Saturday 3 April 2010

What people (and especially FaceBook & Gmail users) need to know to prevent becoming a victim of advanced cyber scamming!

In personal conversations or emails with friends I've received a number of good questions following a significant recent break-in on the 28th of March when a Nigerian cyber scammer siphoned out my entire Gmail address book!

While through a combination of persistence and luck I was able to recover control of my Gmail account (though not my address book) and get a step ahead of that criminal element, there were some interesting and far-reaching emotional effects among my friends circling the globe - some of which continue: the scammers are still periodically sending out evocative messages in batches from a fake email address which intentionally looks like mine! Thus far I have received well over a hundred concerned phone calls or emails from very worried friends all around the globe, and of course some emails that were initially sent to me I never saw!

Not because I took considerable time to research the subject and pull together some important knowledge - which I did - but mainly because what can be learned here might save the reader and perhaps some other friends lots of blood, sweat and tears, I encourage you to "read more" after the jump below! (And if you think what I've pulled together may be of practical help to others, feel free to point them here.)

Question #1: Did you (Clair) have a virus or malware infesting your computer? (And could I get a virus or have my account affected by having opened that email?)

Question #2: How can cyber criminals do this devious thing and rip off passwords?

Question #3: How widespread is the problem and what can "they" (the authorities) do about it when the problem originates in other countries?

Question #4: To minimize my risk, what must I do to protect myself if I want to continue to use web-based email (like Gmail) or a social networking site (like Facebook) ?

Question #5: Why is the scam, using the email addresses they obtained, able to continue, since you were able to "recover" the account at your end? (Did they get in again?)

Question #6: What should people like me do when they get a message like that? It sure seemed "real!"

Summary (Why I feel so fortunate, in spite of all the hassle!)

Question #1: Did you (Clair) have a virus or malware infesting your computer? (And could I get a virus or have my account affected by having opened that email?)
No. It had nothing to do with a virus or anything malicious surreptitiously installed inside my own computer's software or hardware. It's actually more sinister and less easily detectable than that! I explained in that other blog column how quite a while before this incident I had installed VERY strong defenses. All of my anti-virus, anti-hacker and firewall software programs were working quite well and had their settings properly adjusted. I double-checked that after the fact with a tech from my security company - Comodo. I also use a proprietary wireless modem owned by Virgin Broadband here in Australia and it is also very secure, so I actually have double protection as far as the hardware is concerned. I discussed all this to my satisfaction with Virgin's tech support, as well.

Thus a scammer did NOT, and will never be able to, get inside my computer or attach anything to my software. How do I know for sure? I had absolutely NO viruses and NO malware showing up afterward upon testing - twice - utilizing reputable programs from different companies.

Apparently what that miscreant did to hack into my Gmail account was to obtain my password - which, by the way, was a very "strong" one - while I was online. The worst thing is, this can happen to anybody anywhere anytime if you use web-based email. So I hope you'll take the time to read what follows and ascertain if you are sufficiently prepared! Scamming passwords happens randomly and will continue to happen from "now until kingdom come."

Question: How can cyber criminals do this devious thing and rip off passwords?
During my research this past week I began to realize the many options scammers have developed, typically deploying one or more strategies from a whole tool-box of them at their disposal:

1. Detecting common password usage, that is, using the same password for multiple accounts so if cyber criminals break into one - like the social networking site Facebook - they can get into others. (That was one of my problems. I was using the same password for my Gmail account that I had been using for FB.)

While I'm still not sure exactly HOW they hacked into my FaceBook account (but I know now that it's apparently quite easy for criminals to hack into anyone's FB "out there" in cyberspace) I do know the crims DIDN'T get to my account by using THIS particular new strategy which has caught so many others recently who use FB. All FaceBook users need to be aware of these vulnerabilities! I'm still trying to decide whether to use FB at all from now on, but in any case I've now established a unique password for it, knowing now that it can be compromised anytime.

2. Web phishing - users must be careful about which site they are on when typing the password to log on -- i.e. it may look like Gmail/Facebook/etc but maybe it's a false simulated site, and they are on the other side utilizing a "key logger." (I might have been the victim of having visited such a site in recent times and not paying close enough attention. I really DON'T think so, but don't know for sure.) Reading this recent report - especially the last three or four paragraphs about the recent rapid rise in criminals' advanced techniques in this regard - truly gave me "the willies!"

3. Utilizing a "key logger" - Here is one hacker's own description posted two years ago at "Hacker's Center" - their byline is "Security is our right. Hacking is our left" - detailing how he corrupts a Firefox browser add-on to actually accomplish this! (That was not my specific vulnerability since, though I have utilized Firefox I now primarily use Google's Chrome browser for internet surfing.)

4. Trojan Horse/Malicious code - installing them on a victim's computer. A user should investigate all computers commonly used, as a cyber criminal might have access to everything typed at the computer keyboard. All users MUST have reputable anti-hacker software installed and firewall protection turned on, with settings properly adjusted and scheduled to regularly update, in order to prevent this from happening. (I certainly did NOT have such a malicious thing going on, as I said above.)

5. Not logging out when finished using a public computer or a computer where others have access - like at work - will leave one vulnerable to hackers. (Not my situation.)

6. Browser "auto-fill" being enabled on a computer others might have access to - so they don't even need to know your password! (Not my situation.)

7. Network "packet capture" on a wireless or free hot-spot network. This is somewhat rare, but still possible for non-encrypted networks. (In my case, I haven't been using a wireless free "hotspot" but for those who do they need something like this to prevent it.)

8. Brute force - utilizing a "cracker" program to discover a password which doesn't have relevant strength. All users should make sure their password and secret question at Gmail are "strong" ones. In my case I already had a strong one.

Question: How widespread is the problem and what can "they" (the authorities) do about it when the problem originates in other countries?
Cyber crime is getting VERY sophisticated and it's getting more and more challenging for those organized to combat it to stay ahead of their game. For example, apparently certain Chinese hackers have been regularly deploying some of the strategies I listed above and giving Google huge "headaches" - something we are all hearing about in the news in recent times.

Cyber criminals mostly based in Nigeria have been using this particular scam they foisted on me for a number of months already. Whole gangs in Nigeria, Russia, China, and elsewhere are working on scamming world citizens 24/7 so there is not much we can do until their governments get serious about the problem - especially since the Internet does not "belong" to any one body, with no central authority to regulate this giant "cloud."

Two days after all this happened to me a Nigerian fellow quite knowledgeable about the details of how cyber scammers get started and freely operate there revealed in this very illuminating article how they do their thing! The level of official government complicity that he outlines is staggering, and the article concludes with: "Nigeria’s dreaded status in internet scam is in no way as a result of the skills of the scammers, but the inability of the Nigerian government to checkmate it, even when strong evidences could steer towards easy resolution. Our government is unserious; the regulating agency has no idea, the law enforcement agencies are compromised and the yahoo boys are having a field day until when someone who knows what to do comes on board. Till then, the message is simple; you’re on your own!"

I'll share a scary personal first-hand example to illustrate the problem: I did a search on where to report cybercrime in Nigeria and Google found a reputable site here with an entry halfway down that page describing the official government agency as the Independent Corrupt Practices and Other Related Offences Commission. The annotation listed there said "The commission is at the hub of Nigeria's fight against corruption. The main duty of the commission is to receive complaints, investigate and prosecute offenders. Other duties include education and enlightenment of the public about and against bribery, corruption and related offences" and then it gave the link. [WARNING TO THE READER HERE: Do not try to recreate and click on this next link unless you want to suffer the consequences like I did, even though it is/was a Nigerian govt website - I'm only spelling it out here now with "dot" inserted where there used to be periods in order to show how official-looking the link actually appeared at that point in time on that list: http://www "dot" icpcnigeria "dot" com ]

I innocently clicked on that link, but it only led to a generic sort of site advertising solicitors (attorneys) and other businesses where one then has to hire them to help report cybercrime in Nigeria. After about five seconds gazing at that, having expected to see a government website instead, my malware protector alarm came on saying someone was attempting to install a "bot" on my computer at that very moment! I then had to take extra time to run my malware scanners and so forth. This negative experience was a perfect example of strategy #7 (web phishing) in my list above, and I immediately reported it to the owner of that site, the Director of a Nigerian IT training school.

I then attempted to alert the Nigerian national police at their official site, but didn't have much better luck. When I did a search there using the term "cyber crime" the only items that came up were three articles regarding recent training of police to deal with cyber crime. I selected one which had the start of an article about a recent session sponsored by the French authorities, but the rest of the article was obviously completely corrupted by a hacker who put a whole layer of gibberish over it. So forget trying to report anything to the Nigerian police!

The representative of the IT school team, however, a Mr. Ayo Adediran, responded to my concern several hours later with a very nice letter in good English, the content of which served to restore my faith that someone in that country is listening and concerned. He promised to change their annotated list which included the link to the now-defunct Nigerian government site, which he agreed no longer works because the government apparently let this domain registration expire. I of course couldn't know that when I clicked on the link based on the annotation - even though it still appears to be very official. He explained how apparently someone else has now "taken it over" for nefarious purposes.

Mr. Adediran also helpfully pointed me to a better site - the official Nigerian agency recently set up where one can NOW file a report regarding a proven incident involving Nigerian cyber scamming: the Economic Financial Crimes Commission (EFCC). I can now see that site listed here as a result of my email exchange.

A hacker doing this stuff in the USA or in Australia can be prosecuted because there are privacy laws making such hacking illegal. In February one American super hacker known as the "Iceman" was finally put away for 13 years. There are now whole sections of legal codes involving regulations for e-commerce and prosecuting online criminal behavior. In Africa, particularly in Nigeria, it's still pretty much like the "Wild West." (There you can read reports of how criminals are killing off EFCC officials!) You can read here about "Botnet wars" raging out there in cyberspace, as we speak, with different criminal elements trying to take over supremacy from one another - just like the Mafia used to do!

Question: To minimize my risk, what must I do to protect myself if I want to continue to use web-based email (like Gmail) or a social networking site (like Facebook) ?
* Basically there is not much that can be done to ultimately prevent advanced types of "hacking", but it is worth reading this summary by Google on the preventative steps that SHOULD definitely be taken: One's risks can be minimized, first of all, through heightened awareness! Taking the time to read this blog column and some of the articles I've selected (which are behind all these links in green) is part of just such a process.

* Staying vigilant about who is logging in to the account and from where remains a must, as well. (Gmail has recently begun utilizing a new tool to make this easier, but it must be watched!)

* And it will certainly help to educate oneself at "see-a-scam" (an Australian site) or to use the appropriate branches of that site to report a cyber scam if this happens to you while living in Australia.

* Be forewarned - for most of us it isn't a matter of if, but when, cyber scamming is going to happen, if we continue to use web-based email like Hotmail or Gmail or to stay involved in social networking. (But take heart, I am willing to continue taking that risk - given what I've learned to protect myself.)

* It is of vital importance to choose a back-up system for one's web-based "history" so that if and when they siphon off your email address book, a back-up stored in your software on the computer hard-drive can be used to restore it. I learned this the hard way and have now installed Thunderbird (open source) as my choice. (One can also use an e-mail client like Outlook or Pocomail to download the messages to the computer, or use this Gmail backup utility.)

Question: Why is the scam, using the email addresses they obtained, able to continue, since you were able to "recover" the account at your end? (Did they get in again?)
Some people are still responding to last Sunday's bogus Gmail message, even a week later, because they were traveling or aren't in the habit of reading or responding to their email very quickly. And if they do, their message comes straight back to me because I regained complete control of my own email account 20 hours after it happened. Thus I'm still getting personal calls and emails related to this (as are some of my extended family members back in Indiana who continue to receive such) wondering if I'm OK and back to Australia from London yet! (And you should see some of the "interesting" reply messages that I've seen, filled with very "colorful" language some scam-savvy friends thought they were probably sending straight to those cyber criminals - and normally would be!)

I think my scammer divided up the total 1900+ email addresses which my Gmail account had automatically saved up over the last 7 years. Why did I have so many? Gmail automatically saves ALL the email addresses from other people's group lists that I happened to be on, so when people forward stuff with "reply all" - listing everyone in the "to" section instead of the "bcc" section - all those addresses come into my box, as well. Which makes for a treasure trove of addresses when scammers "harvest" it - and is the main reason why no one should be sending out group email that way!

My scammer sent out his false message in batches of up to 500 each day from a fake email address he set up at Yahoo: it looks similar to my gmail address but obviously isn't. Sending out more than 500 automatically shuts down the bogus email account when the email service concludes someone is sending out "spam," so that's how the cyber scammer stays under the radar. I can't turn that Yahoo account off because I don't "own" it and thus don't have the password. (I just realized today I need to tell Yahoo to shut that sucker down!)

Question: What should people like me do when they get a message like that? It sure seemed "real!"
Either note it as a "phishing" attempt - or do nothing and move on. Too many people are inexperienced in discerning scam messages and considered what they received to be a real message from me. First of all, it was filled with typical West African ("engrish") grammatical errors and phrases. The whole thing is illogical because seasoned travelers (like us) usually have other ways of tapping help and financial resources right away if such a thing happened - e.g. I would have immediately contacted my credit card company and children or other relatives by phone - not friends! Also, I wouldn't (and I would hope that most educated victims of a real mugging would not) write a message like that, even under extreme duress, although several friends said they thought about how being mugged at gun point and perhaps forced to compose a hurried email SOS message on a smartphone might affect one's literary style! Thus the scam becomes emotionally "effective."

I could go on and on about why, from a logical standpoint, it should be obvious it is a scam, but since such a message creates an emotional charge the worst part from what I've read is that many people out there receiving something like that will act very irresponsibly and actually try to send money in response without independently verifying the situation with "the victim!" However, the biggest give-away on this one is that the initial message gave no information on where to send money!

So, that message was clearly designed for one thing only: to elicit a startled email response from my caring friends, which results in receiving a follow-up email, then to "engage" the potential victim in further email exchanges which hype the situation and "hook" them in deeper and deeper - especially if the scammer can get them to "chat" using the instant messaging feature of FaceBook. These scammers must manage to extort a fair number of people out of their money or they wouldn't be doing this! (So far, thank God, I have not heard from anyone who was swindled on MY behalf - or at least none have admitted it!)

A couple of scam-savvy friends of mine who knew I had Skype deliberately engaged in "chats" with that scammer during the first few days of this scenario and reported to me later - independently of each other - that they had asked him to Skype them. That is the point at which he would instantly shut off contact. So asking to have a conversation on the phone or on Skype is the acid test for knowing whether or not it is a cyber criminal behind it all!
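Two of the tells described in this section - a sender address that looks like the real contact's but isn't, and an urgent plea for money - can be checked mechanically before anyone replies. The following is an added example, not code from the original post; it assumes the recipient's address book is held as name-to-address pairs, the two-edit lookalike threshold and the plea phrase list are assumptions, and both messages in it are constructed samples.

```python
"""Flag a 'stranded traveller' plea sent from a lookalike sender address.

Added example, not from the original post. Assumption: the recipient's
address book is available as {display name: known address}. A message whose
display name matches a contact but whose From: address differs is treated as
impersonation, and as a lookalike when the address is a near-copy of the real
one. The address book and both messages below are constructed samples.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: the contact the scam impersonates.
ADDRESS_BOOK = {"Clair Example": "clair.example@gmail.com"}

# Phrases typical of the urgent-plea scam described in the post (assumed list).
PLEA_WORDS = ("mugged", "stranded", "urgent", "send money", "hotel bill")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means 'looks like' the real address."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw: str) -> dict:
    """Return findings for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    body = msg.get_payload().lower()
    known = ADDRESS_BOOK.get(name)
    findings = {
        "from": addr,
        "impersonation": False,  # display name is a contact's, address is not
        "lookalike": False,      # address is a near-copy of the contact's
        "plea_words": [w for w in PLEA_WORDS if w in body],
    }
    if known and addr != known.lower():
        findings["impersonation"] = True
        real_local = known.lower().split("@")[0]
        local = addr.split("@")[0]
        # Same local part on another provider, or within two edits of the
        # real one, is the "looks like mine but obviously isn't" pattern.
        findings["lookalike"] = edit_distance(local, real_local) <= 2
    findings["suspicious"] = findings["impersonation"] and bool(findings["plea_words"])
    return findings


# Constructed sample: impostor address on another provider, urgent plea.
SCAM = """From: Clair Example <clair.exampIe@yahoo.com>
To: friend@example.org
Subject: Urgent help needed

I was mugged at gun point in London and am stranded at the hotel.
Please send money so I can settle the hotel bill.
"""

# Constructed sample: genuine message from the real address.
LEGIT = """From: Clair Example <clair.example@gmail.com>
To: friend@example.org
Subject: Back home

Back in Australia, all is well. Thanks for checking on me.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, assess(raw))
```

A hit on both "impersonation" and "plea_words" is the cue to pick up the phone or Skype, exactly the acid test the post describes, rather than reply by email.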

Summary: Why I feel so very very fortunate, in spite of all the hassle!
Though I was persistent and acted fast once I realized what was happening, I still am extremely lucky to have been able to actually seize back control of my Gmail account, and subsequently create a back-up of my entire email history. Only my email address book was sucked dry, as that was the "golden egg" they really wanted to use. Most people never regain access to their Gmail account because the alternate email address to send out the password change information usually gets switched, as well, by the scammer. (The cyber criminal who messed with my account apparently forgot to do that, though he inserted his mobile phone number to be alerted by SMS if any password changes were made! I made a quick screen shot of that, in case I couldn't make my changes in time.)

Most victims, upon reporting such an incident to Google, will have their Gmail account shut down until a whole series of detailed questions are addressed on the official report which must be submitted - and most persons can't remember all the answers, like EXACTLY the date they started their account. Thus the account is hardly ever given back with an incomplete report. That means not only losing one's email, but any blogs linked to that email address - such as Blogger - or any valuable documents saved in Google Docs, or one's photo history in Picasa, etc - virtually everything inside the many diverse programs the Google "system" owns, access to any of which, for the individual user, depends absolutely upon knowing and maintaining control over the One Almighty Google Password!

Obviously, I was able to "fix" things myself and avoid those sorts of adverse consequences without needing to file an extensive report to Google. I then created my first email history back-up offline, then decided to let well enough alone. Now I'm much better prepared for the next round, if that happens, hoping that what I've learned will help prevent it from ever happening again. But as I said above, there is no ultimate fool-proof defense against advanced hacking since I've decided to continue with Gmail. I made that decision because there are so many features about it which I appreciate and which I think make it worth the risk. But if you are looking for live human "support" from Google if you get in trouble - forget that and go somewhere else!



  1. As of an hour ago, I was finally (after seven days) sent an email by Facebook and allowed to reinstate my account by establishing a new password - my FB account is restored. The first thing I did there was post a link to this column hoping my FB friends will become better informed regarding how to protect themselves from going through what I did!

  2. Wow, thanks for all the helpful suggestions, Clair. I guess I need to come up with some different passwords!

  3. Thanks, Clair. That was very helpful. I did detect the poor grammar and different style of writing. That was so weird!