I'm slightly peeved with these toe-rags as I've just spent several hours helping a friend to recover from an e-mail account hijacking.
Over the last year or so I must have had a dozen e-mails from friends and contacts with the usual sob-story that they're in Nairobi/Istanbul/Cairo/Casablanca or wherever and have been robbed/lost their money and tickets/been arrested and need some financial assistance. Most of them have been yahoo or btinternet accounts. It's a well known problem and seems to be almost inevitable for yahoo mail users, even the careful ones.
This one was unusual as it was a gmail account, which tend to be a lot more secure (or can be).
The hijacker was a bit nastier than usual as well.
The sequence of events:
- They managed to log in to the gmail a/c
- They changed the password
- They set up a 'reply-to' to a yahoo a/c with the same user name that they'd just set up.
- They sent out the begging letter to all the contacts in the address book
- Then they deleted all the mail in the a/c and emptied the trash - although they left the address book intact
- They also managed to get into his Facebook a/c and changed the password on that too.
Friend then gets a lot of calls and e-mails telling him he's been hacked, and made the mistake of googling for assistance, and ended up talking to some dodgy company in India who used Teamviewer to control his machine and showed him the terrible things that were there and frightened him somewhat. (They weren't there I hasten to add). He agreed to pay them the £130 they wanted to clean up his machine. Luckily the bank stopped the payment! Total scammers, and presumably the same nice folk who phone little old ladies and claim to be from Microsoft and offer to remove the virus from their computers. What are the Hindus like for punishment in the after-life?
He then reported the issue to Google and got his password changed using the 'security questions' so he had his account back, minus all old e-mail.
He also reported the matter to the police (which will undoubtedly result in a series of worldwide dawn raids and arrests within days, if not hours - well, possibly in some parallel universe)
He also got all his credit cards changed.
Wisely he then asked me for advice and we've spent several hours sorting things out.
For reference, this is what we did.
- Firstly, check his gmail a/c to see if any other nasty surprises had been left, like filter, forwarding etc. Only obvious thing was that a reply-to address had been set up, and has now been removed.
- Then contact Google to see if they can recover his deleted mail. There's an excellent summary of how to report problems and get mail recovered at
https://support.google.com/mail/answer/78353?hl=en
- We filled out the form and within 10 minutes the mail was all back. Serious "thank you very much" to Google for such fast work. (I suspect they have to do it quite frequently...)
- Looking at the mail discovered some messages from Facebook about changes of password and e-mail a/c (to the new dodgy yahoo a/c), so then had to do a forced reset of the FB password and e-mail a/c. Not too stressful, although the option to recognise people in photos was useless!
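The "check for filters and forwarding" step above is the one people skip, and it's where a hijacker leaves a back door (a filter that quietly forwards password-reset mail out, or trashes the "your password was changed" notices). As an added example, not something from the original post: Gmail can export its filters (Settings > Filters > Export) as an Atom XML feed, and this Python script audits such an export for filters that copy mail out or hide it. The sample feed is constructed for the demo and the `trusted_domains` list is an assumption you'd set to your own domains.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"
# Properties that say what a filter does; anything else is a matching criterion.
ACTIONS = {"forwardTo", "shouldTrash", "shouldArchive", "shouldMarkAsRead", "shouldStar",
           "label", "shouldNeverSpam", "shouldAlwaysMarkAsImportant", "shouldNeverMarkAsImportant"}

# Constructed sample in the export format; not from a real account.
SAMPLE_FILTERS = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
 <entry><category term='filter'/>
  <apps:property name='from' value='news@example.org'/>
  <apps:property name='label' value='Newsletters'/>
  <apps:property name='shouldArchive' value='true'/></entry>
 <entry><category term='filter'/>
  <apps:property name='hasTheWord' value='password OR reset OR bank'/>
  <apps:property name='forwardTo' value='victim.name@mail.example'/>
  <apps:property name='shouldArchive' value='true'/>
  <apps:property name='shouldMarkAsRead' value='true'/></entry>
 <entry><category term='filter'/>
  <apps:property name='from' value='security@socialnetwork.example'/>
  <apps:property name='shouldTrash' value='true'/></entry>
</feed>"""

def parse_filters(xml_text):
    """One dict {property name: value} per <entry> in the export."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in e.iter(APPS + "property")}
            for e in root.iter(ATOM + "entry")]

def audit_filters(xml_text, trusted_domains=()):
    """Return (filter_no, reason, criteria) for filters that copy mail out or hide it."""
    findings = []
    for n, props in enumerate(parse_filters(xml_text), start=1):
        criteria = ", ".join(f"{k}={v}" for k, v in props.items() if k not in ACTIONS) or "ALL MAIL"
        fwd = props.get("forwardTo")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in trusted_domains:
            findings.append((n, f"forwards to {fwd}", criteria))
        if props.get("shouldTrash") == "true":
            findings.append((n, "deletes matching mail", criteria))
        elif props.get("shouldArchive") == "true" and props.get("shouldMarkAsRead") == "true":
            findings.append((n, "hides matching mail (archived, marked read)", criteria))
    return findings

if __name__ == "__main__":
    for n, reason, crit in audit_filters(SAMPLE_FILTERS, trusted_domains=("example.org",)):
        print(f"filter {n}: {reason} [{crit}]")
```

On the sample it flags filter 2 twice (forwarding out, and hiding the copies) and filter 3 (binning the security notices); the innocent newsletter filter passes.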
Meanwhile we're wondering how it had happened in the first place. Checked that AV was up-to-date on friend's main laptop and ran full scan, completely clean. Ran different AV to double-check, and about to run Spybot as well. So probably not something as obvious as a keylogger. If they'd done that I think they may have tried high value attacks like bank accounts rather than a standard scam that's unlikely to work, and grabbing FB contact lists.
We chatted about his recent activities. Did he use an internet cafe or a strange computer? Could someone have shoulder-surfed when he logged in in public? And he travels a lot, in some slightly dodgy places (including Nairobi - where he met a nice lady who offered him TWENTY SIX MILLION US DOLLARS). He travels with an old laptop, and remembers using some unsecured public WiFi spots. We decided that was probably it - shoulder-surfing or unsecured WiFi with some nasty goings-on on the server.
That was actually quite encouraging, as he'd been worried that someone had hacked his actual laptop - but it doesn't seem to be that. (The nice lady in India who should go and get an honest job suggested that someone had hi-jacked his IP address - I'm not sure how that would work.)
So, we then looked at how to stop it happening again.
First off, we turned on Google 2-factor authentication. This is a seriously important step, and really everyone with a google a/c should use 2-factor. It's simple - when you try to login from an unfamiliar computer google will prompt you for a second, one-time pass code. It can either send it as an SMS to a previously agreed primary phone, or it can make a voice call to the phone, or you can install an app on a smartphone that generates a code that changes every 60 secs (like the good old SecurID tags that I used for remote dial-up login to Eagle Star many years ago). Some other services offer 2-factor, and everyone should use it whenever possible.
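For anyone curious what the code-generator app is actually doing: this is an added example, not code from the post or from Google. It's the standard TOTP/HOTP scheme (RFC 4226 and RFC 6238) in plain Python: the phone and the server share a secret, and the code is an HMAC of the current time slot, so a code someone shoulder-surfs is worthless a minute later. It assumes the RFC default 30-second step (some services use other intervals; pass `step=`), and the test secret is the one from the RFCs, not anybody's real one.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation'."""
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)            # keep leading zeros, e.g. "07081804"

def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step). 30 s step assumed (RFC default)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)

def verify(secret, code, at=None, step=30, window=1, digits=6):
    """Server side: accept the current slot or `window` slots either side to allow clock drift.
    Comparison is constant-time so timing doesn't leak how many digits matched."""
    at = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, at + k * step, step, digits), code)
               for k in range(-window, window + 1))

def secret_from_base32(b32):
    """Apps are provisioned with a base32 secret (QR code / typed key); decode it, re-padding."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

if __name__ == "__main__":
    # Shared test secret from RFC 4226 / RFC 6238, NOT a real one.
    rfc_secret = b"12345678901234567890"
    print("code right now:", totp(rfc_secret))
    print("RFC 6238 vector at T=59:", totp(rfc_secret, at=59, digits=8))   # 94287082
```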
Then we looked at the issue of possible hi-jacking of a WiFi session. He's now going off to install VPN software (I suggested Hide My Ass Pro) which will create a secure connection over even an unsecured WiFi network. I've used it, and it works with Windows and Android devices, and I assume a whole lot of others. It has other uses too, but well worth the $60 p.a. (special offer) if it prevents a repeat of something like this.
That seems to be it. I'm not sure how effective it would be to report the dodgy yahoo a/c to yahoo.
We had a look at the gmail account history, to see if we could get an IP address for the soon-to-be-spit-roasted one, but we'd left it too long. Pity. Can one book a drone strike on an IP address anyway, or do they want a grid reference? (That's a question for you, NSA)
A useful lesson (or two) to us all. Mainly a) use two-factor authentication and b) don't use unsecured WiFi
Hopefully this particular scammer/hacker/little shit will shortly have an accident that wipes out all their savings on medical bills, without actually being life-threatening. May they live a long and miserable life of anticipation of the hell-fires that await them when DEATH finally comes to take them.