Hacked!! London Scam

It was an extremely nerve racking day for me, and I am sure for many of you, my friends. Some of you I have met, Some I have corresponded with, but I am thankful for the responses and concern from all of you. But let me get to the story, so that others can figure out how this unfolded and hopefully take preventive steps for the future. Now remember that even computer proficient people can be negligent, like me, so hopefully this will serve to teach even the clever ones.

8:00 – I park the car in a secure garage; using my entry card, walk through many double glass doors, using entry cards and into my office, a secure building. Security is not lax in any way and everybody is a bit more aware after recent fatal shootings at one of our factories. I believe all is well and secure; another grueling day at office is about top start. Little did I know how it was to unfold.

9:00 - I am at work, logged into the computer and scrolling through my mail this morning, checked it logged out, but I could not log back in. I was a bit mystified, so I tried logging back in again and again, only to note that it would not accept my password. I tried an alternate gmail which worked. I went on to gmails password recovery page, which stated that they had sent instructions to the yahoo address which was listed for the recovery purpose. But that yahoo mail account had no incoming mail in that account. I was mystified, wondering if there was some goof up at the Google mail servers, but then the other mail account was OK!!

9:30. Then came the first phone call from a long lost friend in Dubai, he started asking if we were safe and if we were OK and not injured. I was flabbergasted. He went on to explain about an email he had received from me stating that I was mugged in UK and needed money to fly back in the next three hours. Soon enough, another friend called me from Switzerland asking me if I was Ok and not badly injured. I was shocked, and he explained me about the same mail he got from me.

Now I started getting worried. In a flash I knew that the account was hacked and the scam was on. The scammer was trying his best to get as much as he could in a short time window before the security systems closed all doors. I wanted to get word out to everybody that it was a scam, but how would you do that if your contacts were all in that gmail account? Mistake # 1, lesson learned #1. I remembered then that the recovery mail had been sent. But you are deceived by the Google mail saying it has gone to an @yahoo.com account. You are not told which!! Remember this for now as Lesson#2. And I knew I was no longer in a secure domain, but in a very unsecure cyber warzone, the underworld of the hackers who had taken over my Google accounts.

I was also worried since the account was linked to an AMEX card. I feared that that too was getting hit simultaneously, but I dreaded logging in fearing that the computer itself was probably compromised with key loggers and the such. But then I decided that I could not handle two attacks at the same time, on the mail side and the AMEX side. So I crossed my fingers and left the card and concentrated on recovering the mail account.

I tried frantically to get to gmail recovery services and got to the next step i.e. the Account recovery form ARF which asked me a lot of precise information such as 5 frequent mailers, five folders in the gmail account, details of other linked accounts, which dates they were started, the date on which the gmail account itself was started, a copy of the invitation used to start it and so on. It was a daunting process. Your troubled and racing mind can hardly comprehend the issue at hand and now this kind of detail from memory is not so easy. I filled it up step by step, racking through my the old grey cells to get to some of the details.

Meanwhile what was going on without my permission was going on, the hacker was at work but my attempts were concentrated on regaining control over the account and to stop the nonsense before he tricked somebody.

As this was going on in office, my wife and I were receiving calls from across the globe from caring friends asking if and how they could help. I was so embarrassed; many were people I was talking with after ages.

The first input came when a friend mailed a copy of a mail that I had supposedly sent from UK. It read as follows

My Predicament!!!

I'm writing this with tears in my eyes, my family and I came down here to London, England for a short vacation unfortunately we were mugged at the park of the hotel where we stayed, all cash, credit card and cell were stolen off us but luckily for us we still have our passports with us.

We've been to the embassy and the Police here but they're not helping issues at all and our flight leaves in less than 3hrs from now but we're having problems settling the hotel bills and the hotel manager won't let us leave until we settle the bills.

Am freaked out at the moment.

Some who knew me very well saw through it, for it was not the kind of language I used. Phrases like ‘am freaked out’, and ‘tears in my eyes’, ‘London England’ were dead giveaways. Some knew I lived there, had friends a taxi ride away, so why should I send a mail to somebody in Dubai or Singapore?. Also if you were sending messages to people that close to you, you would not say ‘my family’. You would use their names or you would tell them to call you at a number or meet you. This is Lesson #3

Lesson#4 to all readers – nobody who is mugged has the sense to send out such precise messages with dotted i’s, crossed t’s and comas and full stops. Then again, if the hotel manager and the police knew the problem, you cannot leave in a flight in 3 hours. So disregard urgent action needs coming from emails, People call.

Lesson #5 – What on earth does one have to do with an embassy and you know how helpful they are and how much times it takes.

