"My Plight" - My Gmail Was Hacked, And I'm Not Alone!
The "With Tears in My Eyes" Scam Email
[9.17.10 8:13 AM] "My Plight": The Gmail hackers got me! They've hijacked my Gmail account, blocked me out, and sent scam emails to all my contacts. The email's subject was "My Plight." It claimed I'd been mugged and needed cash.
The hackers changed my security info, password, and secondary account. They set up a bogus yahoo account which appears as the "reply-to" on scam messages. Ten minutes after the first scam emails went out, I couldn't log in. I fought "Gmail's Account Recovery Form" for days, but I did get my account back... most of it, anyway.
I'm lucky. My Gmail contacts list was wiped, but at least my email wasn't erased. Many victims of this Gmail attack lose all their email, too.
If you've got a Gmail account, read on to learn how to protect it. If your Gmail was hacked, read on for how to recover and re-secure it!
The "My Plight" Email Sent to My Gmail Contacts
They sent it to my secondary account, too
I'm writing this with tears in my eyes,my family and I came down here to London, United Kingdom for a short vacation.unfortunately,we were mugged at the park of the hotel where we stayed,all cash and credit card were stolen off us but luckily for us we still have our passports with us.
We've been to the Embassy and the Police here but they're not helping issues at all and our flight leaves in few hours from now but we're having problems settling the hotel bills and the hotel manager won't let us leave until we settle the bills. Well I really need your financially assistance..Please, let me know if you can help us out?
Am freaked out at the moment!!
[My name].
--
"I'm supposed to cut back on dangling participles, and I'm not allowed to split any infinitives for at least another week." ~ radio announcer Vin Scully after minor accident
Nice of them to keep my signature about bad grammar while inflicting it on all my friends.
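Two things in the scam mail above give it away before you even read the sob story: the Reply-To header points at the bogus Yahoo address rather than the From address, and the wording is the same stock "stranded abroad, need cash" text. The following is an added example (not code from the original post) of a small defender-side check for exactly those two signals. The sample messages are constructed for this example; the addresses and domains in them are placeholders, not real accounts.

```python
# Added example (not from the original post): flag the two tell-tale features the
# post describes in the "My Plight" mail: a Reply-To that differs from the From
# address, and the stock "mugged on vacation, need cash" wording.
# The sample messages are constructed; every address and domain is a placeholder.
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Phrases lifted from the scam text quoted in the post; lower-cased for matching.
SCAM_PHRASES = (
    "tears in my eyes",
    "mugged",
    "hotel bills",
    "financially assistance",
    "financial assistance",
    "flight leaves in few hours",
    "all cash and credit card were stolen",
)


def _domain(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def reply_to_mismatch(msg: Message) -> bool:
    """True when Reply-To is present and points at a different address than From."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    return bool(reply_addr) and reply_addr.lower() != from_addr.lower()


def scam_phrase_hits(msg: Message) -> list:
    """List the known 'stranded traveller' phrases found in subject or body."""
    body = msg.get_payload(decode=True) if not msg.is_multipart() else b""
    text = (msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")).lower()
    return [p for p in SCAM_PHRASES if p in text]


def assess(raw: str) -> dict:
    """Score a raw RFC 822 message; 'suspicious' needs both signals or 3+ phrases."""
    msg = message_from_string(raw)
    mismatch = reply_to_mismatch(msg)
    hits = scam_phrase_hits(msg)
    return {
        "reply_to_mismatch": mismatch,
        "from_domain": _domain(msg.get("From", "")),
        "reply_to_domain": _domain(msg.get("Reply-To", "")),
        "phrase_hits": hits,
        "suspicious": (mismatch and len(hits) >= 1) or len(hits) >= 3,
    }


# Constructed sample resembling the mail quoted in the post (example.* domains).
SAMPLE_SCAM = """\
From: Ellen <ellen@gmail.example.com>
Reply-To: ellen.help@yahoo.example.net
To: friend@example.org
Subject: My Plight

I'm writing this with tears in my eyes, my family and I came down here to London
for a short vacation. Unfortunately, we were mugged at the park of the hotel,
all cash and credit card were stolen off us. We're having problems settling the
hotel bills. Well I really need your financially assistance.
"""

# Constructed benign sample from the same sender, no Reply-To, ordinary wording.
SAMPLE_BENIGN = """\
From: Ellen <ellen@gmail.example.com>
To: friend@example.org
Subject: Lunch Friday?

Are you free for lunch on Friday? The new place on Main Street looks good.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        print(name, assess(raw))
```

The Reply-To mismatch is the more reliable of the two signals: a hijacked account sends with the victim's real From address, so the scammer has to redirect replies somewhere they control, and that redirect is visible in the headers even when the wording is changed.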
How To Secure Your Gmail
1. Follow the steps here: How to Protect Your Gmail Account.
2. Encrypt your Gmail.
3. Follow Google's instructions on how to secure your Gmail.
4. Download your contact list! Also note the date you opened your account.
Other Gmail Hacking Victims - Reports around the Blogosphere...
Wow. Apparently this "tears in my eyes" scam is everywhere. (See also Gmail's Suspicious emails forum, inundated with hacking victims' pleas for help when I last looked.)
- Nov 23 2009: India Consumer Complaints website
  The earliest report I've found so far of this "My Plight / I'm writing you with tears in my eyes" scam.
- Mar 24 2010: Gmail Hacked | ankur Warikoo
  This one has a happy ending: apparently his account was NOT wiped out.
- Mar 28 2010: The 'With tears in my eyes' e-mail - CNN
  A CNN reporter is nearly taken in by the "My Plight" email from an old friend.
- Apr 15 2010: CA Security Advisor Blog
  A blog on internet security threats reports on the "My Plight" email.
- May 11 2010: Tears in my eyes - GMANews.TV - Butch Dalisay
  A Philippine news blogger gets his Apple Mail, Yahoo, MobileMe and Gmail hacked by the "My Plight" scam.
- June 10 2010: Bill Mullins' "Tech Thoughts" Weblog
  A prominent tech blogger and seasoned internet veteran gets hacked, traces this scam to Nigeria.
- Jul 9 2010: Real Estate Blogger Judith Knutson
  Realtor gets hacked, claims that Facebook may be one backdoor these hackers are using.
- July 17 2010: Maddy's Harrowing Hacker Day
  Electrical engineer Maddy tells a gripping account of his run-in with the Gmail Hackers.
- Sep 7 2010: Paul Chong can't get Gmail back after being hacked
  He thought he was safe on an iMac. He thought wrong. Account Recovery denied.
- Jun 21 2010: "Hacked!" - Women's Voices for Change.org
  Contributor Shelley Singer, another hacking victim, writes an insightful article on how this scam reflects on us.
Email Safety Tip
Create a secret email address you use only with online banking and/or to access credit card accounts online.
If you post on news sites, blogs, or discussion forums that require an email address, create an "expendable" email address for this purpose. Hackers harvest addresses from these sites.
If You've Had Gmail Hacked
1. Fill out the Gmail Account Recovery form.
2. If and when you get in, follow Google's suggestions for securing your account.
Yes, I Take Security Seriously - And I was still hacked.
I've been using email since 1989, before the internet was even the internet. I have never before fallen afoul of phishing, hacking or malware (knock wood). Many people are blaming the following for this rash of Gmail hacking, but I do not...
- Use a weak password. I use alphanumeric passwords written in an invented language and/or several dead languages (inflected).
- Use a Smartphone app. I do not have a Smartphone.
- Connect to the internet from public computers like libraries and internet cafes, or from public wifi networks. I connect inside my own home.
- Access mail through Internet Explorer, Outlook, or a browser with extensions (Many hackers create legitimate-looking extensions that track your activities, infect or snoop on your computer.)
- Share a computer. Nope. Just me and the cat.
- Use poor computer security. Mac OS X has a pretty strong firewall. My home network is password-protected and encrypted (I ain't saying how), and my ISP provides minimal firewall protection as well.
How Did the Hackers Get In?
I don't know for sure, but this is a big no-no:
I hate having to write down passwords, so once I come up with a really weird one, I keep it. I had actually forgotten this password, I'd had it so long: it was on my computer's keychain!
So CHANGE PASSWORDS OFTEN. (Also, never use the same password for different accounts.)
3 Days and 2 Account Recovery Forms Later
Ack, I do NOT remember the month/day/year I opened my account!
Here's Google's reply to me.
Thank you for your report. We've completed our investigation and cannot return your account at this time. We were unable to verify that you own this account based on the information you provided.

If you can provide additional information to verify that you own this account, please visit http://www.google.com/support/accounts/bin/request... and submit another report. Whether we can return access to this account depends on the strength and accuracy of your responses, so be sure to provide as much information as possible. If you're unsure about specific dates or information, provide your best guess.

To create a new account, please visit https://www.google.com/accounts/NewAccount

We apologize for any inconvenience and appreciate your cooperation and understanding.
FINALLY! I've Gotten My Account Back!
Google's Left Hand, I'd Like To Introduce You to Right Hand
[9.19.10 late afternoon] When I returned to the Account Recovery Options page to fill out the form again, I noticed that my "secondary email" was no longer the hacker's bogus account (partially starred out). It looked like it might be the email I had used for the Account Recovery Form. So I tried it. YES!
I logged in and found my contacts list erased, but NOT my email. I quickly did what Google suggests to secure your account after hacking. And then I downloaded years of Gmail to Apple mail, which is not easy.
Google Is Reacting to Hackers - This is good to see...
I caught this on the Twitter search above. It looks like Google is battening the hatches.
IDEA: Set Up a "Hidden Mastermind" Account
Create an invisible Gmail account to manage your email
Your email address is how people know you, so you have to share it. However, it's also the way YOU log in and organize all your mail and personal data. So here's something I've created as an extra layer of security (besides downloading all mail offline). I've set up what I call a "Hidden Mastermind" account.
How to Set Up a "Hidden Mastermind"
1. Create an email account with a VERY secure password which you change all the time.
2. Import your mail to the master account.
3. Under "Check Mail," add all your working email accounts that people know you by. So the master will now collate mail from those accounts.
4. Always send email messages from a "known" public address -- one of those people know you by -- and never from the mastermind. In Gmail, you can set a default "Send Mail As" address.
5. Set Gmail to reply with the email address a message was sent to.
6. NEVER use your mastermind address as part of a user profile or login info on any site, from your bank to Facebook (which has so many security holes it's scary).
A "hidden mastermind" account won't stop keylogging, hackers intercepting connections from Smartphones or public access points, or sophisticated Gmail Crackers. But at least it will be invisible to the majority of hackers, who are targeting email addresses they find on website profiles, forums and Facebook.
Google Responds
The rash of hacking over the weekend has reached Google's attention. I confess, one reason I made this page was to help the news go viral so they'd do something. Sorry, Google.
Anyway, Google is now going to unroll optional two-factor authentication. I think this is a good idea, provided it doesn't make it harder to get your account back.
The Bottom Line
You Get What You Pay For
Gmail is a free service. It's got useful features, but it's automated. If anything happens, you won't get much help.
So if you're depending on email for business, I am not sure Gmail is the safest choice. Email with a service provider that offers 24/7 tech support may be better. Look for ISPs and webhosts that include backup and data recovery, just in case a successful hacking attempt erases or screws up your blog, website, or email.
Have you had your Gmail hacked? Did you get your account back, or are you still waiting? Were your contacts and email wiped? Share your story below! And yes, you MAY post anonymously; just no spam or scams, please!
© 2010 Ellen Brundige