was the toilet paper purchase! Hal authorized it, figuring that is probably where Charmin is made or that it might simply be the only company or warehouse where Charmin was still in existence. And realizing at that point, that the Charmin was coming from China, Hal prepared to wait for his toilet paper. Note: Being the good friend that I was, at this point, I brought him a package of toilet paper!

A couple of weeks later, Hal was out shopping - probably for toilet paper - and kept receiving unrequested second-factor access codes from his bank and retirement account providers. That was a clear tip-off that someone was attempting to access those accounts. He came home to discover some very unusual activity had occurred on his computer while he was out. He noticed that several browser sessions were open using a browser that he didn’t typically use, and that these browser windows were logged into a few of his accounts! He immediately took the computer to his local computer center to have it reloaded; they confirmed that malware was present on the system.

Over the next several weeks, Hal worked with his credit card company, Amazon, and PayPal to have fraudulent charges reversed, and with his bank and retirement account providers to change account information and reset credentials. Additionally, he changed all the passwords saved in his browser and implemented two-factor authentication on all of his accounts. The total charges to be reversed were in excess of $1,000 and this consumed almost two full weeks of Hal’s time! Fortunately, the world had recently gone into quarantine-lockdown, so Hal didn’t have a lot of other things to do.

Adding to the time, delay, and frustration was the fact that most merchant and bank employees had become remote and were not immediately reachable by phone. Almost all of these inquiries and transactions had to be done by email, with return calls by phone, adding hours and days of delay.

Sometime during account cleanup, the long-awaited toilet paper arrived! It came in a box about the size of a shoebox. 60 Mega rolls of toilet paper fit in a box the size of a shoebox!!! So much for lasting a while! So Hal taped the package back together and sent it back to whence it came!

Hal realized that his computer hack and the fraudulent “Charmin” toilet paper from China were related, and he’s confident that when he visited the site to order the toilet paper - or when he returned to check the status of his order - he also received malware. What is interesting is that a few weeks had elapsed from when Hal ordered the toilet paper and when the attacker became noticeably active on Hal’s computer.

Digging A Bit Deeper

When I asked Hal how he came upon this site from which he ordered the toilet paper he said that he saw an advertisement on social media. Ah-ha! One lesson learned: never click on advertisements you see on social media sites. Always shop from known and reputable sources. A typical indicator of fraud is that the item is priced significantly lower than its alternatives. In other words, if the price seems too good to be true, be wary. In this case, 
that particular warning flag was not present.

But this issue nagged at me for several weeks as I thought about how the attacker used a completely separate browser on Hal’s computer, a browser that Hal does not use, to access Hal’s accounts. So I reached back out to Hal and asked a few more questions…

Of course, all my questions would have been easily answered if we could have obtained a forensic examination of Hal’s computer. But Hal had already dropped it off at the computer center and his computer had been reloaded before he told me about the issue.

I determined two potential scenarios in which access to Hal’s accounts may have occurred... 

Scenario #1: Keylogger

The attacker may have installed keylogger software on Hal’s computer and simply captured passwords when he logged in to his accounts. This could certainly explain why there were a few weeks of dormancy before the attacker became active - he had to wait for Hal to log in to collect account credentials.

But Hal told me that he typically saves his password in his browser, and uses those saved credentials when accessing his accounts so he doesn’t have to remember the password. So while a keylogger may have been installed, it wasn’t likely the source of the password collection.

Scenario #2: Browser Password Extraction

A scenario started to form in my mind that somehow Hal’s passwords were extracted from the browser he typically uses. I could see this in a physical scenario in which I might be logged in to my computer with my preferred browser open, and then walk away without locking my computer. Someone (officemate or housemate) could potentially get on my machine, navigate to Amazon, and log in as me since the credentials would be automatically populated by my browser (assuming I had them saved). However, they would have to use the browser that I typically use. This scenario would not work if they attempted to access Amazon using a completely different browser. Was the attacker just showing off?

