eTransfers are Now Safe to Resume
Sun, Mar 29th, 3:40 p.m.
It is again safe to send donations to etransfer@amberleachurch.ca. But here's the kicker: This was no ordinary email hack, this was a "Domain-Level Hijack". Why such a sophisticated hack on small, unsophisticated us? Gemini says the hackers were practising.
What Happened?
On Monday, March 30th, a Broadway Kids parent called Nancy Varga, saying she had e-Transferred spring fees to Amberlea. There was no TD-Interac notification.
Nancy called our Treasurer, Laura Newman. Laura checked our TD bank account and found that we had received no e-Transfers at all after 3:40 p.m. on March 29th.
Laura called Greg Watson, the volunteer who looks after Amberlea's tech. Greg googled "interac hacks" and found the CTV News story from March 24th linked below. Now we knew this was a hack, and that we needed to look beyond the advice from our bank.
Greg invoked Gemini.Google.com to find the source. It is important to note that:
This was not a simple password theft.
Multi-Factor Authentication (MFA) was active on our email (required by Google Workspace), and Hover.com (Domain registration).
The hackers exploited a broken link, "thisweek.amberleachurch.ca", managed by Cloudflare, to access the Hover domain registry and add records to our DNS (screenshot below), bypassing passwords and two-factor authentication.
The records the hackers inserted into our DNS redirected email between @amberleachurch.ca and @interac.ca to their email server in the Amazon cloud.
This allowed them to change the bank account where eTransfer@amberleachurch.ca auto-deposits.
The hackers did not need to log into our individual mailboxes to redirect the Interac notifications... but changing our email passwords was the action TD told us to take.
Here's the "gotcha again": The hackers closed their bank account and stopped redirecting Interac notifications on March 31st.
This would have made TD's advice to change email passwords appear to work.
But the DNS records were still in place. So they could have come back... even if we had created a completely new email address for our e-Transfers.
Why is it Safe Now?
On the advice of Gemini (rather than TD), we have taken immediate and comprehensive action to lock down our digital perimeter and ensure this cannot recur. Our remediation steps included:
Registry Cleanup: We have removed all unauthorized records and "wildcard" security gaps that hackers used as entry points.
Enforcing DMARC: We implemented a strict "Reject" policy that acts as a digital bouncer, telling receiving mail servers to reject any unauthorized email claiming to be from us.
Global Session Reset: We forced a sign-out of all active accounts to terminate any potentially stolen sessions.
Registrar Change: We transferred our domain registration from Hover.com to Squarespace.com and cancelled Cloudflare.
We don't know exactly how the hackers were able to leverage a broken link to add new records to our domain; we only know that the vulnerability was related to how Cloudflare and Hover manage the records that route internet traffic.
Password Updates: All relevant administrative passwords for our banking, domain, and web services have been changed.
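As an added illustration (not part of the church's notice or of any tool it used), here is a small offline audit that flags, on a constructed zone export, the conditions described above: MX records pointing outside the expected mail hosts, a dangling subdomain CNAME, wildcard records, and a DMARC policy weaker than reject. The expected mail hosts, the retired-target list and every record value are assumptions made up for the example.

```python
# Offline audit of a DNS zone export for the conditions described in this incident.
# All hostnames and record values below are constructed for illustration.
import re

# Hosts we expect to handle our mail (assumed); an MX outside this set is a red flag.
EXPECTED_MX = {"aspmx.l.google.com.", "alt1.aspmx.l.google.com."}
# CNAME targets for services we no longer control (assumed list of decommissioned hosts).
RETIRED_TARGETS = {"thisweek-site.example-host.net."}

# Constructed zone export: (name, type, value). Not the church's real records.
SAMPLE_ZONE = [
    ("amberleachurch.ca.", "MX", "10 aspmx.l.google.com."),
    ("amberleachurch.ca.", "MX", "5 mx.unknown-host.example."),
    ("thisweek.amberleachurch.ca.", "CNAME", "thisweek-site.example-host.net."),
    ("*.amberleachurch.ca.", "A", "203.0.113.10"),
    ("_dmarc.amberleachurch.ca.", "TXT", "v=DMARC1; p=none; rua=mailto:dmarc@amberleachurch.ca"),
]

def audit_zone(records, expected_mx=EXPECTED_MX, retired=RETIRED_TARGETS):
    """Return a list of (severity, finding) tuples for a zone export."""
    findings = []
    dmarc_seen = False
    for name, rtype, value in records:
        if rtype == "MX":
            host = value.split()[-1]  # "priority host." -> host
            if host not in expected_mx:
                findings.append(("HIGH", f"unexpected MX {host} on {name}"))
        elif rtype == "CNAME" and value in retired:
            # A CNAME to a host nobody controls any more is the classic dangling record.
            findings.append(("HIGH", f"dangling CNAME {name} -> {value}"))
        elif name.startswith("*."):
            findings.append(("MEDIUM", f"wildcard record {name} ({rtype})"))
        elif name.startswith("_dmarc.") and rtype == "TXT":
            dmarc_seen = True
            m = re.search(r"\bp=(\w+)", value)
            policy = m.group(1) if m else "missing"
            if policy != "reject":
                findings.append(("MEDIUM", f"DMARC policy is p={policy}, not reject"))
    if not dmarc_seen:
        findings.append(("MEDIUM", "no DMARC record published"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_zone(SAMPLE_ZONE):
        print(severity, message)
```

Re-running the audit after cleanup (and periodically afterwards) is what catches records that were left behind, which is the persistence problem the notice describes.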
Next Steps for You
If you sent an eTransfer between Sunday, March 29 (3:40 p.m.) and Thursday, April 2 (11:00 a.m.), please contact the church office at 905-839-1383 if you haven't already. We are currently working to resolve any missing funds from that specific window.
Thank you for your patience and continued support as we worked through this technical challenge.
More...
Below is the link to the CTV News story.
Here is the screenshot of our DNS register with the records the hacker inserted. This is the "smoking gun."