Hacker sacked

A couple of people have commented on my Facebook note regarding the hacker saga (it was imported from a post to my old blog – one of the ways I tried to get the word out regarding the hacker). Scams of this nature traditionally involve someone claiming to be in dire trouble – and asking for money to be transferred via Western Union. In this case the hacker also changed the access email address for my account to something quite bizarre and obviously not linked to me. This same process was carried out with another friend’s account a couple of weeks back – and the best way to get access to your account back, and the way I got my account back, is to notify Facebook immediately. The link is pretty hard to find – but it’s here in case you’ve come to this post via Google looking for some sort of solution to your own Facebook hacking saga.

In my case the hacker was logged on at around 2am Australian time, claiming to be from England. It would appear that he had also hacked into the email account he was using to access my Facebook – but that’s pure speculation on my part. To my knowledge he spoke to two of my friends – who both took similar courses of action to verify that it was not me – one rang my mobile, the other tried to get in touch with my parents. Hackers are not smart. The basic premise of the hacker’s story was that I was in London and had been robbed at a hotel. I needed money. My friend Mark had seen me at a wedding three days before this conversation took place:

“1:34am Mark
when did you fly to London?
1:35am Nathan
4 days ago
1:41am Mark
did Robyn fly with you?
1:41am Nathan
yes
we are robbed together
1:41am Mark
you flew out on the 19th?
1:42am Nathan
cant remember the date
why are you asking?
1:42am Mark
why can’t you remember?
1:44am Mark
what day was it?
1:45am Mark
Nathan this isn’t like you what’s going on? when did you fly out of Townsville?
1:48am Mark
Hello Nathan? What’s happening? this isn’t like you what day did you fly out>
?
1:50am Nathan
i told you something
you didnt believe me
1:51am Nathan
what else do you want me to say???
1:52am Mark
you said you flew out 4 days ago, i can’t believe that because i saw you 3 days ago
i want to know what’s going on.
?
1:53am Nathan
it was 4 days ago
1:54am Mark
Friday, the 19th was 4 days ago, and I saw you at the Wedding on Saturday the 20th.”

Lesson one for would-be Western Union scammers – make sure you don’t contradict someone when they tell you where they last saw you. Lesson one for potential victims – stick to your guns. The scammer then suggested Mark transfer money using his credit card and westernunion.com – when he was told Mark didn’t have a credit card he suggested he head to his nearest Western Union agent. No doubt unaware the Darling Downs (where Mark was staying) doesn’t think highly of 24-hour trading…

“2:12am Mark
one problem mate. i don’t have a credit card
2:12am Nathan
ok
then go and do it any agent close to you
2:15am Nathan
have you gone?
2:15am Mark
no i’m here
2:16am Nathan
why?
how much can you loan me?
2:17am Mark
how much do you need?
2:17am Nathan
$800
how much can you afford?
2:18am Mark
you need $800 cash?
2:19am Nathan
aussie dollars is very loan in UK
2:20am Nathan
low in UK
2:21am Mark
right i understand
2:21am Nathan
when are you going?”

Mark by this time had called me – and decided it was time to give the hacker a moral lesson. He didn’t like that much.

2:28am Mark
why, well i’m interested, when did you got a new email address?
2:29am Nathan
is that your business?
why would you need that to help me out in a situation like this
2:29am Mark
and how’s the weather in Nigeria?
2:30am Nathan
which Nigeria?
2:30am Mark
and finally how can you ask for money from well meaning people?
2:30am Nathan
you are nut
2:31am Mark
i am nut
?
2:39am Mark
does not appear so
2:39am Nathan
sure
2:40am Nathan
have a nice day
bye
bye
not to meet again

At this point I logged in to Robyn’s Facebook account to try to initiate dialogue with the hacker – he ended our Facebook friendship. But not our Facebook marriage. He also went very close to convincing friends of mine who were in England at the time to help – they offered to drive north to London to rescue me – which is nice. But all the hacker wanted was my money. 

I was left with no access to my account, some confused friends, and an email address for the hacker. I decided to take matters into my own hands. The hacker’s email address was an address at verizonmail.com – which is a domain sold by mail.com. I sent them an email complaining about the misuse of that account. 

Then I got in touch with the hacker. 

Magor,

If that is your real name… I am willing to pay to get my account back under my control. Please forward your Western Union account details. I would be willing to pay $US250 to have my account returned.

I’m not advocating this sort of behaviour in normal circumstances – but this hacker already had my email address, and various other pieces of information from my account, so it was not a hard decision to make.

