A Digital Mugging
Just like so many thousands of people across the world, we are targeted by cybercriminals. Sometimes though, we feel it is personally directed at us because of the work we do to expose their fraud. This past November and December was such a time. On top of co-producing the ginormous web portal, The Daily Scam, David runs the Creative Collaborative, Deutsch Creative, that specializes in digital design and publishing. In late November 2020, David’s company email account was spoofed and he didn’t find out UNTIL he suddenly started to get rejected emails by the hundreds that he never sent.
All of these emails were found to be malicious or fraudulent, including the Barclays Bank phish in this week’s phishing column above and the email below pushing Viagra pills. By the time David changed his passwords, the damage had been done, and on more than one occasion, SiteGround, David’s hosting service, shut down his accounts until he was able to prove that his email address had actually been spoofed and that these emails hadn’t been sent out via his address. This exercise was highly taxing, especially the second time, but it was exactly the response he had hoped for from his provider. Kudos, SiteGround.
But the “digital mugging” didn’t stop there.
All of David’s social media accounts were hacked. The user names of all of his accounts were changed and he couldn’t regain access to them. This hacker didn’t do anything malicious (yet) but they made it impossible for David to have access to his own sites. Instagram, Twitter, Snapchat, Facebook and who knows how many other accounts.
Some people don’t take passwords very seriously, while others don’t want “big brother” sniffing around even the most mundane contents of their digital wallet. Sometimes, however, the offer of a free jelly donut can get people to drop their shields. You can go into a donut store and, in order to get a discount, happily sign up for a donut loyalty card and lower your force fields.
We were just discussing how amusing it is that sometimes a donut store’s password is twelve digits with two special characters, a number and a diphthong, but your bank or trading account only requires a four-digit PIN. It starts to make you think that there’s no reason for passwords, but the bank’s four-digit PIN is often a single hurdle in a series of many to prevent entry, whereas the twelve-digit donut code that pretends to have value most likely doesn’t have any encryption, and the data is just flying unprotected through the ether. Once a hacker finds the lowest common denominator into your password/user-name, they send it out through all of social media, looking for that combination, and once in, they control you. This is one of the most important reasons not to use the same password over and over again!
In mid-December, David had a series of fraudulent charges made against his personal credit card. His bank called him and said they needed to verify some charges. He asked how many charges there were. The bank’s agent said more than a dozen and asked when he had last used his card. David told the agent that he had made a charge on the way to the gym that morning and then, at about 2:00 pm, he went to grab some coffee and his card was denied. He asked the agent when the charges were made. The agent reported that, interestingly, they were all logged at the same time. Multiple pizza delivery charges, some adult website charges, purchases of Apple gift cards; nothing over fifty dollars, but close to $2500 in total. After they were all stopped, the bank updated his card and issued a new number. But then new fraudulent charges appeared on the new card! He had to update his card multiple times before this craziness stopped. And it’s not just making a call; each time you do this you need to sign affidavits at the bank, and everything attached to that card stops working: auto-payments, online accounts, etc. The domino effect created by this is often part of the joy the hacker gets from the chaos they create.
It gets even better.
On December 16, David was charged 7 cents for an advertisement posted on Facebook, made via his business account. Someone had clicked on the ad. Only he hadn’t posted any ads!
Soon after, Facebook informed him that he had violated their “terms of agreement” because he had posted “inappropriate advertising.” Of course he hadn’t done any of that! When he went to sign in to Facebook, he was prompted to choose an account to go into, and that took him completely by surprise. It was then that he discovered multiple Facebook accounts had been created in his name. They had no photos, but did have his cell phone number and email address. There were also no posts, no friends, and no pictures at all. And yet, they were registered in his name.
And that’s not where it stopped. There were a half dozen “David” accounts with different pictures, but no content.
On December 26, David received additional ad notifications from Facebook saying that he had placed ads that did not comply with Facebook’s advertising policies. Also very interesting was the fact that this particular ad was written in Vietnamese and titled “How to Borrow Money.” Wouldn’t you think Facebook’s artificial intelligence would notice that neither David nor anyone with whom he was connected via Facebook spoke Vietnamese, and therefore understand that his account had been hacked? There were also ads in French. David doesn’t speak French or ever post in French for clients. This was coupled with David making every effort to report to Facebook that he had been hacked, that his account had been abused and that he needed help.
Not only did this new account get misused, but it created a conflict with his real personal account. David said “I can’t use my old account. When people send out messages, responses, etc. I get the notification, but can’t respond to it. I have to log out of the account that doesn’t work and then log into the new account, and still I can’t see the message unless I go to the person’s site and check out what they publicly sent.” Somehow, the criminals had managed to create an account that completely confused Facebook.
David attempted to log into his Facebook account to see if this was just a one-time event or learn whether something more sinister had happened. He discovered that he was now locked out of his REAL account due to the abuse associated with his other newly named accounts. He got the message that he needed to prove his identity by uploading a license, passport or other type of identification. Of course, this felt a bit sketchy. After finally giving in and uploading his license photo he received this notice: “We Received Your Information. If we still find that you’re not old enough to be on Facebook, your account will remain disabled. This is because your account doesn’t follow our Terms of Service. We’re always looking out for the security of people on Facebook, so until then you can’t use your account.”
Old enough?? Facebook now thought that David was under the age of 13! No doubt, this trick was also perpetrated by the criminals who set up the fake account for him.
Several interesting things have come out of this attack. The first and most obvious concerns Facebook Customer Service. There is none! It turns out that when users have problems with their accounts on Facebook, there is NO ONE to communicate with. Literally no one! Even Facebook’s own “help center” (said with obvious sarcasm) tells you that there is no way to speak to a customer service representative. We feel that this monolith, centered around the concept of bringing people together in a digital social world, treats its users in the most uncivilized ways... like pieces of data and nothing more. From our perspective, this experience has confirmed that Facebook truly doesn’t care about its members. We are the products, not the customers!
There was one other thing that the hacker was doing. Every morning, David would receive two emails with 8-digit reset-codes. These numbers were obviously phony because when they were input into the Facebook "password reset" field, Facebook would respond with an error message telling him that his codes should only be 6 digits!
When David tried to reset his Facebook password, Facebook’s two-factor authentication would send him actual six-digit codes that would get him past one gate, only for him to be stopped at the next.
It’s pretty clear that we lost this fight with cybercriminals. David said, “It’s OK. It only cost me time, and I always imagined that this kind of thing would eventually happen, but on the plus side, 7 cents was credited to my account, so I've got that going for me, which is nice.” And so, for this round… The Daily Scam: “0” / Cybercriminals: “1”. However, we’re still here, more dedicated than ever to revealing internet/smartphone fraud and teaching people how to better protect themselves. And in a few days, David will be able to take off his bandages.
A final note… David also volunteers for Rotary International, and although these hackers were just a thorn in his paw, they damaged a number of important student scholarship fundraising events, and that’s the real crime.