Monday, August 27, 2012

Scammer how-to, or so sad the response

My wife is VP in our elementary school PTA, assisting this year's PTA president whom I will call "P".  Recently P mistyped the e-mail address of one of the PTA members, "J1", and subsequently drew a complete stranger into their internal conversations.  I will call this stranger "J2".

J2 proceeded to post Reply All messages joking that they should send him/her all the petty cash, or delete all those stupid student records, and similar annoying interjections.  P failed to recognize this situation, and rather than broadcast to all the PTA members of the error and that they should delete that original mail thread and correct their addresses for the original J1, she only responded back individually to this interloper apologizing and assuring them they would not get more messages.  Unaware of this trouble, various PTA members continued the conversation with Reply All, and soon J2 reappeared with more rants.  Then my wife noticed that J2 had included a new e-mail in the thread that was identical to P's e-mail address, except that it included a hard-to-notice letter.  Something like "myemaiil@yahoo" or "myernail@yahoo" instead of "myemail@yahoo".

About 4 minutes after a particularly nasty retort by J2, P's Yahoo address spammed everyone in her contact list and the PTA with a plea for money.  Hacked!

The letter from P now described how she was trapped in London after the recent Olympics and needed cash to get home.  This is a classic scam to fool the victim's friends to wire money to the attacker.  Meanwhile, P was still here in the U.S. and completely unaware of the danger she and all her friends were in.  My wife has learned some security tricks over the years and she immediately knew that P's Yahoo password was no longer her own.  She tried vainly to reach P several times and decided to begin responding to PTA business since P seemed off-line and probably would be quite busy.  In her voice messages and SMS texts to P, she offered to send me over to help sort out the security issue and its fall-out.

Eventually P did call my wife back, but only to berate her at length for running business that the PTA president is supposed to do, not the VP.  Thanks for nothing, huh?  P then worked with Yahoo to regain control of her account and discovered that all of her Contacts and many years of Inbox data had been forcibly erased.  This is another part of this scam, to prevent the account owner from reversing the damaging scam broadcast.

But rather than call us up, or notify anyone that the prior message was bogus, P went back to her everyday business.  She asked the VP to forward all prior PTA messages so she could catch up.  Then she called my wife and yelled at her for the things that she read in the messages, even though they had been posted by other officers.  Apparently she was reading the threads in reverse order and felt the sender (my wife) had been posting these messages rather than forwarding them to her as requested.

Added to this mix, P never notified the PTA members of this event, nor apologized for the bogus broadcast, or even warned the PTA to drop J2 from any message threads.  So one week after all this, I fully expect another incident with P and/or J2.  And I wonder if J2 was the scammer who broke into her account as revenge for the mail mix-up?

So sad that you can see this happening and be rebuffed so badly.  It may be a long year at the PTA.

For my non-security friends, here is the scam and the recovery method.

* Acquire or break the password on a victim's web mail account.  Send their entire Contact List a well-formulated letter explaining how you are traveling and have lost the means to come home.  Ask for money transfers, and provide either the wire details or provide a toss-away e-mail account to respond to for more instructions.  Immediately purge all mail and Contacts from the victim's mail account and log off.  Never have to log back in.  Monitor toss-away mailbox for incoming victims.

* Realize a scammer just used your e-mail account.  Contact the ISP and recover your account credentials.  Reset the password to something very tough, and ask the ISP if they can add some additional security features to it, even if it makes it more challenging for yourself to log in.  Consider doing this with all your on-line accounts that use this mailbox as your point-of-contact.  Restore your Contacts list however possible, whether from the ISP, your own back-ups, manually from other sources, or by asking all friends in your social network to forward their e-mail addresses once more.  Be sure to broadcast however possible that your account was hijacked, but that it has been resolved.  Hopefully you did have a Contacts back-up, perhaps on your Smartphone or the Cloud or a local mail client on your home PC.

~~~~ Habeas Data

No comments:

Post a Comment