Avast ye, matie! Prepare to be boarded!
Posted by joeabbott on April 21, 2012
I was hacked and it sucked.
Way back in 1997 I opened a Hotmail account. This was going to be my “junk” account for all the stuff that might draw in spam or for non-serious communication. But, over the years of having private email through my own domain, using the comcast or other corporate branded accounts, (and never really considering using my work email), the Hotmail account just seemed to be there every time some other system went down, changed hands, or in some other way inconvenienced me.
So, even though the Hotmail brand isn’t cool, it works for me and I’ll stick with it. But let’s get back to being hacked.
I’m reasonably savvy around computers and always wondered what other people were doing wrong when their accounts were compromised. Clearly it was something. I’m still not positive about exactly who got into my account, but I’m reasonable sure I know how. With this post I hope to alert folks to dangers, and help those who are hacked get back on their feet.
As I’m not positive how I was hacked, I won’t name names, but the coincidence of all being well and stable for ages, me taking advantage of a “free” offer, and the next day my account being hacked seem too conclusive.
As I said, I saw an offer from a company for a free game. While the free thing offered doesn’t matter, the fact that it was an “act now, too good to be true” sort of issue does. I acted impulsively because I was excited about the freebie.
In order to qualify for the freebie, I needed to register at the site. It required a few details of information but two pieces were key: creating an account that required a password and giving them my email address so they could send me a verification code.
Stupidly, I used the same password for the newly registered account as I use for my email account. I have a list of accounts and passwords I use, so this wasn’t typical, but the “get it now” impulse nature caused me to make an error.
I’ve heard 70% of all people use the same password for all accounts, so if you’re going to scam people, it seems like counting on common passwords is a fair bet. It was in this case. Anyhow, my security was now compromised.
The next day I noticed that I had received mail from myself (yes, I’m in my own address book) and when I looked at the email, it was clearly spam. Sent out by me!
Simply perusing my account I saw mail bounce-backs (from inactive accounts) and reviewing my “sent mail” I saw everyone in my address book had been sent a link to some marketing scam. In my case, fortune was with me on a few accounts:
- I don’t keep all of my contacts in the Hotmail address book … just a few frequent contacts or folks who I’d inadvertently added
- The message that was sent out was obviously spam (more on this below)
- The link appeared to be non-destructive and purely marketing related
- The users didn’t appear to steal the contents of the address book for mailing additional content to later
Still, it was a massive bummer to be used like that.
Upon seeing I was hacked, I changed my password instantly. Close that door. I then mailed a few of the folks who had received spam to say “please ignore, I was hacked, this is spam”. I probably should have mailed everyone but I didn’t … only those who I’m most actively in contact with. I thought the message would obviously be spam and ignored. Again, more on how to spot spam below.
A biggest problem occurred the following day when the Hotmail staff blocked my account. This is a great step to protect people on the web but it really inconvenienced me. The price for being stupid, I guess.
I reviewed the Hotmail “help” forums and have to say I’m very disappointed in that they have no way to contact a person: you can leave mail on a forum but there’s no dial-in help lines and no online chat. Unfortunately, you can’t leave a message on the forum unless you’re signed in! And, guess what? As my account was blocked, there’d be no signing in for this victim! I’m still not sure how they can rationalize that decision from a position of helping the customer but, there you have it.
Anyhow, when trying to access my blocked account , the Hotmail team posted a page saying “we blocked you, here are things you should try”. Unfortunately, none of those steps worked. On the forums, many other people were having the same problem I was (being blocked and just not being able to get in) and it seemed help from the forum administrators usually took the form of being pointed to the instructions you’d see upon trying to access the blocked account (not helpful) or being told to post your specific account information (which you can’t do unless you’re logged in … which I couldn’t do).
It was exceptionally frustrating.
However, through using many resources and asking specific people for help, I was finally sent a link that worked. It not only worked, it worked quickly and without any troubles. I’m stupefied that the link isn’t the first and only resource suggested for getting back your account! If you’d like to know more, read Unblocking “Account Blocked” … once I got back into my Live account, I posted my steps in hopes of helping someone else.
