Hacked AOL Address Books and forwarded chain emails – the latest threat to your security

We’ve recently received several calls from clients who suspected that their Macs had been hacked from the outside. While they were incorrect about the method, it appears that a new twist on an old scam has surfaced, and that it is surprisingly, alarmingly successful. We have reason to believe that email addresses in AOL address books and chain emails are being compromised by criminals overseas. The criminals send “emergency” alerts out to friends and family of unsuspecting victims, and, posing as the victim, claim to be in trouble and in need of cash to get home. These messages are more refined than the “Prince in Nigeria needs help getting inheritance out of Africa” messages we have all received at one time or another.

A sample of a successful scam follows:

Subject: Emergency!!!

I’m writing this with tears in my eyes, I’m sorry for this odd request because it might get to you too urgent, but due to the situation of things right now, I’m stuck in London United Kingdom right now, i came down here on a short vacation and i was robbed, my bags, cash, cards and my cell phone were stolen off me at GUN POINT, so i only have access to my emails, it was such a crazy and brutal experience for me and i was hurt on my right hand, but I’m glad i still have my life. I need help flying back home, the authorities are not being 100% supportive, i have been to the embassy and the Police here in London, but they’re not helping issues at all, but the good thing is that i still have my passport but don’t have enough money to get my flight ticket back home and some bills settled, please i need you to loan me some money, i promise to refund it as soon as I’m back home. You can get it to me through western union, email me back so that i can give you details to send it to.

[End of message sample].

This was sent to a client’s address book listing while the client happened to be traveling this summer. She could not be immediately reached, so naturally her friends and family were very concerned.

Now, most of us might say “who is going to fall for that?” Sadly, if a loved one seems to have sent you this sort of message, and you then can’t reach them on the phone, you might be alarmed. There are several variations of this type of fraudulent message floating around. The bad guys have become more sophisticated.

Another of our clients had a similar experience, and we have heard of friends of friends also falling victim to this scam.

We believe that our client’s AOL address book was accessed or hacked online, and not locally on her computer. When contacted, AOL was surprisingly unsympathetic to the victim’s problem. The addresses and additional notes in the address book were used to glean private information, which was then used to make the “emergency” emails sound authentic. The criminals used family names, pet names, and whatever else they could pick out of the address book information to swindle friends and family into wiring cash overseas immediately.

Another trend we’ve seen is Viagra ads going out to everyone listed in someone’s AOL and Yahoo address books. The ad appears to come directly from your friend’s mailbox. While that sort of spam is often the result of a virus, it’s increasingly sent from online address books. Your computer’s anti-virus program can’t prevent that. Your computer is no longer necessary to commit the scam. All the criminal needs is your name, your email address, and a list of your friends.

Should you fall victim to this sort of scam, either as sender or recipient, here are a few steps you can take to protect yourself:

1) If you receive an emergency email, try to reach the person claiming to be in trouble FIRST, and confirm the mail – by phone. DO NOT REPLY TO THE MESSAGE BY HITTING “REPLY”.

2) Take a close look at the sender’s email. In most cases, the criminal has imitated the sender’s email address, but used a different free service like gmail, aol, yahoo or hotmail. If the address is different than what your friend or loved one usually uses to write to you, BEWARE. It’s probably an imposter. The big tip-off is if the emergency email asks you to reply ONLY via email for more information.

2b) Alert your internet service provider, and your email service provider (you may be using Verizon for one, and Godaddy, for example, for the other).

3) Should YOU fall victim to someone sending out emergency emails in your name, alert everyone in your address book immediately that your address has been hijacked. One of our clients was brilliant and did this immediately, and stopped the scam in its tracks. Email address hijacking is incredibly easy to do. It’s also known as “spoofing.” (We won’t describe how it’s done here, as we don’t know where this alert will eventually end up.)

4) If you do any financial business online (banking, investment, bill payment, etc.), alert your banks, credit card companies and so on immediately, and change your passwords. (You should never send passwords via email at any time. As we see here, email is not secure.)

5) If your address book has been compromised, change your email address. It can be painful, yes, but it is no worse than changing your phone number. Your friends, family, colleagues and clients will get over it.

6) Change your passwords. Changing your email address and then using the SAME old password is pointless.

7) Make sure your password is a secure one. Use a combination of letters and numbers, not your kid’s name, pet’s name or your listed phone number. Do not just add a “1” to the end of your name. That’s the first thing someone will try when trying to crack it. Very obvious. Do not use “ABC123” or “password”. Foreign words are good, especially if you combine them with a number or two.

8) Write down your password in a safe place (not in a document on your computer entitled “Passwords”).

9) If you have a wireless network, make sure it requires a password to get online. You don’t want someone parking their car outside your house and using your internet to order goods on a stolen credit card. They’ll track the packages, wait for delivery outside of your home, and then leave with the packages. When the fraudulent charges are traced, the authorities will come to YOUR address. Always protect your network.

10) You may want to share this email with your friends, family, and colleagues, so that they are aware in advance of this sort of scam. Agree to only respond to such “emergency” emails if they can be verified. Let them know you would never ask for cash to be wired overseas in an email.
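
The address comparison from step 2, written out as an added example (it is not part of the original alert): the script compares a message’s From address with the address a contact normally uses, flags a Reply-To that diverts answers elsewhere, and looks for wording from the sample scam above. The contact list, the addresses and both messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address the contact normally uses.
KNOWN_CONTACTS = {"Jane Doe": "jane.doe@aol.example"}
# Phrases taken from the sample scam message quoted in this alert.
SCAM_PHRASES = ("emergency", "western union", "loan me some money")

def check_message(raw, contacts=KNOWN_CONTACTS):
    """Return warning strings for one raw message; an empty list is NOT proof
    of authenticity, because the From header itself can be forged."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    warnings = []
    usual = contacts.get(name, "").lower()
    if usual and addr != usual:
        if addr.split("@")[0] == usual.split("@")[0]:
            warnings.append("lookalike: same mailbox name, different provider")
        else:
            warnings.append("sender name is a contact, address is not theirs")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        warnings.append("replies are diverted to " + reply_to)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in SCAM_PHRASES if p in text]
    if hits:
        warnings.append("money-request wording: " + ", ".join(hits))
    return warnings

# Constructed messages (not real mail). The first imitates the contact's
# address at another provider; the second is ordinary mail from the usual one.
SCAM = """From: Jane Doe <jane.doe@gmail.example>
Reply-To: jane.doe@gmail.example
Subject: Emergency!!!

I was robbed in London. Please loan me some money through western union.
"""
NORMAL = """From: Jane Doe <jane.doe@aol.example>
Subject: Lunch on Friday?

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("normal", NORMAL)):
        print(label, check_message(raw))
```

A clean result only means none of these three signs was present; confirming by phone, as in step 1, is still the deciding check.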

Next, hacking into personal computers, especially Macs, is not as easy as Hollywood will have you believe. It’s more fruitful for these criminals to hack into large banks, email service providers, and vendors. News reports have surfaced of hackers hijacking entire client lists at major retailers, and holding those lists of credit card numbers hostage. The banks or merchants reportedly pay ransoms to get those lists back, and keep the security breach quiet. Other fertile grounds for the con artists are the enormous amounts of forwarded emails many of us are forced to sift through.

Ever notice how many email addresses are listed on those jokes that Uncle Fred keeps forwarding to you? Do everyone a favor and don’t forward them! If a con man finds such an email, all he has to do is send a reply to that “list”. Many of those listed will know one another. Thanks to that forwarded joke, most of them are now potential targets for con artists.

The thing to do when forwarding an email is to click on “Forward”, go into the body of the email, and erase everything EXCEPT the point of the mail – the joke, the statement, the link, or the picture. Protect everyone else and delete all of those addresses. No one wants to scroll through addresses and comments for half an hour just to get to the point of the mail. Delete them! Send only the point of the mail.

And finally, even though you have a mostly impervious Macintosh, don’t assume you are not at risk. If you don’t use a password for logging in to your Mac, you are at risk. If you do not have a password requirement for your wireless network, you are at risk. If your password for your email account on AOL or any of the other free online services is a simple word found in ANY language dictionary, you are at risk. Hackers have programs that will throw every word found in a dictionary at a password login. Eventually, one of them will stick, and anything in your past emails, sent emails, or address book becomes available to the professional criminal. From there it’s a small jump to stealing your identity.

These “emergency” emails sent out in someone’s name were not necessarily the result of a virus or a direct hack of the victim’s computer. Anti-virus software would not have protected them in this case. Either the ONLINE address book was hacked, or a long forwarded email was re-engineered.

We leave you with a parting thought. Install anti-virus software, and back up your data on an external drive. Back up your data. Back up your data. Back up your data. Do it today. If you are backing up, check it. Make sure it’s working. Make sure someone hasn’t turned the external drive off by mistake, or that the computer isn’t still trying to complete the backup you started five months ago (it happens). If you can’t get Time Machine to work, or if your system doesn’t include Time Machine (pre-Leopard), download a free copy of Super Duper from Versiontracker.com or shirtpocket.com. Then clone your drive onto another, blank external drive. Worst case, simply drag your data onto the external drive image and wait for it to finish copying. See our other posts for tips on backup routines and options.

We hope this alert will help prevent you, and your loved ones, from falling victim to these scams. Now please, go back up your data and check it.