Reflections, thoughts off-the-beaten-path and (in)digestion of current events by a hospital chaplain from Indiana (where we're called Hoosiers) who moved to Australia in June 2008. Taking faith seriously, trying to make a real difference in the lives of people, and seeking to maintain a "balanced" perspective by clowning around on a unicycle and twisting animal balloons as my alter ego: "Clair de L'uni" are some of my favourite ways to journey through life. Grandfatherhood is also exhilarating!
While through a combination of persistence and luck I was able to recover control of my Gmail account (though not my address book) and get a step ahead of that criminal element, there were some interesting and far-reaching emotional effects among my friends circling the globe - some of which continue: They are still periodically sending out evocative messages in batches from a fake email address which intentionally looks like mine! Thus far I have received well over a hundred concerned phone calls or emails from very worried friends all around the globe, and of course some emails that were initially sent to me I never saw!
Not because I took considerable time to research the subject and pull together some important knowledge - which I did - but mainly because what can be learned here might save the reader and perhaps some other friends lots of blood, sweat and tears, I encourage you to "read more" after the jump below! (And if you think what I've pulled together may be of practical help to others, feel free to point them here.)
Question #1: Did you (Clair) have a virus or malware infesting your computer? (And could I get a virus or have my account affected by having opened that email?)
Question #2: How can cyber criminals do this devious thing and rip off passwords?
Question #3: How widespread is the problem and what can "they" (the authorities) do about it when the problem originates in other countries?
Question #4: To minimize my risk, what must I do to protect myself if I want to continue to use web-based email (like Gmail) or a social networking site (like Facebook) ?
Question #5: Why is the scam, using the email addresses they obtained, able to continue, since you were able to "recover" the account at your end? (Did they get in again?)
Question #6: What should people like me do when they get a message like that? It sure seemed "real!"
Summary (Why I feel so fortunate, in spite of all the hassle!)
Question #1: Did you (Clair) have a virus or malware infesting your computer? (And could I get a virus or have my account affected by having opened that email?)
No. It had nothing to do with a virus or anything malicious surreptitiously installed inside my own computer's software or hardware. It's actually more sinister and less easily detectable than that! I explained in that other blog column how quite a while before this incident I had installed VERY strong defenses. All of my anti-virus, anti-hacker and firewall software programs were working quite well and had their settings properly adjusted. I double-checked that after the fact with a tech from my security company - Comodo. I also use a proprietary wireless modem owned by Virgin Broadband here in Australia and it is also very secure, so I actually have double protection as far as the hardware is concerned. I discussed all this to my satisfaction with Virgin's tech support, as well.
Thus a scammer did NOT, nor will ever be able to, get inside my computer or attach anything to my software. How do I know for sure? I had absolutely NO viruses and NO malware showing up afterward upon testing - twice - utilizing reputable programs from different companies.
Apparently what that miscreant did to hack into my Gmail account was to obtain my password - which, by the way, was a very "strong" one - while I was online. The worst thing is, this can happen to anybody anywhere anytime if you use web-based email. So I hope you'll take the time to read what follows and ascertain if you are sufficiently prepared! Scamming passwords happens randomly and will continue to happen from "now until kingdom come."
Question #2: How can cyber criminals do this devious thing and rip off passwords?
During my research this past week I began to realize the many options scammers have developed, typically deploying one or more strategies from a whole tool-box of them at their disposal:
1. Detecting common password usage, that is, using the same password for multiple accounts so if cyber criminals break into one - like the social networking site Facebook - they can get into others. (That was one of my problems. I was using the same password for my Gmail account that I had been using for FB.)
3. Utilizing a "key logger" - Here is one hacker's own description posted two years ago at "Hacker's Center" - their byline is "Security is our right. Hacking is our left" - detailing how he corrupts a Firefox browser add-on to actually accomplish this! (That was not my specific vulnerability since, though I have utilized Firefox, I now primarily use Google's Chrome browser for internet surfing.)
4. Trojan Horse/Malicious code - installing them on a victim's computer. A user should investigate all computers commonly used, as a cyber criminal might have access to everything typed at the computer keyboard. All users MUST have reputable anti-hacker software installed and firewall protection turned on, with settings properly adjusted and scheduled to regularly update, in order to prevent such a thing from happening. (I certainly did NOT have such a malicious thing going on, as I said above.)
5. Not logging out when finished using a public computer or a computer where others have access - like at work - will leave one vulnerable to hackers. (Not my situation.)
6. Browser "auto-fill" being enabled on a computer others might have access to - so they don't even need to know your password! (Not my situation.)
7. Network "packet capture" on a wireless or free hot-spot network. This is somewhat rare, but still possible for non-encrypted networks. (In my case, I haven't been using a wireless free "hotspot" but for those who do they need something like this to prevent it.)
8. Brute force - utilizing a "cracker" program to discover a password which doesn't have relevant strength. All users should make sure their password and secret question at Gmail are "strong" ones. In my case I already had a strong one.
Question #3: How widespread is the problem and what can "they" (the authorities) do about it when the problem originates in other countries?
Cyber crime is getting VERY sophisticated and it's getting more and more challenging for those organized to combat it to stay ahead of their game. For example, apparently certain Chinese hackers have been regularly deploying some of the strategies I listed above and giving Google huge "headaches" - something we are all hearing about in the news in recent times.
Cyber criminals mostly based in Nigeria have been using this particular scam they foisted on me for a number of months already. Whole gangs in Nigeria, Russia, China, and elsewhere are working on scamming world citizens 24/7 so there is not much we can do until their governments get serious about the problem - especially since the Internet does not "belong" to any one body, with no central authority to regulate this giant "cloud."
Two days after all this happened to me a Nigerian fellow quite knowledgeable about the details of how cyber scammers get started and freely operate there revealed in this very illuminating article how they do their thing! The level of official government complicity that he outlines is staggering, and the article concludes with: "Nigeria’s dreaded status in internet scam is in no way as a result of the skills of the scammers, but the inability of the Nigerian government to checkmate it, even when strong evidences could steer towards easy resolution. Our government is unserious; the regulating agency has no idea, the law enforcement agencies are compromised and the yahoo boys are having a field day until when someone who knows what to do comes on board. Till then, the message is simple; you’re on your own!"
I'll share a scary personal first-hand example to illustrate the problem: I did a search on where to report cybercrime in Nigeria and Google found a reputable site here with an entry half way down that page describing the official government agency as the Independent Corrupt Practices and Other Related Offences Commission. The annotation listed there said "The commission is at the hub of Nigeria's fight against corruption. The main duty of the commission is to receive complaints, investigate and prosecute offenders. Other duties include education and enlightenment of the public about and against bribery, corruption and related offences" and then it gave the link. [WARNING TO THE READER HERE: Do not try to recreate and click on this next link unless you want to suffer the consequences like I did, even though it is/was a Nigerian govt website - I'm only spelling it out here now with "dot" inserted where there used to be periods in order to show how official-looking the link actually appeared at that point in time on that list: http://www "dot" icpcnigeria "dot" com ]
I innocently clicked on that link, but it only led to a generic sort of site advertising solicitors (attorneys) and other business where one then has to hire them to help report cybercrime in Nigeria. After about five seconds gazing at that, having expected to see a government website instead, my malware protector alarm came on saying someone was attempting to install a "bot" on my computer at that very moment! I then had to take extra time to run my malware scanners and so forth. This negative experience was a perfect example of strategy #7 (web phishing) in my list above, and I immediately reported it to the owner of that site, the Director of a Nigerian IT training school.
I then attempted to alert the Nigerian national police at their official site, but didn't have much better luck. When I did a search there using the term "cyber crime" the only items that came up were three articles regarding recent training of police to deal with cyber crime. I selected one which had the start of an article about a recent session sponsored by the French authorities, but the rest of the article was obviously completely corrupted by a hacker who put a whole layer of gibberish over it. So forget trying to report anything to the Nigerian police!
The representative of the IT school team, however, a Mr. Ayo Adediran, responded to my concern several hours later with a very nice letter in good English, the content of which served to restore my faith that someone in that country is listening and concerned. He promised to change their annotated list which included the link to the now-defunct Nigerian government site, which he agreed no longer works because the government apparently let this domain registration expire. I of course couldn't know that when I clicked on the link based on the annotation - even though it still appears to be very official. He explained how apparently someone else has now "taken it over" for nefarious purposes.
Mr. Adediran also helpfully pointed me to a better site - the official Nigerian agency recently set up where one can NOW file a report regarding a proven incident involving Nigerian cyber scamming: the Economic Financial Crimes Commission (EFCC). I can now see that site listed here as a result of my email exchange.
Question #4: To minimize my risk, what must I do to protect myself if I want to continue to use web-based email (like Gmail) or a social networking site (like Facebook)?
* Basically there is not much that can be done to ultimately prevent advanced types of "hacking", but it is worth reading this summary by Google on the preventative steps that SHOULD definitely be taken. One's risks can be minimized, first of all, through heightened awareness! Taking the time to read this blog column and some of the articles I've selected (which are behind all these links in green) is part of just such a process.
* And it will certainly help to educate oneself at "see-a-scam" (an Australian site) or use the appropriate branches of that site to report a cyber scam if this happens to you while living in Australia.
* Be forewarned - for most of us it isn't a matter of if cyber scamming is going to happen, but when, if the choice to use web-based email like Hotmail or Gmail, or staying involved in social networking, continues. (But take heart, I am willing to continue taking that risk - given what I've learned to protect myself.)
* It is of vital importance to choose a back-up system for one's web-based "history" so that if and when they siphon off your email address book, a back-up stored in your software on the computer hard-drive can be used to restore it. I learned this the hard way and have now installed Thunderbird (open source) as my choice. (One can also use an e-mail client like Outlook or Pocomail to download the messages to the computer, or use this Gmail backup utility.)
Question #5: Why is the scam, using the email addresses they obtained, able to continue, since you were able to "recover" the account at your end? (Did they get in again?)
Some people are still responding to last Sunday's bogus Gmail message, even a week later, because they were traveling or aren't in the habit of reading or responding to their email very quickly. And if they do, their message is coming straight back to me because I regained complete control of my own email account 20 hours after it happened. Thus I'm still getting personal calls and emails related to this (as are some of my extended family members back in Indiana who continue to receive such) wondering if I'm OK and back to Australia from London yet! (And you should see some of the "interesting" reply messages that I've seen, filled with very "colorful" language some scam-savvy friends thought they were probably sending straight to those cyber criminals - and normally would be!)
I think my scammer divided up the total 1900+ email addresses which my Gmail account had automatically saved up over the last 7 years. Why did I have so many? Gmail automatically saves ALL the email addresses from other people's group lists that I happened to be on, so when people forward stuff with "reply all" - listing everyone in the "to" section instead of the "bcc" section - all those addresses come into my box, as well. Which makes for a treasure trove of addresses when scammers "harvest" it - and is the main reason why no one should be sending out group email that way!
My scammer sent out his false message in batches of up to 500 each day from a fake email address he has set up at Yahoo: Clair.Hochstetler@yahoo.com looks similar to my gmail address but obviously isn't. Sending out more than 500 automatically shuts down the bogus email account when the email service concludes someone is sending out "spam", so that's how the cyber scammer stays under the radar. I can't turn that Yahoo account off because I don't "own" it and thus don't have the password. (I just realized today I need to tell Yahoo to shut that sucker down!)
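The lookalike sender address described above (and the "note it as phishing" advice in the next question) can be checked mechanically: a message whose From display name or local part matches someone in your address book, but whose domain does not, or whose Reply-To quietly points elsewhere, deserves a second look before anyone replies. The following is an added example, not code from the original post; the address book and the two sample messages are constructed, and the addresses in them are invented placeholders rather than anyone's real address.

```python
"""Flag sender addresses that impersonate a known contact.

Constructed example (not from the original post): the address book and
the sample messages below are invented for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: the contacts the reader genuinely knows.
KNOWN_CONTACTS = {
    "alex.example@gmail.com": "Alex Example",
    "sam.reader@example.org": "Sam Reader",
}


def _local_part(address):
    """Normalise the part before '@' (Gmail-style dots are ignored)."""
    return address.split("@", 1)[0].lower().replace(".", "")


def classify_sender(raw_message):
    """Return a list of warning strings for one raw RFC 822 message.

    A warning is raised when the From address is not a known contact but
    its display name or local part matches one (a lookalike sender), and
    when Reply-To differs from From (replies would go somewhere else).
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    warnings = []
    if addr not in KNOWN_CONTACTS:
        for known_addr, known_name in KNOWN_CONTACTS.items():
            same_name = bool(name) and name.lower() == known_name.lower()
            same_local = _local_part(addr) == _local_part(known_addr)
            if same_name or same_local:
                warnings.append(
                    f"lookalike sender {addr!r} resembles known contact {known_addr!r}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        warnings.append(f"Reply-To {reply_to!r} differs from From {addr!r}")
    return warnings


# Constructed sample messages: one from the real contact, one lookalike.
SAMPLE_GENUINE = """From: Alex Example <alex.example@gmail.com>
Subject: Greetings from Australia

All well here.
"""

SAMPLE_LOOKALIKE = """From: Alex Example <Alex.Example@yahoo.com>
Reply-To: alexexample.help@yahoo.com
Subject: Urgent

Stranded abroad, please reply as soon as you can.
"""

if __name__ == "__main__":
    for label, sample in (("genuine", SAMPLE_GENUINE), ("lookalike", SAMPLE_LOOKALIKE)):
        print(label, classify_sender(sample) or ["no warnings"])
```

The same check is the "acid test" a mail filter can apply before a human does: the genuine message yields no warnings, the lookalike yields two.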
Question #6: What should people like me do when they get a message like that? It sure seemed "real!"
Either note it as a "phishing" attempt - or do nothing and move on. Too many people are inexperienced in discerning scam messages and considered what they received to be a real message from me. First of all, it was filled with typical West African ("engrish") grammatical errors and phrases. The whole thing is illogical because seasoned travelers (like us) usually have other ways of tapping help and financial resources right away if such a thing happened - e.g. I would have immediately contacted my credit card company and children or other relatives by phone - not friends! Also, I wouldn't (and I would hope that most educated victims of a real mugging would not) write a message like that, even under extreme duress, although several friends said they thought about how being mugged at gun point and perhaps forced to compose a hurried email SOS message on a smartphone might affect one's literary style! Thus the scam becomes emotionally "effective."
I could go on and on about why, from a logical standpoint, it should be obvious it is a scam, but since such a message creates an emotional charge the worst part from what I've read is that many people out there receiving something like that will act very irresponsibly and actually try to send money in response without independently verifying the situation with "the victim!" However, the biggest give-away on this one is that the initial message gave no information on where to send money!
So, that message was clearly designed for one thing only: to elicit a startled email response from my caring friends, which results in receiving a follow-up email, then to "engage" the potential victim in further email exchanges which hype the situation and "hook" them in deeper and deeper - especially if the scammer can get them to "chat" using the instant messaging feature of FaceBook. These scammers must manage to extort a fair number of people out of their money or they wouldn't be doing this! (So far, thank God, I have not heard from anyone who was swindled on MY behalf - or at least none have admitted it!)
A couple of scam-savvy friends of mine who knew I had Skype deliberately engaged in "chats" with that scammer during the first few days of this scenario and reported to me later - independently of each other - that they had asked him to Skype them. That is the point at which he would instantly shut off contact. So asking to have a conversation on the phone or on Skype is the acid test for knowing whether or not it is a cyber criminal behind it all!
Summary: Why I feel so very very fortunate, in spite of all the hassle!
Though I was persistent and acted fast once I realized what was happening, I still am extremely lucky to have been able to actually seize back control of my Gmail account, and subsequently create a back-up of my entire email history. Only my email address book was sucked dry, as that was the "golden egg" they really wanted to use. Most people never regain access to their Gmail account because the alternate email address to send out the password change information usually gets switched, as well, by the scammer. (The cyber criminal who messed with my account apparently forgot to do that, though he inserted his mobile phone number to be alerted by SMS if any password changes were made! I made a quick screen shot of that, in case I couldn't make my changes in time.)
Most victims, upon reporting such an incident to Google, will have their Gmail account shut down until a whole series of detailed questions are addressed on the official report which must be submitted and to which most persons can't remember all the answers - like EXACTLY the date they started their account. Thus the account is hardly ever given back again with an incomplete report. That means not only losing one's email, but any blogs linked to that email address - such as Blogger - or any valuable documents saved in Google Docs, or one's photo history in Picasa, etc - virtually everything inside the many diverse programs the Google "system" owns, which for the individual user the access to any of them absolutely depends upon knowing and maintaining control over the One Almighty Google Password!
Obviously, I was able to "fix" things myself and avoid those sorts of adverse consequences without needing to file an extensive report to Google. I then created my first email history back-up offline, then decided to let well enough alone. Now I'm much better prepared for the next round, if that happens, hoping that what I've learned will help prevent it from ever happening again. But as I said above, there is no ultimate fool-proof defense against advanced hacking since I've decided to continue with Gmail. I made that decision because there are so many features about it which I appreciate and which I think make it worth the risk. But if you are looking for live human "support" from Google if you get in trouble - forget that and go somewhere else!