Tuesday, June 14, 2011

Roving Reporter: Email scams, friendship and computer insecurities



Roving Reporter Carol Robidoux
Maybe this has happened to you: You sit down with a cup of coffee, open your e-mail and scan the in box for something worth reading when you see “HELP NEEDED” with no fewer than 10 exclamation points, sent from someone you actually know.
You gulp your coffee as you click open the email, further concerned to learn that your “friend” is writing with tears in her eyes, having been mugged in a hotel park during her brief vacation to the UK. Bad guys took all her money and credit cards and now, to catch her return flight which leaves in a few hours, she needs money to settle her hotel bill. No one at the embassy or foreign police department is being particularly helpful.
She will take any help – as in money – you can wire. She'll pay you back when she returns.
She signs her name. It feels like a genuine cyber SOS. So what do you do?
That all depends on how familiar you are with the increasing sophistication of e-mail scams infiltrating our personal email and social networking accounts. I know this because last Wednesday my personal email account was hijacked and several hundred people, ranging from relatives and friends to law enforcement officials and Derry town employees, received a virtual shake down from an invisible bad guy pretending to be me.
Screenshot of an Amazon scam.
In the week that followed, I learned a lot about the nature of people, the fragility of email security, the boundaries of friendship, and the network of cyber crime stoppers working to prevent the good-hearted yet somewhat gullible masses from falling prey to such scams.
Like the group of Derry town employees waiting for me on the third floor of the town hall, just hours after my email account went AWOL, most of them relieved to see I wasn't going to miss the appointment after all.
“We took up a collection for you,” said Town Administrator Gary Stenhouse, jingling the change in his pocket. Hey, it was better than nothing, I figured, given the normally hostile reception reporters get from municipal employees they scrutinize in print.
I also heard someone from the newspaper alerted the editors of my faux plight. I later found my bosses were unanimously put off that I failed to file stories in advance of my UK vacation for the next day's paper. Even Union Leader Publisher Joe McQuaid took the time to let me know that he'd gotten two internal emails and an anonymous phone call from people wanting to help me.
He said he was personally still weighing the pros and cons of donating to the “Save Robidoux” fund.
After recouping what remained of my virtual identity – and dignity – I lapsed into reporter mode and learned that this particular scam continues to swindle people across America of their cash – so far hundreds of thousands of dollars have been wired to a nameless, faceless bad guy an ocean away in the name of friendship. It's so prevalent the FBI has added “The Stranded Traveler Scam” to the Internet Crime Complaint Center's alert log.
Jeannette Toscano of IC3 explained they are sort of cyber hero justice league, a partnership between the FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance, all committed to fielding complaints from scam victims and shutting down the cyber villians.
“Once you opened that email, there could have been a worm in the background that allowed the scammer to get access to your contacts, which is how they perpetuate the scam,” said Toscano.
Most likely to respond are the kind-hearted friend or particularly vulnerable grandmothers and marginally computer-savvy relatives. You know them as those who regularly forward notoriously annoying emails detailing political injustice or medical calamities or warm fuzzy animal photos that can be stopped, aided or enjoyed just by resending an email to every “strong woman,” “equally fed-up American,” or “someone in need of a smile” you know.
Still a little shaken from the feeling of vulnerability, I wanted answers. I called academic cybersleuth Gary Warner, a University of Alabama at Birmingham professor whose virtual street cred includes being a card carrying member of the FBI’s Digital PhishNet and Team Leader of the Phishing Incident Reporting and Termination Squad.
I asked The Terminator how this happened to me, one who regularly refers others to Snopes.com to debunk email spoofs and never falls for promises of money from Nigerian diplomats.
He seemed to want to blame the victim, who in most cases have inadvertently given up password information through ignorance. He was puzzled to learn I use Gmail, since just about all of the 1.5 million daily spam emails he mines with his spam-catching software originate with Yahoo or Hotmail accounts.
Then he asked me if I'd received an Evite lately – that's a popular online invitation site that has pretty much eradicated the need for paper party invitations and postage stamps.
I had. But told him I hadn't had time to respond. I'd been too busy fielding responses to my spam email and changing all my account passwords to think about developing a social life.
“Just last week Evite spam was responsible for a huge amount of malware – 11,000 copies came into my spam collector alone,” Warner said. He went on to inquire whether I'd opened anything from Target or Amazon lately – two more unexpected sources that, just last week, delivered unwanted malicious software to unsuspecting computer users everywhere.
He sent me a screen shot of the Amazon scam. It didn't look familiar to me, but it also didn't look suspicious.
“The Amazon scam says something like 'thank you for verifying your new email address. Please verify it belongs to you.' Then it directs you to click a little button in the center, and if you click to start the verification process, it steals your password,” Warner said.
He wanted me to remind readers that protecting your email password is probably the single most important safeguard to preserving the integrity of your virtual identity.
“People tend to not think about their email password being important, yet the most common password people choose for their email account is still 'password.' Think of what the bad guys could do with your email password. How do you reset your bank password? By requesting help, which comes to your email, including a link back to your bank site, where the bad guy, who now controls your email, can easily reset the password,” said Warner.
“If a criminal has your email account, he can access your bank accounts, your credit card accounts,, any site you shop from, like Amazon or Best Buy. All those accounts are set up with the same singular point of failure. If I have your email password, I can reset every password in your life,” Warner said.
Masking the paranoia I was now feeling over my computer insecurities, I asked Warner if paranoia is a plausible response to the real risk here. I was thinking about the ease with which so many of us use our email and Internet accounts for work correspondences, document sharing, online banking and Christmas shopping.
“People ask me that all the time. As much as I know about online crime, do I still use online baking? Of course I do. Honestly, we are still far more likely to have an account stolen by the waiter who takes our credit card into another room at the end of a meal than by some unseen, online predator,” Warner said.
Needless to say, I've learned some valuable lessons in all of this. For one, that all my hard work building journalistic bridges in the town of Derry are enough to see me safely home, should I ever find myself stranded abroad and in need of airfare. Also, that email scams happen, and everyone can be a victim.
And most of all, I've learned that the next time someone delivers a meal tab to my table, I will be the one paying with cash
.

No comments: