Wednesday, July 23, 2008

Phished or cracked?

The scary part is that I just received a personal email from the person who took over my accounts last night and from whom I finally retrieved them just now.

Very Good, Lisa! You have try to get your protection, but that's useless. Anyway, this account is your property then I don't wanna have it. I just make a astonished and will make up a loss to you.
Ominous. Hannibal Lecter, anyone?

Last night I received a note from iTunes thanking me for my purchase. But I hadn't made one. So I went to the iTunes store and discovered that there had been $546 worth of purchases from my iTunes account in the past week. The first $500 was in the form of some very hefty gift certificates. I checked my bank account, and indeed there had been purchases, so I called my bank and reported it. And I reported it to Apple and changed my password.

I made a spreadsheet of the people who received the gift certificates, since I had their names and email addresses from my iTunes account record. One went by Deathemperor. Punkyusa was the one who received the biggest gift certificate, $200.

Somehow, I thought I should check my Yahoo account. Things became a blur here because they happened so quickly and confusingly. It was an unreal experience. I figured out that punkyusa was actually online and in my accounts, since I was receiving email notifications of my own account settings changing even as I logged into them myself. I found that punkyusa had made him/herself an alternate email address for my Yahoo account -- and that, for some reason, I couldn't delete that. It meant that punkyusa would receive notifications of my own password and account changes. I suspected that I hadn't received a note from iTunes for the first $500 in purchases because punkyusa was going into my account and deleting those emails.

And suddenly my Google account was no longer available to me. That was the freakiest part (well, until tonight's note). One minute I was reading an email from an ex-boyfriend, and the next I was trying to log in and couldn't get in. Punkyusa had changed my password. I imagine it was in retaliation for my, just prior to that, changing the Yahoo password and locking him/her out. It would have been a very dramatic movie with a soundtrack and quick cutting between me and punky.

My brother was on the phone, also using my logins to see how far we could get -- dividing and conquering. You'd think this whole experience would have taken like five minutes, but when you don't know what is happening it takes longer. ("Is my caps lock on? Do I know my password?") I spent a lot of time interrupting myself trying to figure out what was happening (like putting together a spreadsheet) rather than how to stop it. My natural inclination: gather more information. I googled Deathemperor and found some 2005 discussion groups where he's looking for discarded website domains on the cheap. I was up for hours.

Punkyusa has laid down his/her arms. Well, except for offering me a link to a free laptop "just for me." So not really laying down arms. But I'm not done. I know these email addresses are probably quickly used and discarded, and no one is really going to want to hunt these people down, but I am still going to report them to their domain hosts and to my bank. Punkyusa is "domain keys verified" on gmail and has sent me an actual email. Shouldn't that be enough of a trail?

1 comment:

Lisa F. said...

A note on customer service: Yahoo was great. I don't think I had much trouble figuring out how to report my problem, and they disabled my account within hours to prevent more activity from punkyusa. Google ... it was hard to figure out how to report it, and they came back the next day saying the results were inconclusive and I couldn't have my account back. I ended up filling out whatever forms I could find until they did.

It is very, very difficult to report security problems to Google, and even as I try to report punkyusa I am finding discussion groups talking about how Google has nowhere to report these issues.