New spammer vector snags a friend
May 28 2008
I received two pretty weird e-mails from a friend of mine in the last twelve hours. The first had the subject line "hello" and the latter was "the rest". Both e-mails indicated that my friend was trapped in Nigeria (of course) and needed me to wire money urgently so that she could get out of the country.
Only one problem. My friend is not in Nigeria, and the e-mails are clearly the work of spammers.
But.
They aren't spoofed!
Spammers hacked into her Yahoo mail account -- which she indicates had a non-guessable password comprised of letters and numbers. Once they did, they changed her password as well as hacking and changing her security key (which is a wow to me, since Yahoo doesn't even give you a hint as to what it is when you go to try to change it).
Now they have access to her account, and are sending e-mails to all of the contacts in her address book. The e-mails aren't spam filtered, because they are truly coming from her @yahoo.com mailbox. They are even signed with her name.
She has contacted Yahoo twice, and they have been most unhelpful. Because her security key was changed, Yahoo can't confirm her ownership of the account anymore. They claim when she has called that her mother's maiden name doesn't match the account, and that that was the identification she agreed to when she signed Yahoo's terms of service. I asked her why Yahoo wasn't willing to try to go back to a prior state -- certainly they must have a transaction log and can sort out when it was changed, what IP address, etc. She isn't the first person whose account has been hacked.
My friend indicates that she has googled around to try to find how others who have had this happen -- and it has definitely happened to others -- addressed it. Unfortunately, most have decided not to fight Yahoo, and just written off their mailboxes. That seems too fatalistic to me, and certainly won't get my friend access to years worth of e-mail and contact information.
Anyone seen this and danced with the Yahoos to make it right?
- 2
Bill Geimer | 5/28/2008 9:50:12 AM
Yahoo has a practice of allowing a browser with a cookie for your account to open the mail account without a password prompt for up to 10 days if you just close the browser rather than log out. I suppose it's a helpful feature in a commodity free mail client, and certainly no worse than Outlook not requiring a password for a local PST file, but it's long been the mode for providing open access to Yahoo mail from public browsers found in libraries, cafes and hotel lobbies. It does not, of course, give out your password, but it does open up the account for reading, writing and malicious activity.
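A toy model of the behaviour the comment describes, added here as an illustration and not code from the original post or from Yahoo: a server-side session table where a "remember me" login stays valid for a constructed 10-day lifetime, closing the browser changes nothing on the server, and only an explicit logout (or expiry) revokes the cookie. All names and the time values are assumptions.

```python
import secrets

REMEMBER_ME_SECONDS = 10 * 86400   # constructed: the "up to 10 days" from the comment
SHORT_SESSION_SECONDS = 30 * 60    # constructed: lifetime without "remember me"


class SessionStore:
    """Server-side table mapping an opaque cookie value to (user, expiry time)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, remember_me, now):
        # The cookie value is random and opaque; it never carries the password.
        token = secrets.token_urlsafe(32)
        ttl = REMEMBER_ME_SECONDS if remember_me else SHORT_SESSION_SECONDS
        self._sessions[token] = (user, now + ttl)
        return token

    def user_for(self, token, now):
        """Return the user the cookie grants access to, or None if unknown/expired."""
        record = self._sessions.get(token)
        if record is None:
            return None
        user, expires_at = record
        if now >= expires_at:
            del self._sessions[token]   # lazy expiry
            return None
        return user

    def logout(self, token):
        # Explicit logout is the only user action that revokes the server-side record.
        self._sessions.pop(token, None)


def shared_computer_scenario(logged_out, days_later):
    """Simulate a public browser: login with 'remember me', then someone reopens it later."""
    store = SessionStore()
    t0 = 0
    cookie = store.login("alice", remember_me=True, now=t0)
    if logged_out:
        store.logout(cookie)
    # Closing the browser leaves the cookie on disk and the session on the server.
    return store.user_for(cookie, now=t0 + days_later * 86400)
```

Closing the browser without logging out leaves the account open for the whole cookie lifetime; logging out, or waiting past the 10 days, is what actually closes it.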
- 3
Roberto Boccadoro | 5/28/2008 10:01:45 AM
Yahoos are too busy trying to get bought by Bill in those days :-)
Maybe after reading this post I had better switch my wife's mail from Yahoo to Google.
RoB
- 4
Turtle http://www.weightlessdog.com/shell.nsf | 5/28/2008 10:05:49 AM
I just don't rely on free webmail. Not ever.
- 5
Keith Brooks http://lotustech.blogspot.com | 5/28/2008 10:22:33 AM
The better question is: has your friend gutted her PC, laptop, phone or anything else so they also don't mess with her credit cards?
- 6
NeilT | 5/28/2008 10:23:07 AM
It's interesting.
I've had a Yahoo account since 7 months after they rebranded it. I have a major issue with it, which is that they require me to remember my date of birth. Which, back in '97, I gave as a false one because I didn't trust them to keep my data secure.
So whenever I have a problem they ask for my security key. If I've forgotten that, I have to produce my date of birth. If I can't do that, then I'm not the account owner.
OK, now I have a subscription account with 24x7 helpline. I can call them and verify who I am. They will change my security key for me, but they can't change the date of birth (you can't change the day you were born right?)
Either I've just been lucky or my security is good as I have never had an issue with the account, other than forgetting my security key.
Somehow Yahoo needs to be able to reset the account of verified people. But it does beg a question. How DO they know it's you? The only low-cost thing I can think of is sending a personal self-cert key to another mail account so that you can use that key to verify who you are.
But that's a whole new ballgame isn't it. It would have to be a one time thing and what about all those existing mailboxes?
- 7
Mike Lazar | 5/28/2008 10:23:25 AM
Ed -- For a free service, I don't think they will be keeping "previous states" for very long, and they certainly won't be helpful in restoring your service. The bigger concern I would have is that they now have her personal info, such as mother's maiden, favorite hobby, etc. That could mean they have things like her SSN, other accounts, whatever. I'd write off the mail account, but I'd be signing up for those credit check services ASAP and monitor that weekly.
- 8
Ed Brill http://www.edbrill.com | 5/28/2008 10:25:05 AM
@7 I don't think "free" is an excuse, since they certainly have monetized the account through advertising. And it is possible (though I don't know) that this friend has a premium account. I will check.
Either way, though, you are right -- I am concerned about overall identity theft.
- 9
Simon Scullion http://simonscullion.com | 5/28/2008 10:42:53 AM
Ouch, nasty stuff.
Identity theft is no laughing matter, and yet people are recommending online services for corporate email....?
I'm off to change passwords.....
- 10
rajiv thomas http://notesboy@notesboy.com | 5/28/2008 10:58:25 AM
I had a similar problem, but that was years ago with Yahoo, and I finally ended up closing my Yahoo mail for the same reasons and moved to Gmail. I do retain my Yahoo ID for Messenger purposes but without email.
- 11
Danny Lawrence | 5/28/2008 11:25:27 AM
Every time I think "You know, running my own domain is a PITA; maybe I should just go with one of the big freemail services" (and I was thinking this over the weekend as I had a drive on one of my servers go bad), I read a story like this and say to myself "That's why!"
- 12
Craig Boudreaux | 5/28/2008 12:34:42 PM
It's good to know what kind of service we can expect from Yahoo. I hope this story gets passed around a lot.
The question is, do Google or other free email services deal with this type of situation any better? If not, it paints a very dismal picture for free email services. @9 has it right.
I'd worry even more about what information was in saved emails. i.e. Receipts for things bought recently, shipping addresses, possibly credit card numbers (hopefully not), passwords to other accounts. (many times they send that clear text on opening new accounts). Scary.
- 13
Pete McPhedran | 5/28/2008 12:37:09 PM
@7,
It doesn't sound like they got any info, like MMN, hobbies, etc... They just got in and changed it. Correct me if I am wrong Ed.
I specifically don't use any free web mail for more reasons than I can count, but on the occasions when I needed a test account, I don't recall having to give that type of info and if anyone does, I can't imagine that it is there for the taking should the account get hacked. I can see a hacked account being able to change that info without knowing it, but not being able to "read" what's already there.
Read your contracts and terms of service, people. I would think that with fiascos like Enron, Arthur Andersen, Bre-X and Exodus, it would be well known that you need to know who has access to your personal information and, even more importantly, who has control of it. What recourse do you have should the service you are getting for free suddenly not be available, or, in this case, be maliciously taken away from you?
You still get what you pay for.
--Pete
- 14
Nathan T. Freeman http://nathan.lotus911.com | 5/28/2008 1:06:29 PM
I have 5 words for you...
online banking forgot my password
- 15
Richard Schwartz http://www.poweroftheschwartz.com | 5/28/2008 2:37:05 PM
@11, @14 -- Although I have reason to want to move off my own infrastructure, and have been relying more and more on my Gmail account, this really makes me think twice about ever making any free mail service my "primary" mail system.
- 16
Steven | 5/28/2008 3:06:56 PM
@14: The really cool thing about forgetting your password is you get to see all the neat ways others have addressed the self-service issue. There are good ways and bad ways, but sometimes I say, I wish we could do something like that in Notes and/or iNotes.
- 17
Ed Brill http://www.edbrill.com | 5/28/2008 3:11:43 PM
@16 you will in 8.5 -- if you choose to use the Notes ID vault, you'll be able to get to a self-service approach.
- 18
Randall Shimizu | 5/28/2008 7:44:38 PM
I have AT&T U-verse. One of the irritating things is that the password for AT&T and Yahoo will only let you use numbers and characters. They will not let you use special characters. The odd thing is that Yahoo will let you use special characters.
- 19
Bill Malchisky http://www.EffectiveSoftware.com | 5/29/2008 8:33:34 AM
I had an issue with my ISP's personal e-mail account. I pay them monthly and they include an e-mail account. To resolve, I requested a restore from seven days back. They refused. I pushed for escalations over the next week, and still, the final decision was, "We do not restore end-user mail." Even though I made a compelling case with several managers and they agreed with my position, it never happened.
Thus, I would think a free service would be less helpful here. They do keep backups for recovering an entire server, in case of hardware failure, but avoid end-user-initiated requests to keep down costs, IME.
Good luck to your friend, Ed. Not fun. Do enable a credit freeze---with all three agencies---to protect him/herself as well.
- 20
Bill Malchisky http://www.EffectiveSoftware.com | 5/29/2008 8:36:19 AM
p.s. Clark Howard might be able to help your friend. He is a consumer advocate that loves going after companies for situations like this, in addition to providing decent consumer financial advice. You can call the show, or setup a time to talk with the staff. If interested, { Link }
- 21
Colin | 5/29/2008 3:23:02 PM
Have your cake and eat it, too: Use Google Apps for your email with your own domain and manage your own DNS. If there is a REAL snafu, you prove ownership because you have control over the DNS.
Life's too short to run infrastructure for the family. :-)
Colin
- 22
Alex Wilson | 5/30/2008 10:49:31 AM
I had an issue with Yahoo almost a year ago. Someone in the fire station I volunteer for installed a key logger on one of the computers. They snagged my login info. They then used my account to answer personal ads on Craigslist.
Without getting into details, I contacted Yahoo for access logs and such. The Yahoo legal department told me to send them a legal request from a judge. They would not help at all.
- 23
Ed Brill http://www.edbrill.com | 6/3/2008 4:56:53 PM
Sadly, this scheme is far more common than I thought:
{ Link }
Look at the 100+ comments!!! Wow!
- 24
Ellen Broughton | 6/4/2008 11:21:32 AM
I had something very similar happen to me a couple of years ago. In addition to getting my Yahoo account, they also got my eBay account. They also tried to get my PayPal account too, but luckily the spammer/hacker didn't get my password so the account got locked. Both eBay and PayPal were great to deal with and I had things straightened out with them in a couple of hours (I guess they want you to buy and spend money).
Yahoo on the other hand was of no help at all. It was "if your answer doesn't match what we have, too bad". I finally gave up and got another account elsewhere. I'll never go back to Yahoo - free or not!
I wonder if this situation would have been any better or worse with Microsoft at the helm? After all they did want to buy Yahoo for whatever reason...