I was working merrily on my book projects last Monday evening when the frantic calls and text messages started coming in around 6:30 p.m. — was I okay? Was I in London? And then my computer started flashing a message: my e-mail couldn’t come in because my password was no longer valid. When I keyed in my password, sure enough, it wouldn’t work. Uh-oh, I thought: big trouble.
The gist of the alarms was that I was supposed to be in London, and that I had been mugged. Apparently, dozens of friends in my contacts list received this from “me”:
“I’m writing this with tears in my eyes, I came down here to United Kingdom for a short vacation unfortunately i was mugged at the park of the hotel where i stayed, all cash, credit card and cell were stolen off me but luckily for me i still have my passports with me.
“I’ve been to the embassy and the Police here but they’re not helping issues at all and my flight leaves in less than 3 hrs from now but am having problems settling the hotel bills and the hotel manager won’t let me leave until i settle the bills,
“I’m freaked out at the moment.”
If you answered this e-mail, like a number of addressees did, you got another message telling you to send $1,600 by Western Union to an address in Cambridge.
Now, I’m no newbie to these scams and can smell them a mile away. In fact, I’ve received messages like this, from people purporting to be my friends — the scholar Resil Mojares, the poet Jimmy Abad, and the music professor Maurie Borromeo among them. So I assumed — naively, as it turned out — that anyone receiving such a preposterous message would trash it immediately. And I have to admit to a bit of snobbery — how could anyone, I imagined, think that I would write so badly, even in the throes of despair?
As the calls and texts kept coming in, I began to seriously worry. I went online to the Apple site to reset my password — but what should’ve been a two-minute operation began to turn into a nightmare. Apple asked me for my birthday as the first and easy step in a verification process — and my birthday was wrong; tried it three times, my birthday was wrong, wrong, wrong. That’s when I knew that someone had really gone deep into the bowels of my account (I would realize yet later how deeply).
Thankfully, Apple has a toll-free Customer Support hotline for this sort of thing (it’s 1-800-1441-0234, in case you’ll ever need it). I got through to someone in Singapore, who set me up for an online chat with her Indian supervisor. Over the next 20 minutes or so, she asked me all kinds of questions to verify my identity (I won’t reveal what questions, but let me suggest that you keep a record of every transaction you’ve ever had with Apple). When she was satisfied that I was who I said I was, she reset my password, and I was back in.
That wasn’t the end of it. First, I realized that my Yahoo account had also been hacked, although this was a bit easier to reset. The hacker probably knew or expected that my requests for password changes and such would be mirrored in Yahoo, so was also waiting for them there. My Gmail account had been hacked as well. (I keep all these accounts for different reasons — the Mac is for business and friends, the Yahoo is for my Penman mail, and the Gmail is my digital “dump,” where I stash away copies of works in progress.)
Using yet another account (it pays to have some backdoors), I sent test e-mails to my Mac (MobileMe) and Yahoo accounts; none were going through. I could send out mail, but no messages were coming in, so they were obviously being diverted elsewhere. I looked further into my Yahoo and Gmail, and saw that the hacker had set up mail forwarding to a fictitious address (jdallisay@yahoo.com—the two LL’s were a giveaway). It was easier to spot in Yahoo and Gmail, but MobileMe annoyingly buries that forwarding command in an interface you can only access online, not within the Mail application itself. Thankfully, my friends in the Philippine Macintosh Users Group, who were eagerly following this saga, walked me through the process, and I was able to root out the traps that the hacker had left in place.
It was nearly 5 a.m. when I got done replacing all my passwords, upgrading my security, and mopping up the mess. I was exhausted, but it was an educational and even, in some ways, an amusing experience. I didn’t mean for it to be any kind of loyalty check — my more Internet-savvy friends sniffed out the scam right away and texted me to say that I’d been hacked — but I was genuinely touched, if somewhat bewildered, by the kindness and sweetness of some others who called me directly or found some other way to ask if they could help. I only pray that no one cared for me too much to send $1,600 to Cambridge by Western Union without so much as asking Beng if I was, indeed, in England.
On my blog — at the quick-thinking suggestion of my daughter Demi, who woke up to the message in California — I put up a notice announcing the attack. “Don’t send any money to the UK!,” I implored my readers. “I love you all and appreciate your concern — and I dearly love London and am always in need of money — but that’s not me. Send it to me!”
My sister Elaine, in Virginia, actually assumed the role of a “scambaiter” and led the guy on in a hilarious e-mail exchange you can read on my blog. Another friend said, “I saw a typo and knew right away it couldn’t be you.” Yet another friend said, in so many words, “I haven’t heard from you in months, and this is how you say hello?” But I have to give the Most Impressive Response Award to a well-connected friend who texted: “Do you need help? I have friends in Scotland Yard.” How good to know, if ever!
So how, exactly, had I been hacked? My Philmug friends and I came up with some theories. It couldn’t have been from “phishing” — giving out your password online because “Yahoo verification needs it” or “Citibank is updating its records,” for example — because I’m too familiar with these scams. The likely culprit is what’s known as sidejacking — stealing your password on the air as you type away at Starbucks. (If you want to see how it works, check this out: http://www.youtube.com/watch?v=nFNFa-48lpI.)
It’s a scary world out there, folks—so scary it could put tears in your eyes!
* * *
E-mail me at penmanila@yahoo.com and visit my blog at www.penmanila.net.