10:30 I was racing against time. I knew that there was an outside chance that somebody may do something, like wiring money or something. So I was checking my backup mail account for replies from Google. Alas, they are not available on the phone to talk you through a problem. The first reply came saying they could do nothing about restoring my a/c or blocking it with the ARF information provided. My hopes were crushed.

Another friend then called from UK. He had more news. He replied the message stating that he was near London and could help (a very interesting turn of events as this pal and I had never met, so he did not know my voice or face). Where was I? The hacker replied. Mayflower hotel London (I do not remember if that was the name, but suffices for the moment), that I was supposedly in a hurry to catch the flight, he needed the money urgently in a Western union account, details provided in the mail. My friend called the hotel to hear that nobody with my name was registered there. So he found out that it was a scam. Then he hunted down my number in US & called me to explain what was going on across the (pond) continents.

The hacker, was operating out of Nigeria. It was past noon by now in Nigeria. His time window had narrowed, the possibility of success depended on some soul wiring him money into WU and providing the MTCN. I was praying fervently that nobody did, as I worked the keyboard frantically to get my account back, filling the ARF again, going deeper and accessing dormant grey cells in my brain for dates when various accounts had been opened, connecting events and locations and drawing timelines.

A friend in Sweden called to see if he could help. I explained the issue and wished him Godspeed as he was driving out out for his vacation. Checked my alternate Google account again, no good news. Dusk in Dubai - My friend in had sorted out the issue and settled for dinner, Night time in India - my friends there were frantic some calling my mother in law in Calicut to find out what was going on. She has talked to her daughter just yesterday, they were not in UK, but are very much in US, she explained. One of then offered to inform some others he knew in our circle that it was a scam.

I had another issue, for I had a home inspection due in 10 minutes. So got into the car and sped through, fortunately not breaking any rules, reaching home in time. The last time I did that was when I drove fast to close the home doors after realizing it was left open. I got a speeding ticket, but that is another story. The inspector was late. But as I logged into the account, I saw a message from Google with instructions on how I could change the password and reset the account, which I did. I sent out the first message to a few people. But the contacts list was lost, so it was laborious inputting each email ad. But then, In the euphoria I had just logged in and reset my account and changed the password

MISTAKE, for the hacker creep was ready for that and waiting in, Nigeria. Now how did I know he was in Nigeria? That will be clarified later, and well, he knew exactly how to take care of this too.

1130 It was now 2 hours and counting after the hacking.

The front bell rang. The home inspector came and as he saw me, his eyes literally popped out. He said what are you doing here? We just read about your tragedy in UK. My boss & me who got the same mails were wondering and hoping you are physically OK…Wearily I explained that I had been hacked. I knew I was stuck for the next 2 hours with the inspection, but then I was glad I had changed the password. Nevertheless, I was on tenterhooks but trying to focus on the points the builder had to take care of. Pat the inspector was patient, but I was not. My nerves were jangling, my senses keen even though the PW had been changed.

Finally he was done and left. I jumped on to the keyboard and logged back into gmail, but it would not let me do that. Again the message in red – Wrong password. I was furious and like an idiot snapped at my wife who was asking what I wanted for lunch, while trying to figure out how & why this new turn of events had taken place.

It dawned on me, suddenly that as the bell was rung by the inspector, I had forgotten to change my recovery email address which had been hacked to another yahoo address. Google would reply me saying instructions were sent to the yahoo ad and I would think it was mine, but it was cleverly mimicked by the hacker to give you that sense of belief at least for a while. He needed as long a time window as possible. I was furious with myself, I had restart the whole ARF process again of providing all the details to Google, which I did and sped back to office again, hoping that some cop with a radar gun was not waiting behind the shadows.

Meanwhile the Nigerian a&*^&hole was communicating with friends of mine. Some asked him to call their numbers. Some asked him what was going on he replied thus

Glad you replied back, Am not to good at the moment and i have no
access to phone, this is the only way i can get to any body. We have
nothing left on us right now and we're lucky to have our life and
passports with us it would have been worse if they had made away with
our passports.

Well all we need now is just £1,231, to pay for the hotel bills and
also take a cab to the airport, if you can help out, you can have it
wired to my name via Western Union outlet i'll have to show my
passport as ID to pick it up at the western union outlet here in
London and i promise to pay you back as soon as we get back home.

Here's my info below.

First name Last name
London United Kingdom

As soon as it has been done, kindly get back to me with the confirmation number. Let me know if you are heading to the WU outlet now??.

Night in India - Joe was on the train from TVM to Trichur when he saw the first mail, he mailed his friends in UK. One who worked in Radisson started checking if I was booked there. Another mailed me asking me to call him. But I did not of course get those mails. A friend whom I had never met offered to call the hotel and settle the bills with his credit card instead wiring money into the WU account. All these mails surfaced later.

Back in the office, I logged back in, and in a few minutes found the welcome sight – the mail from google about the reactivation. This time I logged in and did what I had to do, step by step.