Switch up your passwords.
Even if you have a simple scheme of appending your spouse’s name to the name of the account (e.g., SuzyHotmail, SuzyFlickr, SuzyWordPress, etc.) you’ll have a far more complex and challenging scheme to break. I once read an article that stated concatenating any two words from the dictionary and using that as your password was more secure than choosing something like a$HT6&ptX. The article had plenty of caveats or qualifications around password lengths and character choices, but the gist was: using a simple scheme that’s easy to remember doesn’t have to be less secure than a more complex, harder to remember scheme.
And to be clear: if you choose a pattern as I suggested (Suzy*), and you let someone know the pattern, they’ll own you. If you choose a simple pattern to help remember passwords, you need to keep that pattern secret!
Bonus content: Obviously Spam
Far more people contacted me after my account was used to spam them than I thought I’d be hearing from. Folks from back home, folks from work, and casual friends … all asking, “did you intend to mail this?”
On the plus side, most didn’t actually click the link but they did ask if I had really sent it and what it might be. I’m delighted that they’d ask but still surprised as it was obviously from a hacked account. Let’s go through the telltale clues in the mail that came from my account:
To: <account1>@yahoo.com; <account2>@msn.com; <account3>@hotmail.com; <account4>@yahoo.com; <account5>@microsoft.com; firstname.lastname@example.org; <account6>@bigvalley.net; <account7>@microsoft.com; email@example.com
Date: Mon, 9 Apr 2012 05:38:29 -0700
Note: I blanked out most of the emails but left the domains intentionally. The couple of addresses I left intact were bounce-back accounts no longer in use.
The “From” line looks fine and yields no clues.
The “To” line is a big red flag.
Whenever you see a disparate, hodgepodge selection of people that looks like it was chosen at random, there’s a strong chance it was just that: chosen at random. The line had contained family members, work colleagues, and old friends. If you receive mail that was sent to a shotgun-selection of folks and you don’t recognize your peers, someone’s either putting together a surprise party, you’re being forwarded a joke or political ad, or you’ve just received spam.
Unless you’ve annoyed someone and they’re specifically gunning for you, most accounts are hacked programmatically for access to your system/personal information, or for your address book so they can get a high quality selection of valid email addresses. It’s accessed by scripts that will quickly pull your data from the address book (likely to sell to other list buyers), converted into mail, and then sent out. That mail can contain Trojans, worms, or viruses, or just introduce the recipient to whatever marketing scam they’re trying to get people to buy into.
The “Subject” line was blank which is odd but not overwhelmingly a sign of someone being hacked. Just another “something doesn’t look right here” sort of hint.
The trouble automated systems have with inserting a subject line is actually finding one that looks right. Usually it’ll be something so vague and innocuous, that it would be relevant to a broad list of not-necessarily-related folks. Lines like “Look at this” or “I thought you’d be interested in this” are common.
I realize that’s not terribly helpful … as I review the list of mail I’d sent from this account in the past, it contains items with the subject lines like “Thanks” and “Skyrim help” and “Can you see this”. I guess I make it easier for the spam writers!
The “Date” line looks fine and yields no clues.
The “Body” section, like the “To” line, is a dead giveaway.
What could you possibly say to a disparate group of people who may not have anything in common? Nothing, really. And that’s what this mail says: nothing. It’s just a link. And worse than that, it’s a link that shows a sufficiently complex format different from most links a friend might send you. If it looks scary, chances are that it is.
Some more sophisticated scammers will sent HTML mail, that allows them to embed a link inside other words. They could have their scam address hidden in a message, like “Click this”, or they could even disguise it to look like something else … like this: http://youtube.com/?CatVideo. That link looks like it should take you to some cat videos but, if you click it, it’ll take you to the “People magazine of the Internet”: Wonderwall.
And that’s it. I was hacked, it sucked, but I’m hoping some of the above was helpful either to encourage you to avoid the scam I fell for, helps you get going again if you are hacked, or helps you spot potentially dangerous mail sent from a hacked account.
Thanks for reading and be safe out there.