Account Hijacking

Recently, a Nigerian scammer gained access to my mother’s free email account. Perhaps he guessed her password, or easier still, her secret question. Masquerading as my mother (identity theft!), he then tried to get money from people in her address book (see email transcript below). Seems like an effective scam, judging by the number of people who were ready to wire the money to Nigeria! 

In any case, the scammer had completely taken over her account, and all our attempts to regain access were fruitless. Of course, the scammer had already changed the security question, so we were unable to complete the automated procedure to regain access. And what are the admins to do anyway? How does one prove rightful ownership of a hijacked account when the hijacker has gone ahead and changed all the profile information?

Long story short, you might wake up one morning, only to find that you’ve lost access to all your stored messages and online address book. I suspect that many folks don’t make local backups of their email folders because they trust the (free) online services to have reliable storage, and believe that their passwords are safe. But even the smartest of folks can have their passwords phished. A colleague of mine, a security researcher, was tricked into revealing his password by way of a link that was injected into his ongoing instant-messaging chat window! He too lost access to his email account. You can never be too safe. (Update: I too got phished in a moment of weakness. Sigh. Luckily I realized this immediately, and changed my password before I lost all access to my account).

I think we should all give this scenario a moment’s thought. What would you do if one of your online accounts was hijacked? Is there a fail-safe procedure to regain access? Personally, I’d rather stick to my university email account, because my trusty sysadmin can restore access if needed. But what if your online bank account was hijacked? Will your bank refund any money siphoned out of your account? What’s the fine print on their “money back guarantee”?


Here’s a resource by Carnegie Mellon University to get you started:

Here’s an interesting podcast about identity theft in general (The featured guest is Frank Abagnale, for those of you familiar with the film Catch Me If You Can.):

Email transcript

Please i am in a hurry writing this mail, I’m presently in  Nigeria for an Educational program and i have gotten myself stranded here please could you help me with $3,500 and i will return it as soon as i return.Please i wait to hear from you soon as to send you the information on how to send the money through Western Union or Money Gram,Please keep this between us until i return. i will like you to reply in English Because i am sending this mail from a near by city library here and it only shows mail written in English..

I wait to hear from you soon.



One Response to Account Hijacking

  1. Adelaide says:

    You really make it seem so easy with your presentation
    but I find this topic to be actually something which I think I would never understand.
    It seems too complex and extremely broad for me. I’m looking
    forward for your next post, I’ll try to get the hang of it!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: