NORMAN — Last week I told the story of Mary, one of my customers whose Hotmail account was hijacked by the Internet bad guys.
The bad guys were using her account to send scam emails to her friends and relatives, trying to steal as much cash as they could. One relative actually sent the crooks $2,500, thinking he was helping Mary and her family in a time of crisis.
How did the scammers hack into Mary’s Hotmail email account? Unfortunately, without a lot of extensive forensics work, there’s no way to tell exactly how they got in. Internet crooks have a big bag of tricks, some of which (including what the scammers were doing with Mary’s account) are listed on the FBI’s website at fbi.gov/scams-safety/e-scams. Let’s take a look at how the bad guys may have gained control of Mary’s account.
Social engineering: fake verification emails, fake login pages. Many people have reported receiving an email from “Hotmail Customer Care,” requesting that they login and “verify” their accounts. The emails look real and when victims click on the “verify” link, they are sent to a real-looking Hotmail login page. They are, in fact, fakes designed to harvest usernames and passwords; login on the fake page and the bad guys win.
Fake “Vote for me!” emails. You get a real-looking email from a friend asking that you “vote” for them in some online contest, like “Best Picture,” or something like that. You are asked to login to your Facebook account and vote. You click on the link, which leads to a fake-but-real-looking Facebook login page, and you dutifully type in your username and password. Because you use the same password for Facebook as you do for your email, bingo, you’re busted.