The inbox, sent items and trash were as it was in the morning, all incriminating evidence removed. But all contacts were lost and saw that the hacker had left behind a forwarding yahoo address for all incoming mail, deleting them from Google’s server as they hit the account. But I went about my tasks.

Set up for secure https.
Found that all mail was being forwarded to an yahoo account.
Trash cleared up, contacts gone, but all the rest in there.
Found a new IP addresses of the person who had hacked –checked it – even though it said United States (NY) to put you on a wrong track, it was listed in Nigeria when I dug deeper. It was a well-known black listed scam spam harvester.
Changed my alternate ad, put a strong alphanumeric PW.
Changed secret question
Removed pop3 and IMAP checks
Downloaded the gmail back up program, but that does not work behind a proxy – so deferred action to evening.
Went to yahoo mail,. Changed PW, checked all settings & strengthened them.

130PM – I had regained control of my account. I had sporadic mail input after that, some who were responding, plus sending out mails to more people for local assistance. But the damage was done; I do not even know the events that transpired in those 3 hrs save the few mails I got copies of. Some corresponded asking if that was me and the hacker sent out replies saying yes, indeed, but help was urgently needed. Because I got it back quickly, I believe that the rest of the mail database was not downloaded or compromised.

The hackers window was 3 hours which he stated as the departure time of my flight. So considering a check in 1 hr before a transatlantic flight, he played the game for 2 hours with each replier and then closed and cleared the tracks.

Questions remain – why did they choose me, how much work had he done to find out my first & last names, their correctness, how he determined after reading mails that I used my last name in certain cases and so on. But he made one mistake, for usually these hackers know if somebody is travelling by tracking their IP address through the hacked gmail account. Based on the location he words the mail as mugged in ...What made him think I was in UK?

The afternoon was spent reading up on the scam on the net and answering mails and phone calls of the debacle.

Things to do with your gmail account – NOW!

Account Security:
Settings -> Accounts and Import -> Google Account Settings -> Change Password [pick a new secure password]
Settings -> Accounts and Import -> Google Account Settings -> Change Password Recovery Options [verify secret question, SMS and recovery e-mail address]

Potential Spam:
Settings -> General -> Signature [make sure nothing as been added]
Settings -> General -> Vacation Responder [make sure it's disabled and empty]

E-mail Theft
Settings -> Accounts and Import -> Send Mail As [make sure it is using your correct e-mail address]
Settings -> Filters [no filters that forward or delete e-mail]
Settings -> Forwarding and POP/IMAP -> Forwarding [disabled or correct address]
Settings -> Forwarding and POP/IMAP -> POP Download [disabled]
Settings -> Forwarding and POP/IMAP -> IMAP Access [disabled]

And finally - If you did get a mail like this - Don’t wire money. If you’re asked for your bank account number or are urged to wire money for any reason, it’s likely a scam. Cons prefer wire transfers because they are fast, and funds can be picked up easily and just about anywhere.

How does it work with WU? Well, it appears that after you wire money and provide the MTCN, they can just go pick the money with or without an ID. Sometimes an ID is asked and they create one for that purpose. This means that it is a complex network.

Later that night I backed up all the mails in the gmail account using gmail backup’s program. Checked my computer for Trojans, keyloggers etc, none found. So it was a random brute force break in. 24 hours later, I started getting the red flag on top of the Google window saying they had reason to believe that my account had been compromised. But that was a full day later!!

See what a Google person had to say about that earlier about this feature. I read than that it was also active on facebook these days.
Another blog that details this attack , Why do they use western Union

It is the end of the working day for me, I feel drained, lots of my stuff is still hanging out to dry as they say here and I feel downright foolish and embarassed. My privacy has been violated by an idiot who used brute force to break my account, though I admit (in spite of my son’s repeated warnings) that I had a weak PW.

I need a stiff brandy to calm the jangling nerves. And I assure you, if I see a Nigerian in trouble, I will not be a Gandhi.

Tail note - Anybody knows what back orifice pinging is? Well, the term is a bit old actually, for these days these hackers sniff and ping ports. They are tired of rear orifices it seems. But more on all that some other day for it is quite technical and it requires time to downscale the terms and make a good article.

One friend even stated this - Anyways, your ramblings blog looks like it’s had a new look. Is it his (hackers) work? TBH it looks nice now :) – Well the answer is no, it was all my doing, thank you, they do not do nice things and as I say this, I have a wry smile …

Read feanors blog on how he set up a chase


Indrani said...

Glad it is all over. Very strange it had to happen. Thanks a lot for the useful tips, I am saving this.

Vivek said...

Although worried at first, later I was very sure that this was some con job. I was waiting for your post on this.

E Pradeep said...

