Email hacked...what to do?

A friend just had his email hacked and I was one victim.

If someone has the time and expertise, I would greatly appreciate your advice.

I received an email from him this AM. Correct address (@comcast) shown. But it wasn’t him.

I responded.

That resulted in my receiving a response from his address but now @yahoo. That reply was asking for help buying an Apple gift card.

So: My friend has lost all inbound mail and no one can email him. Somehow the hacker now diverts all of his @comcast account email.

What should he do?

Do I need to do anything having received this email to prevent something like that happening to me?

Thank you

The very first thing he MUST do is get in and change the password to his email account. If the attacker has already taken over entirely, that may require working with Comcast support.

The next thing to do is to change the password for any accounts that share the same password. If it was used in one place, it could be used in others.

In general, the two things you can do to prevent this sort of thing from happening to you are:

  • Make sure your email account has a strong, unique password associated with it.
  • Set up two-factor authentication for your email account.
4 Likes

This exact thing happened to my uncle (he clicked on a link in an email he thought was from AT&T and entered his password on the resulting screen) and the hacker took over his email and locked him out and started asking everyone in his contacts for gift cards…

(I didn’t fall for it as the email was full of grammatical errors and didn’t sound like my relatives. I contacted him and he figured out he’d been hacked.)

The real problem was AT&T (his email provider) would not reset the account for him. I never found out the details, but I guess they couldn’t believe it was him. He ended up having to get a new email address after having the old one for almost 20 years, which was a real pain as naturally, all his other accounts were tied to that email. (Fortunately, he’s not a power user and didn’t have that many logins.)

The bottom line: never click on links in emails.

2 Likes

Thanks Adam.

I followed you to Mailplane. Is 2FA with 1PW using Mailplane easy to add and operate?

Gmail’s 2FA works through the Gmail app on an iOS device (primarily? only? not sure) and it works fine with Mailplane, since it’s basically just a browser.

In essence, the first time you log into Gmail on a new device, you provide your username and password and then you go over to the Gmail app on an iOS device where you’re already logged in and respond affirmatively to a prompt that appears. In my experience, it works well.

Thanks much. I appreciate it.

Happy Holidays.

What I tell everyone: Use a Password Manager!

A password manager does more than just remember your passwords. 1Password lets me know if I have duplicate passwords, weak passwords, and even accounts in systems that have been breached, and I should change my password.

However, one of the strongest reasons to use a password manager: It defends you against phishing attacks.

I heavily use 1Password and know I can fill in any password by pressing the ⌘-\. I do this even for passwords I might fill in a dozen times per day.

I got an email from a colleague (or so I thought), asking me to look at a particular document stored in Sharepoint. I clicked on the link in the email, got the login screen, then pressed ⌘-\ and nothing. I tried it a few more times, and checked to make sure 1Password was working.

I was about to login manually when I took a closer look at the URL. In place of the letter m in our company’s name was an r followed by n. rn: It looked like an m, but wasn’t. The email was a phishing email. The landing webpage looked like our corporate login webpage, but wasn’t. The hacker even had a security certificate for this fake webpage. I was fooled, but not 1Password.

You cannot survive in this age without a good strong password manager. You need hundreds of different passwords. You need to be alerted when one is breached, and you need to use it exclusively to prevent phishing attacks.

5 Likes

These homoglyphs can also be created with Unicode characters allowing phishers to create domain names that are visually indistinguishable from the real thing. I heartily endorse the advice to use a password manager.

3 Likes
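A small check in the spirit of the two posts above (the "rn" for "m" trick and Unicode homoglyphs), added here as an example and not taken from the thread or from any password manager's code: it reduces a URL's host to a visual skeleton (punycode decoded, a handful of Unicode and ASCII look-alikes mapped to the letters they imitate) and reports whether the host is the expected site, a look-alike, or something else. The confusables tables and the examplecorp.com domain are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately small confusables tables covering the cases the thread
# mentions: "rn" read as "m", and Cyrillic letters that render like Latin ones.
# Unicode's full confusables.txt is far larger; this is illustration, not a library.
ASCII_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}
UNICODE_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u0501": "d",
}

def skeleton(host: str) -> str:
    """Collapse a hostname to the shape a human sees, so look-alikes compare equal."""
    host = host.lower().rstrip(".")
    try:
        # Turn punycode labels (xn--...) back into the Unicode a browser would display.
        host = host.encode("ascii").decode("idna")
    except ValueError:
        pass  # already Unicode, or malformed punycode: compare it as given
    host = unicodedata.normalize("NFKC", host)
    host = "".join(UNICODE_CONFUSABLES.get(ch, ch) for ch in host)
    for seq, rep in ASCII_CONFUSABLES.items():
        host = host.replace(seq, rep)
    return host

def classify(url: str, expected_host: str) -> str:
    """'match': the real site or a subdomain of it; 'lookalike': merely looks like it; else 'other'."""
    host = (urlsplit(url).hostname or "").lower()
    expected = expected_host.lower()
    if host == expected or host.endswith("." + expected):
        return "match"
    want, got = skeleton(expected), skeleton(host)
    if got == want or got.endswith("." + want):
        return "lookalike"
    return "other"

if __name__ == "__main__":
    # Constructed URLs; the "real" company domain here is examplecorp.com
    for url in ("https://login.examplecorp.com/", "https://exarnplecorp.com/login",
                "https://ex\u0430mplecorp.com/", "https://examplecorp.com.evil.test/"):
        print(url, "->", classify(url, "examplecorp.com"))
```

A password manager does essentially the opposite of this: it refuses to fill unless the host matches exactly, which is why the look-alike above never got a password.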

Thank you for this cautionary tale.

I used the built-in password manager in Firefox, which would have offered the protection against entering a password in a look-alike web site, as you described. As far as I know, it does not offer alerts when a site is breached. If anyone knows that it can, please post.

How does 1Password monitor for breaches? One possibility is that it compares the sites that the user has saved to some database of breaches when the user visits a site, either waiting for the user to enter credentials or not. Another is that it compares the sites that the user has saved to some database of breaches every hour (or minute, or day). A third possibility is that it does some combination. Of course, there could be other scenarios. What does 1Password do?

And is 1Password still available for one-time purchase (not subscription)?

Thanks.

Good advice.

Best part is you don’t even need to pay for basic functionality. iOS 14 and macOS when used with iCloud Keychain will save your passwords, alert you to duplicates, suggest better new passwords, and let you know when you’re trying to enter the password at a spoofed site.

Nothing against 1Password or LastPass etc. They no doubt offer added value. But nobody should be mistaken about needing to spend extra money to stay safe.

Here’s what they say about it:

About Watchtower privacy in 1Password

It uses the have I been pwned service.

See Finding compromised passwords with 1Password | 1Password

Yes, but checking for password breaches requires a subscription. It’s one that I gladly pay.

This page tells you how to install the app and purchase a license: https://support.1password.com/upgrade/

Since Firefox switched password management to their “Lockwise” software, it alerts you if a password you’ve used may have been stolen in a data breach. It can also check if you’re using a breached password on any other sites.

See also:

They also make an iOS app to access Lockwise data from other apps if you sync passwords to your Firefox account: Firefox Lockwise - Take your passwords everywhere

It’s great advice to avoid reusing a password. But bear in mind that your email address is pretty damned public info, and often constitutes 50% of your login credentials. That’s why I use Abine’s Blur, which allows me to create a different masked email address for every single account. It also offers a password manager which shares between iOS and Mac (don’t know about Windows or Android), a tracker-blocker, masked phone numbers, and one-time-use debit cards.

If a website begins to spam your email or phone number, or sells your email address or phone number, you’ll know who did it, and you can quickly turn off the offending source. I haven’t had to do that lately with masked emails, but it’s nice to know that I can if the need arises.

Thanks, @Shamino.

I have used 1Password for years and have never had a failure of any sort with them. It is amazing given the number of government hacks, but they seem to stay safe (the sound you hear is me knocking on wood - or was that an Apple keyboard?).

My email appears on my credit watch resource, but there is no indication they have anything. I change passwords religiously (pun intended given my profession ;-o). That is so important!

Have you communicated with your friend via some other means (phone, text, etc.) to confirm that his account has been hacked? It’s possible that it was spoofed, instead. It’s easy to fake the “From” header in an email, and to use a “Reply-To” header to ensure that a response goes to someone else - or even to use a “From” address of the format: “friend@comcast.com” <friend@yahoo.com>, which many email programs would show in a “user-friendly” fashion as “friend@comcast.com.”

The first thing I do if I get a suspicious email like that is to look at the complete headers, to see whether there is funny business going on.

(Sorry for the late reply; I just saw this in the weekly summary.)
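To make the header checks in the post above concrete, here is an added example (not from the thread) that parses a raw message and flags a From display name that is itself an address different from the real mailbox, and a Reply-To that diverts replies to another mailbox or domain. The sample messages and the .example domains are constructed.

```python
from email.parser import Parser
from email.utils import getaddresses, parseaddr

# Constructed sample messages (headers only) mirroring the tricks described above.
DISPLAY_NAME_TRICK = """\
From: "friend@comcast.example" <friend@yahoo.example>
To: you@example.org
Subject: quick favor

"""
REPLY_TO_TRICK = """\
From: Friend <friend@comcast.example>
Reply-To: friend@yahoo.example
To: you@example.org
Subject: quick favor

"""
CLEAN = """\
From: Friend <friend@comcast.example>
To: you@example.org
Subject: lunch next week?

"""

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def header_warnings(raw_message: str) -> list[str]:
    """Return warnings about From/Reply-To mismatches; an empty list means nothing odd."""
    msg = Parser().parsestr(raw_message)
    warnings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    # A display name that is itself an address, hiding a different real mailbox.
    if "@" in from_name and from_name.strip().lower() != from_addr.lower():
        warnings.append(f"From display name {from_name!r} is not the real sender {from_addr!r}")
    # A Reply-To that quietly sends your answer somewhere other than the From mailbox.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and reply_addr.lower() != from_addr.lower():
            scope = "domain" if _domain(reply_addr) != _domain(from_addr) else "mailbox"
            warnings.append(f"replies go to a different {scope}: {reply_addr!r}, not {from_addr!r}")
    return warnings

if __name__ == "__main__":
    for label, raw in (("display-name trick", DISPLAY_NAME_TRICK),
                       ("reply-to trick", REPLY_TO_TRICK), ("clean", CLEAN)):
        print(label, "->", header_warnings(raw) or "no warnings")
```

Neither check proves a message is forged, since mailing lists and ticket systems set Reply-To legitimately; they only tell you where a reply would actually go before you send it.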

Gmail’s 2FA works through the Gmail app on an iOS device (primarily? only? not sure)

I continue to use 1Password’s TOTP generator with Google accounts just fine, although recently they have started making me click around the option of using a signed-in Google app as a no-code authenticator first when I log in, so they must strongly want people to switch to that.

I use Fastmail which allows me to use plus addressing. I can simply append a ”+” to my email, and then anything after it.

For example, my email address is david@weintraub.name. However, when I sign up for a service, I’ll append a plus sign and some other random information like david+Sjdh@weintraub.name. This allows me to give each account a unique email address. It also allows me to see, if I get an email, where they got the email address from. If you use Gmail, you can add periods wherever you want in an email address. For example: da.vid.weint.raub@gmail.com and david.weint.raub@gmail.com are the same email address.

David Weintraub wrote: “I use Fastmail which allows me to use plus addressing. I can simply append a ”+” to my email, and then anything after it.”

Fastmail lets you use real aliases (up to 600 of them per account), so you can avoid the plus-addressing kluge. Spammers and others know how plus addresses work, and they can easily delete the plus and anything following to know your real account. Proper aliases are not detectable as being tied to your main account. (Though you need to keep an eye on the signatures if you want to send from the alias: Fastmail uses your default mail account signature as the default alias signature, which is a pita.)

If you have fastmail host your own domain, there’s no limit to the number of aliases you can have, though there’s some chance that someone could trace you via the domain registrar. I use a mix of both - my own domain aliases for places that know who I am anyway, and fastmail aliases for most others. Plus my own domain aliases will stick with me if for some reason I need to change mail vendors.

mailinator.com is a very useful resource for a throwaway address. They accept mail for every possible address, so you don’t have to set up anything in advance. You can’t send mail, only receive, and depending on demand the mail likely won’t stick around for more than an hour or so. But for signing up for a web forum, or downloading software demos that want to harvest your address, it’s great. Anyone can read the mail for any account, so don’t use it for anything at all sensitive.