Friday, November 13, 2009

Teh internets, they haz the scammers

I just had to send out the following email because someone close to me had their email and facebook accounts compromised:

Hi everyone,
You may have received a strange email from [redacted]'s email address this morning ([redacted]

[redacted] is not in London, and she has not been robbed at gunpoint. She is perfectly fine.

Her account has been stolen by a scammer using a well-known scam.

This scammer has also taken control of her Facebook account, and is attempting to get her friends to give him/her money. It's possible that the scammer might access other accounts to try to contact people and get money.

Please ignore any requests coming from [redacted]'s accounts. If you've given any information to anyone pretending to be [redacted] in the past 12 hours, consider changing passwords as necessary.

And please secure your own passwords.
There are lots of articles about securing your passwords, but at the VERY LEAST: do NOT share a single password between your important accounts (Gmail, banks, etc.) and anything else. In particular, don't share the same password with Facebook, as it is very easily phished.

I don't know who was in [redacted]'s address book, but I'm emailing everyone I think *might* have been. I apologize if this reaches you in error.


On Fri, Nov 13, 2009 at 4:19 AM, [redacted] <[redacted]> wrote:
I'm sorry I didn't inform you about my traveling. I am presently in London, United Kingdom and I'm stuck here.
I was mugged on my way to the hotel and my money, credit cards, phone and other valuable things were taken off me at gun point.
I need you to lend me some money, I need to sort out my hotel bills and get my tickets straightened out.
I would be glad if you can help me and I promise to pay you back immediately I get back home.
Waiting to hear from you.


PLEASE, please, if you ignore all the rest of the advice about password security, at least do this.

I personally dislike Facebook in particular because it so often asks you to allow account access for stupid shit, and it is so common to get messages (emails) which you click to go to Facebook and then it asks you to log in. With your password. From a link in your email. How many times do you have to do this before it becomes so routine you forget to be careful?

I am not a security expert by any stretch of the imagination, but I feel this lulls Facebook users into a sense of complacency in giving up account information at the drop of a hat.

I don't know for sure how this hack happened, but I would put money on this:
  1. the user was phished with a fake Facebook login request, handing the hacker the user's account credentials.
  2. the hacker used those credentials to log into Facebook and found the user's email address and maybe other info.
  3. the hacker guessed (because this is unfortunately common) that the user might use the same password for their other accounts, and successfully logged in to the user's other accounts (email, etc... anything that's listed in Facebook! and then anything that's listed in the other accounts they are now accessing!)
  4. the hacker changed the secondary email addresses and phone numbers in each account which the user could otherwise use to recover their password. Now the user is completely locked out.
  5. the hacker starts spamming/phishing all contacts in the user's various accounts

It is not that difficult to get a user to give up a password. Therefore, don't re-use passwords, so if you do make a mistake, you won't be handing over the keys to everything you own, all at once.

UPDATE: ok, this is not the one I was thinking of, but I found a funny transcript from one of these scammers' chats here.
