Friday, January 7, 2011

How I lost my Hotmail account to Nigerian spammers and exacted my revenge

Part 1: Theft

I wake up to a barrage of emails, Facebook posts and text messages telling me that my email account has been hijacked.  Turns out someone somehow got control over my ancient Hotmail account, created over 10 years ago and rarely, if ever, accessed in the past few years.

Here's the email that went out to (I'm assuming) every contact:

From: xxx <xxx@hotmail.com>
Date: Mon, 20 Dec 2010 11:46:43 +0000
Subject: Family Trip!!!

Hi,

Just writing to let you know our trip to London, England has been a mess. I was having a great time until last night when we  got mugged and lost all my cash,credit card cellphone It has been a scary experience, I was hit at the back of my neck with a  club. Anyway...... I'm still alive and that's whats important. I'm financially strapped right now and need your help. I need  you to loan me some $$, I'll refund it to you as soon as i arrive home.Write me back so i can tell you how to get it to me.

Love.
xxx

I'm thankful that the hacked account is my old Hotmail account, and not my primary email.  Still, I'm worried that I may have set up email forwarding to my main email address and that this could have led the hackers into my active email.  I check the primary email and everything seems to be kosher:  I can sign in and there are no signs of suspicious activity.

Next, I head over to Hotmail.  I still have no idea how these people got into my account.  I don't use this email anymore; it's not like I'm trolling the internet and using it on sketchy websites.  My password, while not full of capital letters and numbers, was not an actual word; I seriously doubt someone could just guess it.

Not surprisingly, my Hotmail sign in doesn't work.  Looks like they've changed the password.  I try password recovery, but it appears that they've changed the secondary email verification addresses as well; there's no way to get control of my account without getting Microsoft involved.  Joy.



I quickly get lost in the morass of Microsoft's various web presences.  What the fuck is the difference between Hotmail and Live and Microsoft and why does this process jump me between the various sites?  Every page looks like it was generated by some content management system from hell.  Does anyone actually read these pages and verify that links work and direct people to the appropriate locations?  I get stuck in an endless loop where I keep getting asked for the answer to my "secret question" (which has been changed by the spammer) and then, when I say that I don't know it, I'm kicked back to the password recovery screen where it then asks me to answer my secret question.  Aaaaargh!

I'm finally able to locate the section for filing a claim to recover my email address.  I'm given a PIN and the site creates a private "support forum" where I can dialogue with Windows Live support staff.  I have to answer a ton of questions to verify that I am the rightful owner of the email account.  I'm asked (again) for the answer to my secret question.  Clicking the link that says "Answer your secret question" just kicks me back to the password reset screen again.  Nice move, Microsoft. Many of the questions ask me about account details like the names of my Hotmail folders and the subject lines of my email messages that I can't answer without being able to access my email.


Regardless, I do the best I can and send the information off into the ether.  I'm not hopeful that Microsoft will be quick to respond, but I hope that they'll at least lock down the account while we work out the details.

Part 2: Apologies

Time to try to respond to the messages from everyone that's been spammed from my account.  The Hotmail account was so old I'm not even sure who received the messages.  Probably everyone from grad school, which means most of the faculty I studied with and worked for at the University of Washington.  Also everyone from my previous jobs in New York.  Luckily, nearly everyone in the internet industry has been laid off or had their companies acquired so many times their original work addresses are no longer functioning.

Still, I can't hope to send out warnings about the spam to everyone.  I send replies to everyone that emailed me and post a warning on Facebook.




Part 3: Revenge


While I wait for Microsoft to lock down the account, I decide to see who's on the other end of this scam.  I create a fake Gmail account and send an email to my Hotmail address, posing as my "aunt" Mary Ann Anderson.

From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Mon, Dec 20, 2010 at 10:15 AM
Subject:  Re: Family Trip!!!

Oh my goodness!  I am so sorry to hear that this has happened!  I hope everyone is ok.  If you still need some help, please do let me know and I will check with Marvin to see if we can take out some money for you.

You are in my prayers!

Mary Ann

I send the email at 10:15 am.  A response arrives at 10:26 (!).  These people move fast.


From: xxx@hotmail.com
To:   Mary Ann Anderson
Date: Mon, Dec 20, 2010 at 10:26 AM
Subject:  Urgent Response Needed


Am glad  you replied back i still have my life and passport because it would have been worst if they made away with my passport.I have reported to the Police and have also contacted the Embassy but am afraid at this time there is noting they can do.well all I need is just $1,980 and you can have it wired to me via Western Union MoneyTransfer from any nearby western union  outlet. Here's my info below

Name: (redacted)
Location: 7 Albemarle Street, London W1S 4HQ,United Kingdom

As soon as its done, kindly get back to me with the  confirmation number and let me know if you are heading to the WU outlet now?I promise to refund back your cash as soon as am back home.Please i don't want to make a scene of this,i want you to keep it that way and keep this to yourself.I will brief in full as soon as i get home..

Thanks


Clearly, this wasn't written by the person who sent the first email.  The first email was coherent and well-written while this one is a mess.  Maybe they're deliberately trying to appear confused, perhaps a side effect of being "hit in the back of the neck with a club".  I love that they've chosen $1980.00 as the amount.  Not $2000, not $1950.  Is that supposed to make it sound more legit?  I also like the request to not "make a scene" of this and to keep it to myself.

This is going to be fun.  Before I send anything else, I need to flesh out this Mary Ann character.  I go to Google Maps and randomly pick a location: Nebraska.  Knowing that any exchange with the spammer is going to involve Western Union, I search for branches.



Looks like Mary Ann lives in the Grand Island, Nebraska, area. Maybe somewhere like Broken Bow. Yea, that sounds good.

I lob a response back to the spammer:

From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Mon, Dec 20, 2010 at 10:36 AM
Subject:  Re: Urgent Response Needed

Well, I'm happy you at least still have your passport!  Let me see where our nearest Western Union is.  I've never wired money before, so I don't know where to go.  I think there might be one near Aunt Betsy's house in Comstock.  Do you remember seeing one there when you visited her for Thanksgiving?

MA

Again, it takes less than 15 minutes for a response:

From: xxx@hotmail.com
To:   Mary Ann Anderson
Date: Mon, Dec 20, 2010 at 10:58 AM
Subject:  Western Union Info Needed

At the moment am mentally unbalance as I have limited time..I will brief in full as soon as I get home,once you have the money wired kindly get back with me the confirmation control number and the full details cos that's is what I will be needing in picking up the money with my passport...

Hoping too hear from you soon

Love,




Part 4: Some sleuthing...



I really want to find out how this scam operates.  I have a London address from the first email with the Western Union wiring instructions: 7 Albemarle Street, London W1S 4HQ,United Kingdom

Here's that location:



And in Street View:



Marlborough... looks like a gallery. And the door to the right is labeled Scandia House. Some Googling turns up the fact that these are located at 6 Albemarle Street, not #7. Google has the view backwards; we should be looking at the other side of the street, at this:



The Post Office. Ok, this makes more sense. Probably an anonymous PO box. So there's a UK component to this operation... I have no idea how Western Union wiring works, but I guess you have to register an address to get the money.

But where is this money eventually ending up? I do some digging in the email headers from the hijacked account and turn up an originating IP address: 41.155.83.99.  A quick search turns up this information. Looks like we're dealing with the proverbial Nigerian scammers, operating from somewhere near Kachia, Nigeria:



Not a whole lot going on in Kachia, but someone apparently has a computer with an internet connection and a rudimentary grasp of grammar.
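One way to pull a sender address out of raw headers, as an added example that is not from the original post: the post does not say which header held 41.155.83.99, so this assumes the two usual places, a webmail `X-Originating-IP` header and the `Received` chain. The sample message is constructed, and anything in a `Received` chain below the first server you trust can be forged by the sender, so the result is a lead rather than proof.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers, not the real message. Only 41.155.83.99 is
# from the post; host names and the other addresses are placeholders.
SAMPLE_HEADERS = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
    by mx.example.org with ESMTP; Mon, 20 Dec 2010 11:47:05 +0000
Received: from webmail.example.com ([10.13.2.7])
    by relay.example.net with SMTP; Mon, 20 Dec 2010 11:46:50 +0000
X-Originating-IP: [41.155.83.99]
From: xxx <xxx@hotmail.com>
Date: Mon, 20 Dec 2010 11:46:43 +0000
Subject: Family Trip!!!

(body omitted)
"""

# IPv4 literals only; bracketed IPv6 ("[IPv6:...]") is out of scope here.
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def bracketed_ips(text):
    """Parse every [a.b.c.d] literal in a header value, skipping invalid ones."""
    found = []
    for candidate in BRACKETED_IPV4.findall(text):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:  # e.g. [999.1.1.1]
            continue
    return found


def hop_chain(raw):
    """Addresses named in Received headers, newest hop first (top of message)."""
    msg = message_from_string(raw)
    return [str(ip)
            for hop in msg.get_all("Received", [])
            for ip in bracketed_ips(hop)]


def originating_ip(raw):
    """Return (ip, header_name) for the likely client address, else (None, None).

    1. X-Originating-IP: added by some webmail front ends with the address
       of the browser that composed the message.
    2. Otherwise walk Received headers oldest-first and take the first
       publicly routable address, skipping internal and reserved ranges.
    """
    msg = message_from_string(raw)
    claimed = msg.get("X-Originating-IP")
    if claimed:
        try:
            ip = ipaddress.ip_address(claimed.strip().strip("[]"))
            return str(ip), "X-Originating-IP"
        except ValueError:
            pass  # malformed value: fall through to the Received chain
    for hop in reversed(msg.get_all("Received", [])):
        for ip in bracketed_ips(hop):
            if ip.is_global:
                return str(ip), "Received"
    return None, None


if __name__ == "__main__":
    print("hops (newest first):", hop_chain(SAMPLE_HEADERS))
    print("originating:", originating_ip(SAMPLE_HEADERS))
```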


Part 5: Let the games begin


Now that I know more about who I'm dealing with, I can dial up the fun factor:

From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Mon, Dec 20, 2010 at 11:06 AM
Subject:  Re: Western Union Info Needed

Oh my! Honey, it sounds like you need medical attention! Where are you staying? I talked to your mother and she didn't even know you were going to London this month!

Let me call my friend at the State Department in Washington DC. You remember Marjorie, don't you? She'll be able to get you some help and a loan. I know the government does that for citizens who are stranded abroad. It will probably be faster than me driving all the way to St Paul to wire the funds. Just tell me where you're staying; I tried calling your phone, but you're not picking up for some reason. Is that address you sent a hotel? Hurry and let me know. I am so worried.

MA

Again, a response arrives almost immediately:

From: xxx@hotmail.com
To:   Mary Ann Anderson
Date: Mon, Dec 20, 2010 at 11:11 AM
Subject:  Western Union Info Needed

Omg!!! just go ahead and have the money wired,please i will pay back your money as soon as I get home don't worry am fine...
Love

Seems like the messages are now being written by a 15-year old.  "OMG"?  Does the spammer really think I would say that to my aunt?  My aunt who is clearly worried about my health and well-being?  These guys are getting sloppy.  I take it up a notch to see if I can elicit any kind of emotional response (or decent writing):

From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Mon, Dec 20, 2010 at 11:17 AM
Subject:  Re: Western Union Info Needed

Ok, well your uncle is near St Paul for his doctor's appointment.  I'll call your cousin and see if he is strong enough to stop at Western Union and get some money to you.  You know how weak your uncle has been since they did the transplant.  I do hope you'll be alright.  You know that this money was to pay for the new roof on our home.  The leaks are terrible and now that it's winter I'm afraid we'll lose the roof entirely if we can't get it fixed soon.  If we lost the home I'm sure it would kill your uncle.  You are in my prayers as always.

MA

... and here comes the sympathetic response from Nigeria:

From: xxx@hotmail.com
To:   Mary Ann Anderson
Date: Mon, Dec 20, 2010 at 11:28 AM
Subject:  Western Union Info Needed

OK thanks,once the money is wired kindly get back with the confirmation control and the full sender's name they used in sending the money..
Many thanks


Not that I expected someone who scams money from the Internet-naive to really care about some sick Nebraskan, but how do these people sleep at night?  I try again to see if I can get some emotion to register, even if it's faked sympathy.

From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Mon, Dec 20, 2010 at 11:55 AM
Subject:  Re: Western Union Info Needed

The person at the office is telling your uncle that they need something called a "billling account number" to send you money using quick collect.  Let me buy you the plane ticket home and we can get it all sorted out when you're back home with us for Christmas.  You know that your Great Grandmother Clareece wants to see you before she passes and I'm not sure she'll make it to New Years.  I talked to my friend Mabel, the travel agent, and she can have you on an overnight flight back home tomorrow.  She just needs the address to deliver the ticket.  Send it to me, please, honey.

The reply:


From: xxx@hotmail.com
To:   Mary Ann Anderson
Date: Mon, Dec 20, 2010 at 12:15 PM
Subject:  OMG!!

You're not helping matters Just want to sort out dome bills.All i want from you is to have the money to me Via Western Union..the fastest and safest way of getting money to me is via western union..

Love

You know, if these people really wanted the money, wouldn't you think they'd play along?  Say "I'm so sorry to hear about Great Grandma Clareece.  This is killing me having to ask for money at such a hard time, blah blah blah".... Wouldn't that really take the scam to the next level?  I mean, I'm feeding this guy all the info.  All he has to do is take my cues and run with them.  Maybe I should get into spamming.  I think I'd make a killing.

I try to force his hand a bit by inventing an actual London connection for me.  Time to create another character in this saga:  my colleague, Randy.  If there is some point person on their end in London, maybe I can lead him on a goose chase, although I seriously doubt they'd show up anywhere I tell them to go:


From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Mon, Dec 20, 2010 at 1:27 PM
Subject:  Re: OMG!!

It isn't like you to be this rude.  I'm worried about you.  I'm going to call your office and have Randy meet you and give you the money in person.  He's going to meet you at the Noodle Oodle outside the Tottenham Court tube station.  I know that's one of your favorite places to meet Randy when you're in London.  Be there in one hour and he'll have some money and my plane ticket for you.

Love
MA

Yes, Noodle Oodle is a real place.


From: xxx@hotmail.com
To:   Mary Ann Anderson
Date: Mon, Dec 20, 2010 at 1:32 PM
Subject:  NO MORE NEEDING YOUR HELP....

Are you willing to help me or not???? you're not helping issue at all all i want from you is to help me in sending the money Via western union...If you not willing just let me know cos i have limited time..

Regards

Yea, the rudeness is really gonna get me to send you $2000.  I like the use of "cos".  Do they not know that Americans don't say that?  Sloppy scammers.   Do your research before launching an international fraud operation, assholes.

Part 6: Spammers 1, Microsoft 0

Meanwhile, Microsoft gets around to reviewing my submitted info and decides that it's not enough to do anything.


Great, so they ask me to provide the very same info that I couldn't provide the first time around.  I send a reply:


I do some digging through some email archives and find some emails from the Hotmail account.  I submit those to Microsoft and hope they're enough to at least get them to freeze the account.


Part 7: The trail goes cold

Meanwhile, I send off another email to Nigeria.

From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Mon, Dec 20, 2010 at 2:25 PM
Subject:  Re: NO MORE NEEDING YOUR HELP....

I'm on the phone with Randy right now.  He's at Noodles Oodles waiting for you.  Where are you?  He has collected $3,500 from us and your colleagues to help you out and has my plane ticket for you.  You're booked on United Airlines, flying London to Omaha via NYC tomorrow afternoon.  Let's get you home for Christmas and put this whole disaster behind us!  God bless!

MA


No response.  I send another:

From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Mon, Dec 20, 2010 at 3:00 PM
Subject:  Re: NO MORE NEEDING YOUR HELP....

Randy called to say that you didn't show up at the noodle shop.  What's going on, honey?  This isn't like you at all.  You're usually the most reliable person.  What do you want us to do?  We want you home for Christmas.  I can drive over to St Paul and talk to the Western Union guy, but he said he needed a billing account number.  Can you give that to me?

All my love
MA

Still nothing.  It's night in Nigeria though, so perhaps they're sleeping.  Or scamming people somewhere else.  I send another message off before bed.


From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Mon, Dec 20, 2010 at 9:21 PM
Subject:  Re: NO MORE NEEDING YOUR HELP....

Honey, it's getting late and I've got to go to bed before my second shift at Home Depot.  I talked to Marvin and he said he was feeling well enough to drive to St Paul tomorrow and wire you the money.  I just need the info again.  I don't know how to work this new email they set me up with at the elderly services center.  We all love you.

Auntie MA

Part 8: Back in business!

Morning brings a new email from my blunt-trauma'd alter ego in London/Nigeria.

From: xxx@hotmail.com
To:   Mary Ann Anderson
Date: Tue, Dec 21, 2010 at 8:14 AM
Subject:  Western Union Details Needed

This is all you need in sending the money via western union
Receivers Name:  <redacted>
Location: 7 Albemarle Street, London W1S 4HQ,United Kingdom
Await to hear from you

Regards

It's all business now.  No exclamation points, no frustration.  Just send the goddamn money.

I try again to get some kind of response.  Sympathy, rage, anything.

From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Tue, Dec 21, 2010 at 2:21 PM
Subject:  Re: Western Union Details Needed


What is this place?  It's not where you usually stay in London.  It's actually a shop of some kind.  Why are you having the money sent there?  Your uncle is driving to St Paul to the Western Union, but I need to know that you're ok and that someone isn't making you do this.  I don't understand why you didn't show up to pick up the plane ticket.  You have me worried sick and I can feel one of my spells coming on again.  You know when your sister went through that lesbian phase I ended up in the hospital with palpitations.  Please don't be doing that to me again.

Your uncle should be at the Western Union shortly.  I am praying for you, honey.

MA

And a bit of an emotional response arrives.  Am I getting through?  Is he starting to feel at least a bit guilty in that cesspool of a conscience?

From: xxx@hotmail.com
To:   Mary Ann Anderson
Date: Tue, Dec 21, 2010 at 2:39 PM
Subject:  Western Union Details Needed

Am OK..I will brief you in full as soon as I get home hopefully..Once he have the money wired kindly email me the confirmation control number...

Love

I'm actually loving that I'm having a nearly real-time conversation with an internet scammer located probably somewhere in rural Africa.  Gotta love the interwebs.

From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Tue, Dec 21, 2010 at 2:45 PM
Subject:  Re: Western Union Details Needed


I have your Uncle Marvin on the phone right now from St Paul.  He says that the Western Union agent told him that 7 Albermarle Street isn't a valid Western Union address.  Are you sure that it's the right location?  He's sending $4,500.00 to be on the safe side since plane tickets are so gosh darned expensive these days.


I was hoping that dangling an actual dollar amount (significantly more than what was requested) would get something going.  Instead I get another coldly clinical response:


From: xxx@hotmail.com
To:   Mary Ann Anderson
Date: Tue, Dec 21, 2010 at 3:42 PM
Subject:  MTCN# NEEDED!!!

Thanks for you response,the Address i sent to you is a valid address and a nearby western union location over here..

Keep me posted with the confirmation control number and the full details which you used in sending the money

Love

I sense that they know they're getting nowhere with me.  I decide to do a little digging online to see what a Western Union confirmation control number looks like.  I can't find much information, so I string him along and elaborate on my sob story.


From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Tue, Dec 21, 2010 at 6:59 PM
Subject:  Re: MTCN# NEEDED!!!


Well, I'm sure I don't understand what's going on, honey.  We tried to wire the money to you, $4500, but the agent said he needed a passport verification number and something called a FPCC number first.  I don't know what this is, your uncle was at the Western Union, but got real real sick and had to go to the hospital again.  I think he's just so afraid that you're stuck over there it was too much for his heart.  He's not doing so well now.  I'm praying to God that he doesn't die before you get home to say goodbye.  If you were to miss seeing your Uncle Marvin and Great Grandma Clareece because you got stuck over there, well I just don't know.

Send me your passport number and the FPCC number and I'll give it to the Western Union man as soon as they open up tomorrow.

All my expansive and encompassing love,
MA

Part 9: Fin

And everything goes dark again, this time for several days.  Maybe Microsoft has finally gotten around to freezing my account.  I send one last message out to test the waters.

From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Thu, Dec 23, 2010 at 2:43 PM
Subject:  Re: MTCN# NEEDED!!!


Honey, we haven't heard anything from you for days now.  What's going on?  Do you want us to wire the money?  Your uncle is still in the hospital, but my nurse agreed to drive me over to St Paul with the $4500.  Please call me on my cell phone or email right away.  Christmas is almost here and we want to get you home!!!


...and, lo and behold:


From: xxx@hotmail.com
To:   Mary Ann Anderson
Date: Fri, Dec 24, 2010 at 1:18 AM
Subject:  WESTERN UNION DETAILS NEEDED!!!!MISSED FLIGHT


You're not helping metters at all,just have the money wired to me Via Western Union.once you're done with the western union transfer kindly email me the confirmation control number..

Love

Again, very sloppy stuff.  What flight is he referring to?  These people need someone to keep track of the internal consistency of their story.

And, while we're at it, thanks for nothing, Microsoft.  Nigerian scammers have had control of my email account for FOUR days.  A simple look at the activity on the account (changed password, changed verification secondary email addresses, loads of email traffic outbound, contacts exported, etc etc) would surely register as suspicious enough to at least lock the account temporarily.  Thank god I've moved everything to Gmail.

Anyway, I'm finally able to locate a sample Western Union confirmation number from a slideshow online.  I send it off and hope that we can get this conversation going again:

From: Mary Ann Anderson
To:   xxx@hotmail.com
Date: Fri, Dec 24, 2010 at 3:14 PM
Subject:  Re: WESTERN UNION DETAILS NEEDED!!!!MISSED FLIGHT


Which flight did you miss?  The one I booked for you?  How did you get the ticket?

I went to Western Union.  The confirmation number for the money is 349A350989-B405894.  Honey, I hope you get home in time to see us!!!

MA

Sadly, this is the end of the email exchange with my spammer.  Nothing else arrives and I decide to let it go and wait for Microsoft to do something.

Finally, on January 6th, SEVENTEEN DAYS after losing my account, Microsoft gives it back to me:


I change my password, then have to change it again immediately for no apparent reason because Microsoft apparently does no quality control on their website and just randomly redirects people to random pages.  I finally get back into my Hotmail account and discover that all my contacts have been exported and deleted, that all email was being forwarded to a Yahoo address (probably also stolen) and that the password verification secondary email addresses were set to (again, probably stolen) Hotmail and Yahoo addresses.
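The account changes described here and in the complaint above (new password, secret question and recovery addresses, contacts exported and deleted, forwarding to an outside address, a burst of outbound mail) are the kind of sequence a provider can correlate automatically. An added example, not Microsoft's logic and not code from the original post: the event names, weights, 24-hour window, threshold and log lines are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed weights for illustration; each signal is one named in the post.
WEIGHTS = {
    "password_changed": 2,
    "recovery_email_changed": 3,
    "secret_question_changed": 3,
    "forwarding_added_external": 3,
    "contacts_exported": 2,
    "contacts_deleted": 2,
    "outbound_burst": 2,
}
WINDOW = timedelta(hours=24)   # assumed correlation window
LOCK_SCORE = 7                 # assumed threshold for a temporary lock

# Constructed audit events: (ISO timestamp, account, event). The times are
# invented and do not reconstruct the real incident.
EVENTS = [
    ("2010-12-20T09:02:00", "victim@example.com", "login_ok"),
    ("2010-12-20T09:03:10", "victim@example.com", "password_changed"),
    ("2010-12-20T09:04:00", "victim@example.com", "recovery_email_changed"),
    ("2010-12-20T09:04:30", "victim@example.com", "secret_question_changed"),
    ("2010-12-20T09:06:00", "victim@example.com", "forwarding_added_external"),
    ("2010-12-20T09:07:00", "victim@example.com", "contacts_exported"),
    ("2010-12-20T09:15:00", "victim@example.com", "outbound_burst"),
    # A routine user: the same events days apart never share a window.
    ("2010-12-18T08:00:00", "ordinary@example.com", "password_changed"),
    ("2010-12-21T17:30:00", "ordinary@example.com", "contacts_exported"),
]


def first_lock_points(events):
    """Map account -> (timestamp, score, signals) at the first moment the
    distinct risky signals seen in the trailing WINDOW reach LOCK_SCORE."""
    by_account = {}
    for ts, account, event in sorted(events):
        if event in WEIGHTS:  # ignore events that carry no risk weight
            when = datetime.fromisoformat(ts)
            by_account.setdefault(account, []).append((when, event))

    alerts = {}
    for account, signals in by_account.items():
        for i, (now, _) in enumerate(signals):
            # Count each signal type once, so repeating one action
            # (e.g. several password changes) cannot trip the lock alone.
            seen = {ev for t, ev in signals[: i + 1] if now - t <= WINDOW}
            score = sum(WEIGHTS[ev] for ev in seen)
            if score >= LOCK_SCORE:
                alerts[account] = (now.isoformat(), score, sorted(seen))
                break
    return alerts


if __name__ == "__main__":
    for account, (when, score, seen) in first_lock_points(EVENTS).items():
        print(f"{account}: lock recommended at {when} (score {score}): {seen}")
```

With these sample events the threshold is crossed at the third credential-recovery change, before the forwarding rule, contact export and outbound burst occur.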

I petition to close the account and hope that no one tries to steal it again in the 30-day window before it's deactivated and deleted.

At the end of the day, I suppose that I was barely a blip on these scammers' radars.  I'm sure they're sending out millions of these emails every day using thousands of hacked accounts.  Still, I can't help but wonder: if everyone that received emails from my hacked account would try to engage the spammers like I did, would they be so overwhelmed with reverse-spam that they would be forced to stop?  If every hacked account led to 200, 500, 1000 return emails, slowly leading them along, requiring days of interaction and eventually leading to a dead end... would they finally throw up their hands and get out of the business?