Frightening But Fake Emails Sent by Hijacked Accounts
As the summer travel season heats up, another round of phishing emails hit Gmail users last month that pass themselves off as cries of help from friends, families and co-workers claiming to be stranded in London.
This type of distress scam was first seen in May 2008, but the latest incident left no trace that the accounts had been hijacked, marking a higher level of sophistication. In past attacks user passwords were changed, giving account holders a clear sign something was amiss when they were unable to log in to their accounts; in the latest London scam the passwords were not changed, indicating the hijackers used more sophisticated methods.
Hijacked email accounts, in which the scammer obtains access to an email account and sends messages under the account holder's name to his contacts, can pose a threat to friends and family, leaving the victim unaware until he receives a call from a concerned contact. And it's not only email that is at risk. A lost phone can provide the channel for text scams, and direct messaging on social networking accounts can prove equally dangerous.
The Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center (NW3C), reported that the total loss linked to Internet fraud tripled over the past five years, from $183 million to over $597 million.
"It's really easy to hijack accounts," said Jamz Yaneza, threat research manager at Trend Micro.
"People leave their email addresses all over the Internet, like on a forum to get help with a broken toaster," Yaneza told TechNewsDaily. "The bad guys harvest email addresses and then try to match a password with the account. It's called a brute force attack."
Weak passwords are what make these attacks successful. Scammers may try to guess a password by hand or use a program to run a dictionary attack, which quickly tries every word in the dictionary against the harvested email accounts. To thwart this type of attack, Yaneza recommends using a password that is not a real word and that includes upper and lower case letters, numbers and symbols.
But these days, strong passwords are not enough. "Most people use the same password over and over for their email, social networking accounts, and their bank accounts," Yaneza said. "Once compromised, you can imagine how the problem can scale."
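The password advice above, turned into a check: the function below is an added example, not code from the article or from Trend Micro. It reduces a candidate password to the word a dictionary cracker would match it against (lowercasing, dropping trailing digits and symbols, undoing common letter-for-symbol swaps) and then applies Yaneza's mix-of-character-classes rule; the word list and the 12-character minimum are constructed assumptions for the demo.

```python
import re

# Constructed mini word list for the demo; a real check loads a large dictionary file.
DICTIONARY = {"toaster", "london", "password", "summer", "travel", "welcome"}

# Letter-for-symbol swaps that dictionary crackers try automatically.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def dictionary_base(password):
    """Return the dictionary word a password is built from, if any.

    Lowercase, strip leading/trailing digits and symbols that are not
    leet letters (so 'L0nd0n2024' keeps its core), then undo leet swaps.
    """
    core = re.sub(r"^[^a-z@$]+|[^a-z@$]+$", "", password.lower())
    return core.translate(LEET_MAP)


def is_dictionary_based(password, wordlist=DICTIONARY):
    """True when a plain dictionary attack with common mutations would hit it."""
    return dictionary_base(password) in wordlist


def meets_policy(password, wordlist=DICTIONARY, min_len=12):
    """Apply the article's advice: not a real word, plus upper, lower, digits, symbols.

    min_len is an assumption added for the demo, not part of the article's advice.
    Returns (ok, list_of_problems).
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_dictionary_based(password, wordlist):
        problems.append("based on a dictionary word")
    classes = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
               "digit": r"\d", "symbol": r"[^A-Za-z0-9]"}
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"no {name} character")
    return (not problems, problems)


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "L0nd0n2024", "xK9#vT2!qLm4"]:
        print(pw, meets_policy(pw))
```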
What to do with suspicious messages
If you receive a message from someone you know that says they are in trouble, verify the email came from the real sender. A TechNewsDaily reader sent a copy of an email he received from an employee who claimed to have been robbed while visiting London. Because the employee was at work in Houston, he knew the email was a fake and wrote back to see what the scammer's next step would be. He received an urgent request for money with Western Union instructions for wiring the funds.
If this had coincidentally been from someone who was traveling or whose whereabouts were unknown to him, the reader could have been convinced to write back for details or send the requested money.
Yaneza recommends recipients of S.O.S. messages send a challenge question to verify the sender's identity. "Send a question that only you and that person know the answer to, like what was the color of the dog we saw last week?" advised Yaneza.
Even if you initially identify the email as a ploy, it is important to notify the person whose account has been hijacked, so they can take action.
How to detect a hijacking
The bigger challenge is for people whose email accounts have been hijacked. If you are suddenly unable to log into an account with your password, a hijacker may have changed the password. Notify the provider of the account immediately. You may have no other alternative but to shut down the account. If other accounts use the same email address and password, check those as well.
In the recent wave of attacks, passwords were left unchanged, making it impossible to detect the crime. You may see sent messages that were not sent by you or responses to messages you did not send, but Yaneza said some hijackers monitor the account to delete these messages before the account holder sees them.
If you discover your account has been hijacked, immediately change your password and password recovery options such as answers to secret questions.
"It's just something you need to do, like getting your car fixed," said Yaneza. "If you don't take care of it, you're dead in the water."