April 3, 2010
Your friend is freaked out at the moment
Subject: my predicament
From: [your friend's full first and last name] <[your friend's
I'm writing this with tears in my eyes,sorry I did not inform
you about our trip.We actually made a quick travel to London
and unfortunately attacked and mugged at gun point on the
way to our hotel,all cash,credit card and cell phone were
taken away from us but luckily we still have our passport
We`ve been to the embassy and the Police
here but they're not helping issues at all and our return
flight leaves anytime from now but we`re having problems settling
the hotel bills and the hotel manager won't let us leave until
we settle the bills.
Am freaked out at the moment.
[your friend's first name]
That email might get anyone "freaked out."
And if you know how to read email headers, you would see it came
from a mailserver called "bay0-omc3-s5.bay0.hotmail.com [184.108.40.206],"
showing it really came from a Microsoft service like msn.com, hotmail.com,
or live.com. In fact, it really did come from her email account,
and it was sent to people in her address book. Unlike spams that
spoof the recipient's name in the "from" field, it used
her real name, which is not the same as her username. Her friends'
email filters probably all marked it as "not spam" and
let it through. There was no indication of how many people it was
sent to: Instead of having the recipient's name and email address
in the "to," it came as a blind carbon copy (bcc).
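The header checks described above can be scripted. This is an added example, not part of the original post: the sample message is constructed (only the relay name and bracketed IP are quoted from the text), and `triage`, `PROVIDER_RELAYS`, and the placeholder names and addresses are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Relay suffix -> sender domains it serves (the three named in the article).
PROVIDER_RELAYS = {"hotmail.com": {"hotmail.com", "msn.com", "live.com"}}

# Constructed sample: names, addresses, receiving host and time are placeholders.
SAMPLE = """\
Received: from bay0-omc3-s5.bay0.hotmail.com ([184.108.40.206])
 by mx.example.net with ESMTP; Sat, 3 Apr 2010 09:12:44 -0400
From: Jane Friend <jfriend_placeholder@hotmail.com>
To: undisclosed-recipients:;
Subject: my predicament

I'm writing this with tears in my eyes...
"""


def triage(raw, my_address):
    """Summarise the header facts a recipient can check for one message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Host named after "from" in each Received header; the last header is the
    # first hop. That name is supplied by the sending host, so rely only on
    # Received lines added by your own provider.
    relays = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", hdr)
        if m:
            relays.append(m.group(1).lower())
    origin = relays[-1] if relays else ""
    relay_ok = any(
        (origin == suffix or origin.endswith("." + suffix)) and domain in served
        for suffix, served in PROVIDER_RELAYS.items()
    )
    # An empty group such as "undisclosed-recipients:;" yields no address.
    shown = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    visible = {a.lower() for _, a in shown if a}
    return {
        "display_name": display,
        "origin_relay": origin,
        "relay_matches_sender": relay_ok,
        "sent_as_bcc": my_address.lower() not in visible,
    }
```

For the sample, the relay matches the sender's provider and the display name is a real name, exactly what an ordinary message from the friend's own account would show, so header checks alone do not expose a hijacked mailbox.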
Hopefully, none of her friends would be fooled
by this. This particular woman wouldn't easily be "freaked
out" enough to lapse into such horrendous grammar.
In this case, the victim believes her computer
was infected by a trojan that accessed her email account. After
sending this message, it proceeded to erase her address book, making
it difficult to warn her contacts once she was alerted to what had
Another common ploy would be to simply guess someone's
email account password and take over her account. The scammers can
change the account's password, backup email address, and challenge
question. The real owner is locked out and can't easily regain access.
The criminals can then proceed with sending the email and erasing
the address book.
The email did not give any way to contact the
scammer except by responding to the friend's real email address,
and it did not directly ask for money or give instructions for how
to send it. Someone who responded to it would have had to make direct
contact with the criminal and have a further exchange of emails.
The criminal needed to continue to have control of the email account
in order to receive the replies and to impersonate the friend. It
is very similar to a 419 scam, but it takes advantage of people's
willingness to help friends/relatives in trouble, rather than taking
advantage of greedy people's desire to acquire large sums of money
that doesn't belong to them.
A lot of people are being hit with this. Someone
who took the step of contacting the criminal got this reply and
posted it on a forum:
I am very glad to read
from you, Im good, just mentally bad due to the hotel
bills and other bills.Honestly,I wound have love to call but
I have no access to a cell nor even a cent for a payphone. All
I need now is $2,000 but anything you wired will be appreciated,
You can get it wire to my name via Western union so that i can
use my passport for verification here at western union outlet
This is the details you need at western
union location below -
Name - XXX
Location - 30 Leicester Square London United
Kingdom WC2H 7LA
Kindly email me the transfer details as soon
as you have it done I will definitely refund it back once
we get home tomorrow.
That means the criminal has a fake ID in the victim's
name, too. They aren't asking for the Western Union office to require
any secret words, as might be used when wiring money to someone
who doesn't want to reveal his real name. Other people have reported
their cell phone accounts were even changed to prevent incoming
calls. There's a long description in
a column by Bob Greene.
A similar scam was used against some members of
the British Parliament recently. But no one is immune. You don't
have to be famous for your email account and identity to be valuable
to scammers. And you don't have to be careless or clueless to get
How do you protect yourself? Some general safety
* Don't use Internet Explorer for your web browser. Internet
Explorer 6 is very bad (though many businesses haven't upgraded
their own systems to work with anything more recent), but
even IE8 allows ActiveX controls that give websites way
too much control over your computer. Some websites won't
work with anything else, and you have to consider how much
you need to use those websites and how much you trust them.
Remember that even good websites can get hacked. The websites
of antivirus companies have even been hacked, and at least
one was infecting visitors with trojans for a long period
of time. So it's not just a case of careless, uninformed
webmasters getting burned. Firefox
is a free and easy to use alternative to IE. It doesn't
* Consider not using a Windows operating system. Microsoft
has the largest market share, so most trojans are written
to run on it. Other operating systems also aren't as promiscuous
as Windows, which allows random software to alter system
files. If your computer is running Macintosh or Linux, you
can download most trojans and still not be harmed, because
the trojans can only run on Windows.
websites. The easiest way to do that if you use Firefox
is to install the NoScript
add-on. That allows you to evaluate the site and easily
want it to be permanent or temporary. You can even allow
it for the main site and not for the ads. (Remember that
ads on websites are often supplied by third party companies
and vary from day to day, without the site owner having
the ability to screen them. Criminals have managed to get
dangerous content in the ads on otherwise safe websites.)
* Be highly suspicious about anything that arrives in email
and asks you to provide any kind of information. PayPal,
your bank, your email provider, your credit card company,
your cell phone company, your airline, etc., are not going
to send an email asking you to give them your password.
They aren't going to ask you to provide information they
already know. And if they need you to log in, they will
tell you to go to their main website, not give you a link
to follow, except to confirm an action you already initiated.
* Be suspicious of email attachments. Unfortunately, an
increasing number of business users will send emails where
the entire message is in the attachment, apparently thinking
it will be taken more seriously if it is formatted as a
.doc or .pdf file. But criminals can disguise malware in
attachments. Attachments that end in .zip, .exe, .cmd, .vbs,
.pif, .scr, and .bat are particularly risky. But there have
been exploits that took advantage of formats like .pdf that
are generally safe.
* Consider using an email program other than Outlook, or
using a text-only program to check emails before opening
them in Outlook. Outlook limits your ability to see the
source code in emails, making it harder to evaluate whether
a particular email is safe. There are programs like MailwasherPro
that allow you to toggle between the source code and the
viewable email and make it obvious when dangerous links
are being disguised.
* Keep your computer's software programs up to date. You
need to update your antivirus and antimalware programs daily
due to the constant stream of new malware being created.
But vulnerabilities are often found in browsers and other
applications that interact with websites. You need to get
the patches before the bad guys develop malware to exploit
* Don't give access to your address book to any website.
I know that sites like Facebook, LinkedIn, Classmates.com,
etc. will ask, so they can search for your friends. They
shouldn't ask. It requires your password, which you should
never give to anyone.
* Make sure your home wireless network has encryption and
a strong password. And don't access any website or account
that requires a password from a public computer or an unsecured
wireless network. A computer in an internet cafe is likely
to be full of trojans from other people's surfing. And criminals
honest-to-god do sit in their cars in hotel parking lots
or on residential streets running "sniffer" programs
that collect other people's passwords. Accessing your email
account from a shared workplace computer is risky if you
don't know what everyone else's level of security awareness
* Choose very strong passwords. A criminal doesn't need
to make repeated guesses to find your password. They can
try the same password on many different people's accounts.
There are lists of commonly used passwords out there. You
should make sure your passwords aren't on any of those lists.
In general, a password should be very long. It should have
upper and lower case letters, numbers and special characters
in it. It should not be a dictionary word or a word with
a few numbers added at the end. Except for trivial websites,
you should use different passwords for each site. But ...
you have to be able to remember it without writing it down
anywhere. Think "passphrase" rather than "password."
Some people use passages of text that they have memorized
and use the first letters or last letters of each word in
the passage, inserting capital letters, numbers and special
characters in the middle as well.
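The password rules in the last item can be checked mechanically. This is an added example, not part of the original post: the two word lists are tiny constructed stand-ins for a published common-password list and a dictionary, and `MIN_LENGTH`, `password_problems` and `initials` are assumptions made for illustration (the text says only "very long").

```python
import re
import string

# Constructed stand-ins; a real check would load a published common-password
# list and a full dictionary.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"password", "dragon", "london", "monkey", "sunshine"}
MIN_LENGTH = 14  # assumption: the article gives no number


def password_problems(pw):
    """Return the rules from the list above that this password breaks."""
    problems = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on a common-password list")
    # Strip trailing digits/punctuation to catch "word plus a few numbers".
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    if stem in DICTIONARY:
        problems.append("dictionary word, possibly with characters appended")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lower case": any(c.islower() for c in pw),
        "upper case": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special character": any(c in string.punctuation for c in pw),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]
    return problems


def initials(passage):
    """First letter of each word: the starting point of a memorised passage."""
    return "".join(word[0] for word in passage.split())
```

A password such as `London2010` has upper case, lower case and digits yet is still reported as a dictionary word with characters appended, and the bare initials of a passage fail until digits and special characters are inserted in the middle.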
The reports posted on the web by people who have
been affected mention their other accounts, like Facebook, also
being accessed. Once the scammers have access to the victim's computer,
they can do a considerable amount of snooping, and they can even
lie in wait before launching the email hijack, logging keystrokes
to collect passwords. The victim needs to clean the infection off
her computer, but she also needs to be ready for further attempts
at identity theft. All passwords saved in the browser or other programs
need to be changed, especially things like passwords to online banking.
She needs to contact one of the credit monitoring bureaus to put
a "fraud alert" on her account, as the person in England
probably has a fake passport with her information on it and can
use that to take out new credit cards. She should change her current
credit card account numbers if they are saved on her computer or
if she has saved them in her account profiles at merchants like
Amazon.com. It's a huge pain, but it's easier to deal with it immediately
rather than trying to get fraudulent items removed from her credit
history after someone has taken out a car loan in her name.
One more thing -- since the thief is using a Western
Union office in England, it's worth notifying the Metropolitan Police
at fraud.alert[at]met.police.uk. I wouldn't recommend contacting
these criminals using your real email account. (The reply listed
above is vague enough that they probably aren't keeping track of
which addresses they have or have not sent email to, anyway.) But
if you have replied, the second email, with the instructions for
sending the money, would be particularly useful.