Jean-Jacques Halans ‹› Afterhours

This is the collation of last week’s interesting APWG mailthread on getting “Londoned”, when your GMail/Facebook/… account is compromised and all your contacts get a message like:

Hello!
I’m sorry I didn’t inform you about my traveling… am presently in London, United Kingdom on short vacation and as i write to you now.. its unbelievable am stuck here,got mugged at gun point on my way to the hotel and my money,credit cards,phone and other valuable things were taken off me at gun point, thanking Almighty God for save keeping my passport., i really need your urgent assistance quickly ? I JUST NEED SOME FEW HUNDREDS $$$ TO SORT OUT MY HOTEL BILLS AND i promise to refund it back to you once i get home cause i still have some cash in my account but i cant access any here right now ,already canceled all my cards immediately after the muggers took my things off me!!! still at the public internet library where am making use of the free internet access, i will forever be grateful if you can help me,Waiting to hear from you quickly cos my flight leaves in few hrs but need to sort the hotel bills and please save me from been embarrassed.

Thanks.
<your name>

Names and places change of course.

The advice given:

1. When your email account is compromised, assume all your accounts are compromised. Most often the way to get back a lost password is through your email account.
2. Try to reset as many passwords as you can PLUS reset the password reset questions. If possible give an unlikely answer (but one you can remember). If you get the option to set up your own question, use an unlikely question.
3. Get in touch with the abuse@ teams at any accounts where you know of compromise. Facebook is familiar with these scams and can undo a lot of the messages being send around.
4. Contact your close friends and family to notify them of what happened (mere acquaintances probably won’t send money), since you’d feel foolish if one was conned.
5. If the password was weak, assume it was guessed. Make sure your new password is a lot stronger (test it at this online Microsoft Password Checker).
6. But if the password was strong then it may have been stolen from somewhere else it was used; so you will need to address that. Try to use unique passwords for different services. Your Facebook password should not be the same as your email password for example.
7. If the password was strong and uniquely used, then you need to look for a keylogger somewhere it was used. Think of every machine you logged in from: at home, at work, some pc at an internet cafe? Then reset the passwords from a secure machine! Make sure your update your anti-virus, and run a virus scan (and preferably use a couple of anti-malware scanners too).
8. Time is of the essence. The scammers will try to get as many people to pay up in as short a timeframe as possible. Often they will sell your account information to specialised organisations. And they will try to move the conversation to another email account.

Google then posted an article on how they try to detect suspicious account activity and allow you to deal with it.

A follow-up message might look like:

OMG!!! l’m  so glad to hear back from you.  £950 GBP will cover all my expenses including my taxi fee to the airport, I promise to refund it to you as soon as I arrive home. You can wire it to my name  via a western union agent near you for security reasons cos the name  written below is whats on my passport and that can be a mode of identification to pick up the cash at a western union down the road here  (faster and more secured).

Here are the details you need to get it to me:

Name:<your name>
Address: 5 Irving Street, London WC2H 7AT
Country:United Kingdom.

I still have my passport so I can use it as identification get back to me with transfer details and the confirmation number # to pick up the money with my passport also scan receipt you will receive from the western union canter let me know if you are leaving to WU now.

The value is usually chosen to be below floor limits where strong identification (like a passport) is needed, and as it is sent via Western Union, the address is meaningless, as the money can be picked up at any outlet in the UK.

Hope it may help anyone who fell victim.

We already had online virusses and worms, now we got paraSites too.

The word ‘parasite’ comes from the Greek ‘parasitos’ (but then in Greek) which means ‘person who eats at the table of another’. In general we use parasite to refer to “an animal or plant that lives in or on a host; it obtains nourishment from the host without benefiting or killing the host”. I first heard of web paraSites on the APWG mailing list, used by Russ McRee from Microsoft (working at Live Messenger looking for malware and phishing sites) to refer to a sites which are:

“service” offerings designed to see who has blocked or deleted your IM alias from their messaging contacts. These sites always have significant disclaimer language, and often disclose that they will send SPIM (SPam over Instant Messenger) to your contacts if you enter your Live ID credentials.

