This year's birthday began with some puzzling notifications in my email box. The first emails came from Yahoo, with timestamps of around 6:30 AM. "Hey, we noticed that you just changed your password. Did you mean to do that?" I hadn't changed my password -- I was still asleep at 6:30, and only just got up at 7.
I tried to log in to Yahoo, and received a "wrong password" response. I changed my email password, logged in, and found that all of the messages had been deleted from my inbox and folders. Next stop was Yahoo's help, where I contacted Yahoo, explained that I had probably been hacked, and specified when I last saw my inbox intact. Yahoo sent a canned email response, but also quickly restored everything to the state it had been when I saw it on the previous night.
The same thing had happened with my Gmail account. Someone had hacked into it, changed the password, and deleted all of the emails and folders. As it turns out, Google does not restore deleted messages from backup. Everything I had in that account -- including all of the stuff I'd been working on for Shaggy Dog Stories promotions -- was gone forever. At least the account was mine again when I changed the password.
Next, I received notification that my Facebook account had been disabled. I tried logging into that, and failed. My password had been changed there, too.
Then the calls and emails started coming. "Are you OK? Where are you?" Confused, I answered "I'm at home. Why?" Some of my friends forwarded this to me...
I'm writing this with tears in my eyes, I came down here to Wales Uk for a short vacation unfortunately i was mugged at the park of the hotel where we stayed,all cash,credit card and cell was stolen from me but luckily i still have my life and passport.i've been to the embassy and the Police here but they're not helping issues at all and my flight leaves today but am having problems settling the hotel bills, and the hotel manager won't let me leave until we settle the bills,i'm freaked out at the moment.wondering if you could help me with a quick loan,i can pay you back once i get home.
Apparently this email had gone out to everyone I ever met -- the sister and stepmother of my high-school boyfriend, whom I hadn't seen or spoken to since approximately 1981, my favorite headhunter, a couple of former bosses, several Yahoo email lists, Greg, a high-school classmate on a business trip to Dallas... well, pretty much everybody. Many people realized that I have dear friends in Wales, so they believed the story -- at least for a moment. One person, with whom I had exchanged a couple of casual emails once when she was looking for a puppy, sent me back a "How dare you?" email. Apparently she thought I had some nerve to be emailing her for money. I had to explain that I'd been hacked -- had to explain it over and over and over again. I even had to set that as my status on LinkedIn, since I couldn't get into Facebook.
The more astute among my friends and acquaintances -- including many fellow writers and most of my former editors -- figured that something was afoot, since I hadn't lost my ability to use punctuation overnight. (Even my text messages use proper spelling, capitalization, and punctuation.) The originating email address was my3seadog@yahoo (a new account that looked like my Yahoo email, only with letters omitted). Same with saltyshepdog@gmail.
My friend and former co-worker Joel, who had also been pinged through Facebook chat by someone pretending to be me, pretended to play along. Here's what he sent back to the impostor:
Karen, I just checked email and saw your horrible message. Did you get the help you needed? If not, please give me a call at ###-###-#### and we'll work something out.
"Bizarro Me" wasted no time in getting back to the fish s/he had apparently hooked:
Glad to hear back from you.i wish i could call you but i don't have access to phone or any place i can get phone to receive call. It has really been embarrassing for me $1,850 USD. will cover all my expenses but i will appreciate whatsoever you can afford to wire right now, I promise to refund it to you as soon as I arrive home. You can wire it to my name from a western union outlet around. Here are the details you need to get it to me
Address:-2 Park Street Cardiff South Wales United Kingdom CF101ET
I still have my passport so I can use it as identification once you are done, kindly e-mail me the western union confirmation Number MTCN ..let me know if you are heading to the western union now?
(2 Park Street in Cardiff appears to be the address of the local courthouse, according to Google Maps.)
Joel and I both called Western Union to report the situation. Western Union's security people informed us that these crooks were well-known in the UK, and although they were outside the reach of the USA, they were known to law enforcement across the pond. Also, a recipient of wired funds could show up with a fake ID at a Western Union office anywhere in the country to claim the money -- so a bogus address really didn't matter. The tracking number simply allows people to see when the funds are available to be picked up. Apparently criminals love Western Union wire transfers because they're so trusting. The security folks put a stop on any transactions involving my name, but there were no guarantees that the local constabulary could immediately show up and arrest someone who could be anywhere in the country, and who wouldn't appear unless real money had been wired. Joel asked whether the criminals would accept PayPal -- but no. PayPal is too secure.
