I chatted with a very persistent hacker today; and I’m worried about you

Composite from my gmail
I received an unexpected email from a friend today with a Google doc attachment. It was a friendly note, so friendly that I did consider clicking on it — even with about 20 years’ experience watching all manner of hacker tricks. Fortunately, I stopped and asked a simple question, which is almost always enough to separate real email from phishing attacks.

“Did you mean to send me a document?”

I’ve done this 100 times, and I’ve nearly always received a, “Oh no, I must have been hacked” response. Today, however, was different. That’s why I’m nervous for you.

“Yes, I sent it myself…,” was the response I got from my friend’s email account. “Log in to view the document.”

Whoa.  Knowing my friend as I do, I could tell this was not written in her chatty style.  But outside of that language analysis and my already raised eyebrows, I might have clicked.  So I persisted.

“How is the new home?” I asked, fishing for any sense that my friend was behind the email. Again, I expected that a hacker wouldn’t bother responding. After all, in a traditional phishing attack like this, it’s likely the bad guy sent out a million of these emails, just hoping to get 100 or so people to click and cough up their login credentials.

Seconds later, I got a response.

“Nice and lovely.”

Two email responses? This was getting interesting…and concerning.  I now had a pretty strong feeling that a computer criminal was behind the keyboard, but there was still a small chance it was my friend. So I did two things. You can try these two if you think you might be talking to a criminal.

1) I contacted her on Facebook, borrowing from a technique called “out of band” authentication. I used a different tool to communicate with her to ask if the email was real. Mind you, it’s possible that both my friend’s Gmail and Facebook accounts were hacked, and the criminal could have “passed” this test. But it is at least a good start. If I’d had more time, I would have sent her a text message from my cell phone, and waited for a reply, which would genuinely qualify as “out of band” authentication.

2) I devised a question that a hacker probably couldn’t answer.

“I’m coming to visit (your new city) soon. Remind me what neighborhood are you in?”

Then, the email fell silent. Again, this isn’t a perfect strategy: a very clever criminal could have hacked into her Facebook account and replied back with her new neighborhood (which, of course, I know).  But again, I’ve climbed up the ladder of authentication pretty easily, and also not said anything too offensive.

What does that mean? Many people fall for booby traps because they are simply too polite to say, “That doesn’t sound like you!”   Criminals rely on social conventions like these to trick us.  Such a statement might actually generate a reply like, “I can’t believe you said that. I’m really offended,” or similar.  Many people fall for that. So having  polite but informed banter is a good tool for situations like this.

Those details aside, I’m writing this up to share with you something that really concerns me.  It is incredibly labor intensive for a hacker to reply to notes like mine. That says one thing to me: Someone is trying awfully hard to trick you into surrendering your login information.  So watch out.

So what was going on? I’m pretty sure it was this. Users who click on the attachment are taken to a page that looks like Google docs, but it’s not, and are tricked into logging in to a page controlled by criminals, thereby giving up their Google credentials.

This is bad because a bad guy could send out emails in your name, but really, it’s much worse than that. Millions of people use Gmail as their password recovery tool, so when a hacker gains access to it, s/he can often use it to hack other accounts. For example, they go to an online banking site, click on ‘I forgot my password,’ and have a password reset link sent to your Gmail account. The problem can spiral pretty quickly.

My friend wrote an hour or so later to say she knew nothing about the emails, and a hacker must have broken in. She’s in full recovery mode now. If this has happened to you, here are Google’s instructions on what to do.

Meanwhile, NEVER click on a link to an attachment you don’t expect, even if it comes from a friend. And even if that “friend” asks you to click on it several times.  On the Internet, nobody knows you’re a dog.  And you don’t know if you’re talking to a hacker, either.

About Bob Sullivan 1477 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.