Clearly sounds harrowing, Maddy - I have just reset and checked a few of my accounts after reading this mail. I guess I will have to conduct a review of all my email addresses on a regular basis to ensure this.

Happy Kitten said...

That was a hectic time for u!
Thanks for all the info given.... guess it is good to reset passwords.. but do they really guess passwords or is there some other way they hack into an account?

harimohan said...

thanks maddy
quite complex
i would have been a dud in a similar situation
mebbe will get in touch with you then

Unknown said...

Good heavens! Real scary thing! Glad it's over and done with.


What an experience. But at least you are all ok.

Thanks for all the tips you have provided.

I am posting something on this with a link to yours.

Sarah Stephen said...

That was indeed some ordeal! Am happy that all has been sorted now.

I have been at the receiving end of some Nigerian e-mails (tax refunds and the like), which after some googling revealed themselves to be scams. There were also a few odd instances in which gmail didn't accept my password. Am hoping that it wasn't such an attack!

Jina said...

I am so glad its over. We also had a credit card hacker who enjoyed his/her vacation with our money in netherlands and rome.Sigh! Thnkfully, we can dispute it.
Well, atleast one good thing came out of it-- U have a lot of good friends..:) and now u know, they will stand by you thick and thin.U shud be a happy and wealthy man at it.:)

Praveen Krishnan said...

Pretty scary!!! Glad it's over. It is all the more scary since everyone has so much of a dependency on Google

Nikhil Narayanan said...

One of my friends Sriram (Rajaram) called me up and told me that Maddy is in trouble and that Sriram has asked one of his London friends to transfer money to you. Sriram had already gotten hold of the a/c details. He was terrified while he explained your plight to me. [Aside- It is only then I realized that Sriram is a follower of this blog. Small world]

I knew it was a scam. I had seen this/similar text twice earlier in my inbox. I told this to Sriram and asked him to call his London friend again and stop the money transfer.

What next? I called up your M-I-L in Calicut who was slightly confused if I were a scamster or someone genuine. I had not met her during my visit to your home in CLT. I told her about the scam email and with slight hesitation she bought my story. I told about the Halwa I had etc. I asked her to call you up and tell you about the hack. Called her back again and she said that you were not reachable.

I took your number from her and called up S aunty and realized you had been alerted already.

How do I make sure that no one is fooled into transferring money to the Nigerian, I wondered. I searched all our mail exchanges and realized that you always bcc and never cc. Every mass mail that you sent has S-aunty in the to. Only her.

Wait. There was a fwd that you sent with about a dozen people in cc. Alerted them all. That's the little bit I could do.

PS: I know this should have been sent to you as an email. :)
PPS: I was not much worried about you getting back your Gmail a/c since this is now more like a known issue. Touchwood.
My worry was about the Nigerian who would mint $ in the midst of this chaos. I did not want him to be richer.

The Talkative Man said...

Hats off to you for weathering all this...It is such a pain in the rear to patiently fight one step at a time and recover your access...90% of us would have given up.

P.N. Subramanian said...

What an ordeal!. Thanks for the the wonderful presentation of events. We have learnt quite a lot from your experience and tips you have provided. Thanks.

Maddy said...

thanks indrani, vivek, pradeep,
better safe than sorry - so strengthen your passwords

Maddy said...

thanks hk - there are hacking programs which can break the pw. if they identify a victim they can go with it till they break it. the only thing you can do is make it difficult.

Maddy said...

thanks hari, raji and narendra..
the problem is these guys are so far behind the scene and outside the grip of law..

Maddy said...

thanks sarah, jina and praveen
of course i fell so happy that i have great pals. sometimes you get so wrapped in day to day life that you need an incident to bring everybody together..in that way it was a reminder

Maddy said...

thanks nikhil - as i said the arf is not an easy thing to fill even when fully relaxed. so imagine trying to fill one with info in the deep recesses of your brain...at a time of stress when 2000 thoughts flit through back & forth

Maddy said...

thanks talkative man & PNS..well, i hope you also had a chance to read how feanor went after the guys..

kallu said...

Maddy, now you know how many concerned friends you have. I'm impressed. And you must be grateful too?

MY VERSION said...

I got that mail too. but my first reaction was a smile for the text was jittery and language not your style. then i thought that the situation had so forced you to lose your cool. you appeared more nervous than you were at the "Amir Mahal". my second reading of the mail made me decide that it was some con, for i remembered that your boy had studied in UK, sure you will be having more immediate contacts there, rather than send out such SOS, so i forgot all about it. now when i read your blog my first reaction was to change the passwords with a more stronger one. anyway, all's well that ends well

Maddy said...

thanks Rohini - it was a difficult experience, but interesting too - tracking the hacker though the fear that somebody else might fall for it and send money was unnerving.