Friday, December 17, 2010

Let's be careful out there

Updated. Yesterday, someone hijacked my e-mail account and then notified the entire universe that I was stranded in London without credit cards or passport, and asked people to wire money to get me home.

Of course, it was a scam. Judging from the number of times I have received identical e-mails "from" other people over the past year or so (especially in the past few weeks) it is a pretty common one. As I said to another victim of this very same note, I should hope that if we were in London, we'd know how to hang on to our passports and do something more fun than slumming in internet cafes. If all the Episcopal clergy and lay people I know who've been hit with this were actually in London, it would have been quite a party!

Phishing scams are quite profitable. Hijacking e-mail accounts costs very little and, given the dozens of e-mails sent to addresses stolen from just my address book and old e-mails, and assuming that this scam is repeated over and over again every day, the crooks only need a handful of people to respond to make this crime pay. The return on investment must be astronomical.

One thing about this incident bears remembering: it was a sophisticated attack but it was not super-science. I am pretty sure I left the key under the mat. I am very careful about internet security and consider myself pretty savvy about security. I get these kinds of phishing e-mails that get past my spam filter every day, and I block and delete every one. I am more than a little embarrassed by having this happen to me, and about the inconvenience it caused all those around me (even if they are across the country or around the world). So what happened?

Well, about a week ago, I got an e-mail that was clearly a phishing scheme from a "ymail" address. I read it on my smartphone and ignored it. Actually, I thought I deleted it but I found it on my phone yesterday morning, which tells me that I didn't. This makes me think that I either indicated that the e-mail was "read", or somehow executed the link embedded in the note. It was probably only a split of a split second of carelessness. I had other things on my mind. But it was all the crook needed to invade my personal e-mail account. Stupid, but true.

So this wasn't someone in a dark, underground lair slaving in front of a screen sucking down caffeine and twinkies figuring out how to break into my laptop. No, this was actually more sophisticated than that: they sent out a blanket note to lots of people hoping someone would execute their program, which would allow them access to both my e-mail and the all-important password.

Having access to my data, the crook waited a few days, probably testing to see if I would have noticed any subtle changes they made, and then when all was ready, he struck at about 6 am my time. I got a text right away from a friend in the mountain west who should have been asleep. And then I found I could not get into my Gmail account.

After the initial shock, and the empty sense of "Oh...crap!" I am happy to say that I did not panic. I knew my day was shot, but I went to work. Using my phone and another address, I made a new password and got in.

I have to say I got some great help from Dean Nick Knisely at Trinity Cathedral in Phoenix...the one who texted me instead of sleeping...and I also remembered some basic lessons that I learned from my son. The takeaway here is don't panic, there is help out there.

The first thing I saw was that they had set it so that they would be notified of any password changes I made. So when I made my weekly change in password, I gave it to them. And I gave them my new password. So I cut off that access.

The second thing they did was first mirror all e-mails to and from the account to their fake account, then eventually redirect any e-mails directly to the fake account and then, third, delete any e-mails sent to my normal address. This meant that I would be ignorant of any responses from concerned persons.

The third thing they did was wipe out my entire e-mail history and address book. Too bad for them, this did not apply to my phone, which has three days' worth of e-mails in its own memory. I not only found the original phishing note that I probably fell for or triggered, but was able to watch the activity leading up to the attack. They definitely tested the ice to see if it would hold weight before they moved in.

I killed any remote use of my account, changed the password again and then again. I also updated all identifiers that allow the hacker to re-obtain my password. I have changed all known passwords and identifying data on all related on-line accounts. At the end of the day, I did a thorough scrub of my laptop to be sure the perps did not leave behind any spyware, malware, or other unhealthy things.

One of the ways I attempted to let people know that I had been hijacked and to ignore the message was by way of Facebook. Later in the day, I wrote:

"If there is an upside to having your e-mail account hacked, it is that you suddenly hear from all kinds of people who are concerned about you. They fall into two categories: the ones who never saw this scam before (pray none of them sent actual money!) and those who know exactly what this scam is and send condolences. In both cases, the genuine care is a heart-warming silver lining to this digital cloud."

Besides all the technological and security issues, this attack had another effect. It ate up most of my day straightening this out, and (perhaps more important) it ate up the day of my parish's secretary because people called, e-mailed, texted me or the church to let us know it happened. A good deal of good-natured ribbing came my way about my trip to London or my superior diplomatic skills in being able to travel internationally without a passport. Everyone who called or e-mailed had advice, admonition or needed to tell their story. (Just as I need to tell my story, eh?)

But it caught up other people in other ways.

We know we intercepted one person who actually walked into a Western Union to send me money. (She got her money back, thank God!) Others were quite ready to send me an emergency loan, but called first. A phishing scam exploits the good-will and compassion of good people. This is why I hope and pray that there is a special ring of hell set aside for these heartless creeps.

One mom in my parish sent a note to the hacker lecturing him on his bad behavior and telling him she hopes he never gets any money from anything ever. You gotta love it. She would have sent him to his room without supper if she had the power.

Last night, I went to a Christmas party and listened to a fellow describe a movie where two con men cheat people out of a little money here and there. Some of the folks found this kind of low-level larceny humorous, at least on film. This event reminds me that these attacks are a violation, as much as a physical break-in to my house would feel.

Certainly, as a cleric, I have run across more than my fair share of people trying to sweet-talk me out of my parish's money or people who have broken into church offices, sacristies and jimmied open poor boxes for a few bucks. The biggest victim of this kind of thing is trust. To exploit another person's trust for personal gain is certainly as big a crime as the money itself.

It is a mark of life in the 21st century. Sooner or later you're gonna get hacked. Sooner or later, someone will try to exploit your trust to make a fast buck. The solution is not to stop trusting. The solution is to be aware of the world around us, be knowledgeable about how the technology we depend on works, and be realistic. Trust is still possible, as the caring responses of so many on my behalf showed. At the same time, as Sergeant Esterhaus used to say on Hill Street Blues, let's be careful out there.

Update: I just learned of the following.

There's a new service from Google (which is slowly being rolled out to Gmail users but is already deployed to Google Apps users) called 2-step verification. Basically it makes it impossible for someone to log into your Google account if they don't have your cell phone with them. This means that even if you do get phished, the attackers can't do anything with your password.