One such example he gives is finecommunity.com which bluntly asks for your Microsoft Live ID and has a very dry Terms Of Use at the bottom of the page, which nobody ever reads, and which ends with:

To unsubscribe from our services you just need to change your Windows Live password.

This is all too familiar on the Twitterverse. Due to the lack of a decent authentication api for Twitter (until recently, they now support oAuth, but the damage has been done), a lot of Twitter related services have popped up asking for your Twitter username and password. But even besides Twitter, other social networking sites would ask for your Gmail or Hotmail credentials to “find your friends” and “invite them”. This isn’t phishing (for your credentials), they just ask them from you so they could “help” you. There have been plenty of instances where these services would add spammy content and links to for example your Twitter stream, or send out emails to your contacts, automatically (because that’s part of the service they offer). Those too are what you could call paraSites, living off of your account.

Even right before I started writing this post I encountered such instance: the HP Touch the Future Now contest, which tells you to twitter about the future (or rather answer some weekly questions on Twitter) in order to win and asks for your Twitter username and password. The T&C doesn’t say anything about spamming your Twitter account. It does say if you don’t provide the required details, you’re disqualified. And that it may pass your personal information to related bodies corporate and agencies assisting with the contest. But why would they need your Twitter username and password? Just tell people to tweet and reply to @hp_<whatever>. Would you trust HP with your Twitter username and password? Didn’t people get bitten before by one of those other “services” wanting your credentials? This might well be a lack of understanding of social media on the part of HP and their marketing team, and they actually mean no harm (as in they won’t spam your Twitter stream). Or at one point in time they might just suck the life out of your Twitter account!

Just the other week I experienced two occurrences where Twitter was used by business for product support, which I’d like to share, for those who still doubt the power of social media. These are web businesses (UserVoice and Google) but that shouldn’t make any difference. Any business should monitor the Internet for their brand and reputation. I wasn’t necessarily looking for answers from them, but they did answer.

Earlier last week Google introduces a new version of their Profiles. I had set mine up, and using it I had a concern:

It was a rather generalized question I put out there for the twitterverse. I wasn’t expecting a response at all. Less than two hours later I did get a response:

Google obviously cares about their reputation and seem keen to keep track of whatever’s being said about them. Unfortunatly they didn’t include a link to their report abuse system, which would have been nice if I had a problem (which I didn’t). They could have pointed to a particular blogpost addressing these concerns, or they could create one based on these concerns found around Twitter or the blogosphere in general.

Then last Thursday at a workshop I was demoing a couple of my little web apps where I noticed that one was crashing Firefox and the other had a weird Firefox rendering issue (in effect duplicating the content, though view source only showed the content once). I quickly dugg around and uncommented the UserVoice script loading in those page, which seem to resolve the issues. I posted my concerns on Twitter, to see if anyone else had the same problem.

Two minutes later someone (who I think/hope is involved in UserVoice which wasn’t obvious) replied:

Since I had the UserVoice code removed and was at a workshop (and it’s not really critical to me), I told him I had fixed it for now, and would look at it again later, to which he let me know that I could contact him if I needed any more help. I did not have to go to a UserVoice forum to get help (I wasn’t looking for help actually) , as it could well be an issue with one of the Firefox plugins I have installed. But UserVoice cares enough about their reputation that they try to keep all customers (even little old me, even free customers) happy.

Twitter has been useful for me before in resolving (or sharing) problems. For example, when all my sites hosted on (MediaTemple) were down a couple of weeks ago, I obviously tweeted about this, and got responses back from other people having the same problems. Some of them then pointed me to the MediaTemple Twitter account which was giving out status updates on the cluster problems they were having, to which I then subscribed and got into the loop of how and when things got resolved.

Twitter is an open micro messaging platform which allows people to use it in any way they see fit (within the 140 character constraints). It’s a diary, a bulletin board, a self-help system, a publishing platform,… enabling real time search for events, brands, people… and we haven’t seen the end of it yet.