Lesson one for people with lax online security – you know how they say make your password hard to guess and don’t use the same password at multiple sites – this probably saved me losing access to my Gmail – which thanks to its wonderful archiving system would have allowed the hacker access to my passwords for multiple accounts on multiple different sites.

I received a response to my generous offer…

“RICHARD Vincent is the name
Location is London,Uk”

I intended to use as much information as I could get to try to get into this guy’s email address – his secret question was “pet name” – I would suggest never using an obvious answer to your secret questions (i.e. don’t use something people can find out by googling you). Anyway, I also tried a couple of sites that let you reverse search an email address – one of them suggested an IP address somewhere in the US – but I figure that was for the Mail.com servers.

I wanted as much information about the hacker as possible so I went fishing (or phishing… almost)…

“Australia has increased regulations for Western Union money transfers – to combat fraudulent transactions. I also need to verify your date of birth and occupation.”

His reply:

“august 6th 1976……
what should i make the password of the box??”

I wanted to stall him while I waited for Facebook to restore my account – or to get access to his email… which is probably not the most ethical way to go about it.

“Is this offer acceptable to you?

I don’t know how I can trust that you will in fact relinquish control of the account – how would you suggest proving that you can be trusted?”

That’s right hacker. Make me trust you. Someone who’s proven untrustworthy already.

So he responded with a little bit of pathos. A happy birthday to me. And a revelation that for him at least – it’s all about the money.

“so today is your birthday?
i can swear with my life that you will get the account back immediately you send me the money.Thats all i need.
am sorry for doing this,but i need the money.

The choice is yours”

I decided to see just how dumb he was. If he reset the email address on my account I could have a password reset form emailed to myself… but this email bounced.

“I’m not sure the word of a hacker is worth much to me.

I think perhaps if you change the email address on my account back, send me an email notifying me of the change. When I see the email on the account has changed I will make payment and we can agree on a password for you to change it to.”

Poor Richard Vincent in London probably has no idea why his email address has been closed down. Or maybe it was just an account set up to swindle unwitting Facebook friends out of their hard-earned cash.

As I mentioned in an earlier post on this situation – there are lessons to be learned from this experience. Don’t make your password something stupidly obvious. Don’t make your secret questions easy to figure out. Don’t store passwords for every account you have in one email address. Don’t use the same password for more than one site. Change passwords regularly. And don’t expect $800 from your Facebook friends.

Comments

Andrew says:

Quite possibly your best title yet ;)

martin says:

Thanks for that mate. I appreciate the detail.

Grace says:

Hey man, someone is trying to do the same (sort of) with me, I’m trying to find a flat in Brizy, they say they own a flat in Mary St and they are in the UK looking after their sick mum, need $300 bond, via Western Union, then they will give me the keys!? They have even done up a lease agreement through a ‘lawyer’, and sent me a copy of their passport. SO dodgy!! Hope you have it all sorted. Grace.

S says:

Hey there-

I found your blog on Google trying to find a solution to my own hacking issue, which seems identical to yours. I was wondering a couple things. First, how long did it take Facebook to get back to you regarding the breach and how did they go about helping you restore your account? I’ve had Facebook since 2004 and I don’t remember if I ever set a secret question. Second, did you ever figure out how these scammers are getting our passwords? I’m pretty computer savvy and don’t think I would ever fall for any of the common phishing scams that are out there so this has me pretty stumped. If you wouldn’t mind commenting back or emailing me, that’d be really great because I haven’t heard anything from Facebook and my friends are continuing to have conversations (albeit sometimes entertaining) with the pest.

Nathan says:

Hi there S, Facebook took about 10 days to rectify my situation – there are a couple of other posts about it here – if you go to the Facebook homepage there’s a link to contact them and if you search for “account compromised” there’s a contact form – that’s the one I used.

It should just be a matter of the Facebook security staff verifying the original email from your account. That sorted it for me.

In my case the problem was an incredibly weak password – I’m told by a few IT security minded people that it’s just a matter of battering your password field with a heap of computer generated passwords until it cracks. Facebook, unlike many banking services and email accounts, doesn’t have a maximum number of password attempts before locking the account – and they don’t have a secret question thing, they just send a password reset link to your account.

Based on my experience you’ll either need to figure out a way into the hacker’s email address or wait for Facebook to sort it out – there’s no great way to notify people that you’ve been hacked. I was lucky that my blog is imported to my profile via RSS so I posted to it straight away to let people know.