Meanwhile, "Bizarro Me" insisted that "my" cell phone had been taken, but the laptop had not -- hence the ability to send emails and Facebook messages, but nothing that could positively identify "me." Apparently there were no other phones anywhere in Wales, and "I" was mighty insistent about an inability to call. (Apparently Skype was also a no-go.)
In the meantime, Facebook could not have been less helpful. All support emails are automated; I didn't exchange messages with a single human being. No one answers the phones, even the ones listed at gethuman.com. They don't even take voicemail messages. All I received were multiple copies of the same "Your account has been disabled because you were scamming Facebook" email.
Joel reported that "Bizarro Me" was positively salivating at the chance to reap some reward, and kept emailing him every few minutes asking where the money was. Joel replied that his wife was out at the bank getting money, and he would send it as soon as she got home. Eventually, he tired of the emails and told the crook that instead of getting the money for me, she had wired it to a friend of hers who had also been "stranded in Wales." "Bizarro Me" began to squeak for "any money at all," but Joel cut "me" off. Apparently "Bizarro Me" has no sense of irony.
It took me over three weeks of wading through canned responses to get my Facebook account restored. Even after watching "The Social Network" and reading that the company is buying the old "Sun Quentin" campus in Menlo Park, I'm astonished to see that any human beings work there at all. Until the day my account was finally restored, I had never actually made contact with any.
To this day, I'm not entirely sure how the hackers made their attack, but my theory is that they invaded Facebook first. Facebook gets hacked all the time -- presumably by bored sixth-graders -- but the company robots have no conception of network security. Once inside, the hackers were able to send chat messages to all 1400-plus of my Facebook friends and gain access to the email addresses I had configured in my profile. From there, they were able to access the online address books for those emails, and send the infamous "tears in my eyes" email to everyone on the planet before deleting all of the email messages in my inbox.
I've been online since about 1986 or 87 (not counting a CompuServe account I'd had a year or so before that) and had never been hacked, never had a virus, never succumbed to a phishing scheme... nothing. Most of my computers have been Macs. This doesn't insulate you completely from the world of bad intentions, but most hackers are still too lazy to write viruses for Mac OS. I used to enjoy getting PC viruses in my email inbox on the UNIX boxes at work; this allowed me to read the scripts in the virus files and marvel at the sheer chutzpah of people who really should take up better hobbies. (I hear stamp collecting is very popular, as is model railroading.)
Here are some things I've learned from the experience. I hope you never need to find them helpful.
- Change your passwords. If you don't want to do it even once a year, at least make them hard to guess. Adding numbers no longer makes things more complicated; you'll want to throw in some punctuation and/or symbols, too. If you'll have trouble remembering them, write them down on paper and keep the paper in a secure place, or use a utility like 1Password. Make up special passwords for your bank account and credit card accounts, and don't use those with anything else, even other bank accounts. Most Facebook hackers just want quick/insecure money, but don't be bait for the real identity thieves, either.
- Don't use an online email account (such as Yahoo, Gmail, or Hotmail) with social networking sites. There are hackers who "specialize" in hacking those accounts. Use the email address that comes with your broadband Internet (cable or DSL), or get an email account from an honest-to-goodness ISP.
- If you value the information in your online email accounts, then save it offline. Yahoo will bail you out if something goes wrong. Google figures that you're on your own.
- Don't use online address books, except secured ones like MobileMe. Use the ones stored on your computer instead. It takes 2 more seconds per email, but you won't have to spend days cleaning up after an attack.
- Facebook and other social networking sites are all about interconnection. Make only the connections you will actually find useful. Don't click on links to videos or other messages that appear in your feed; go to YouTube (or whatever) and search for the video if you want to see it. Remember: the more capital letters, OMGs, exclamation points, or .info domains you see, the more likely the link is to be bogus -- if not evil.
- Delete games, polls, etc. that you're no longer using. You never know who will come across a dead poll with loads of contacts in it, and decide to make use of it.
- Ignore invites for games you don't want to play or friend requests from people whom you don't know, or who are perfect strangers who have no photos and no other friends.
I hope this lengthy tale of woe prevents the same thing from happening to you. My sin was laziness. It won't happen again.
By the way, if you are ever robbed while traveling and need help, the staff at a decent hotel will never hold you hostage -- and they will let you use the hotel phone to call for help.