Another thought. If my officemate or housemate wanted to know what my Amazon account password was, they could access the security setting on my browser and “see” my password! But as I chatted with Hal about this, he reminded me that the attacker would have to know my master password in order to see the passwords saved for each account.

All of the components of the scenario I described above are related to a person attempting to access the computer physically, in person. Similarly, in the virtual world, the attacker would have to remotely access the system, pose as Hal, and either use the currently running browser or launch a new instance of Hal’s favorite browser. This would have likely worked with the remote access the attacker had, but Hal saw no evidence of the attacker having used the browser he left open. And if the attacker did take over the running browser, why would he go to the trouble of using a completely separate browser to log in to Hal’s accounts? It would be a silly and unnecessary step!

It occurred to me that this attacker was a one-trick pony. He had a tool that he liked to use to extract the passwords out of the most common types of browsers, including the one that Hal typically uses. And like Hal, this attacker had a preferred browser too, and it was a browser that Hal doesn’t use. In fact, that browser application didn’t even exist on Hal’s computer before the attack, so the attacker actually installed it!

When Hal visited the toilet paper advertising site, unbeknownst to him, he downloaded malware, which was executed using Hal’s privileges. This malware was likely a remote access program, and since it was running with Hal’s permissions, it looked to the system as if it was Hal. This attacker then loaded his own toolkit onto Hal’s computer. The toolkit consisted of a piece of software designed to retrieve and decrypt passwords from specific types of browsers, and it also included the browser application that the attacker likes to use.

The attacker’s software allowed him to issue a command, posing as Hal, to run a process extracting all the valuable information out of Hal’s browser, including his browsing history, bookmarks, and web browsing cookies. Most damaging, this software also retrieved all of the encrypted account data out of the browser, and decrypted it into a plaintext file. This file, now accessible to the attacker, contained a list of all of the sites (URLs) for which Hal had stored access credentials in his browser, including his username and password for each!

A Rookie!

I’m convinced that this attacker was a rookie, not a professional hacker. Here are a couple of reasons why...

Obvious Actions

The attacker used the browser he loaded on Hal’s system to attempt to get into Hal’s accounts. This activity could have been observed at any time, by Hal! A professional hacker would have retrieved the file containing the decrypted account credentials and moved it to another system. Professional hackers often automate many of these actions so they can retrieve as many account credentials from as many people as possible, in the shortest time duration. And whether or not they use the data themselves, it often ends up for sale on illegal sites. 

Didn’t Hide His Tracks

Most likely Hal caught the attack in action, which is why he saw the browser, and why the malware was observed by the computer center. A professional attacker typically erases all tracks of his existence to lessen the risk of detection and give him more time to make money or purchases using the stolen data.

Daytime Activity

Had the attacker waited until typical North American “sleeping” hours, Hal might not have caught the activity for a while and the attacker would have had more time to access more accounts. 

Triggering Fraud Detection Systems

The attacker kept attempting to get into Hal’s bank and retirement accounts, even though the authentication process kept prompting for the two-factor authentication code. This alerted the account providers that the accounts were being attacked, and they took immediate action to safeguard the account. This also tipped off Hal that someone was attempting to access his accounts.

Stay tuned for "Lessons Learned" in Part 2, coming next week.....

Today's blog comes from State of Colorado Chief Information Security Officer Debbi Blyth.

No comments:

Post a Comment

OIT encourages open discussion, and we invite you to share your opinion on our issues. By commenting on this blog, you are agreeing to our commenting policy, outlined below.

We reserve the right not to publish comments on our blog containing any of the following elements: profanity, misinformation, spam, off-topic/irrelevant (including self promotional posts not having to do with IT or the organization), personal attacks, promotion of violence, or the promotion illegal or questionable activities.

If you repeatedly violate this policy, you will be blocked from commenting.

If you have a question regarding this blog or anything on it, please email us at

We appreciate your cooperation and support, and look forward to connecting with you!