A sad story of a Gmail account hijacking with an even sadder ending

First, Phoebe Lansdale lost her Gmail account. Then her friends started to lose money.

Hers is a sad story with an even sadder ending and an important warning for the rest of us: Never, ever give your password to a third party.

Lansdale realized something was wrong when she couldn’t access her Gmail account in late May.

“My password was blocked, despite various efforts,” she says.

A friend phoned me shortly to report that my entire email directory apparently had received an email at 4:24 am, supposedly from London, saying I’d rushed over to a seminar there without telling anyone, lost my wallet, and was in need of $1500 to pay my hotel and get home.

It asked for a transfer to me (Phoebe Lansdale) via Western Union at [address redacted] presumably being able to arrange for someone to forge my name to collect it.

I wrote about this scam in a recent column.

I went to Google LiveHelp which put me (for a fee) onto its technicians in New Delhi, where I spent most of 6-7 hours (telephonically and on my computer). The two successive Indian technicians seemed to have infinite patience in their efforts to reset just my password so we could get into my gmail account, but the Nigerian scammer (or whoever he is) did a thorough job. My entire old email directory is gone.

The Google-gmail technicians said they could not get my directory back. They asked me if I’d turned on Facebook recently (I had, very briefly the evening before), but they made no charges against it; however, the media is alleging that its security is not automatically tight.

The technicians also told me that once hackers get going, they continue on automatic pilot, by the thousands of scamming messages! By 4 pm, we abandoned the effort to reopen the account, and I now have a new gmail account.

Meanwhile, her friends began contacting her by the dozens. Apparently, the scammers are quite clever, and they used information from her email files to “authenticate” their request. For example, one acquaintance asked for details about another acquaintance, which was easily accessed through her old emails.

I am distressed to have caused such a flurry, and especially sad to have learned that one acquaintance who chooses to remain anonymous actually lost money by responding; I don’t know how much – only that an effort to cancel the transfer was too late: “It has been picked up.”

How awful.

A few days ago on this site, I suggested it might be OK to respond to these scammers. Perhaps not. If you get a London scam email, report it immediately.

(Photo: night 86 mare/Flickr Creative Commons)

  • Meredith Putvin

    No, not perhaps not, Definitely No. This is the result of such.

  • Ed

    Do we know exactly *HOW* the scammers got this person’s google login and password? I don’t understand how this can happen. I’ve had a Yahoo address since 1993 and never had a problem with it…a Google address since 2000 and an MSN address since 2003. On top of this, I have my own email server and a work email address. *NONE* of them have *EVER* been compromised.
    I read a saying that an internet security person had on his cubicle…
    “Passwords are like underwear. The longer the better, don’t share them with friends, don’t leave yours lying around, change them often and be mysterious”
    Ed

  • The Good Doctor

    Acquiring someone’s password is quite easy. The easiest is when somebody “saves” their password to a public computer to save additional time when logging on. Another method is to capture it via a public wireless system. A third way is to use a public computer that has been infected with a Trojan worm that surreptitiously captures your log-in name and password whenever you use the machine. Having a complicated password does nothing to deter those methods – as soon as you type it, it’s theirs.

  • Meredith Putvin

    The Good Doctor fails to mention other methods including Password Crackers. Script Kiddies, as we called them, love to prove they can hack any system. In my case, I was the victim of someone looking to buy Virtual Goods.

    I fell victim to a Paypal hijacking about 3 years ago. I had Paypal for at least 3 years prior to that with no problems. The Problems came in when I changed my e-mail address to a free e-mail account. They managed to harvest my e-mail address (Difficult because I tend to use names that are not in any baby name book) and cracked my Password.

    They then proceeded to make purchases at websites that sell “Virtual Gold” For World Of Warcraft (Blizzard Entertainment). The biggest reason I caught it so fast was that I monitor my e-mail constantly and I had done business with one of the sellers previously. The seller had a policy of verifying the transactions either via e-mail or phone. When I told him I did not authorize the purchase (Having shut down my WoW account close to 6 months prior), he reversed the transaction immediately. The other sellers were not so accommodating or pleasant.

    This also meant a call to Paypal to freeze my account (which they did immediately), a call to my bank to freeze my account, a visit to my Bank to shut down account and reopen a new one, and a Call to the police department (Major crimes handles this type of thing)… I also contacted World of Warcraft, but nothing was done there.

    I had a password that was 8 to 10 characters long, alphanumeric. I had never had a problem up until I used a Yahoo E-mail account. I haven’t had a problem since. I did have to file an affidavit with Paypal, but once they had that documentation, they released my account within 10 days.

  • KMG

    Just be careful where you click, and keep an eye on what software you personally have on your computer as well. There was a problem with Adobe Flash (they’ve since cleaned it up, but it shows it can happen) that allowed a lot of log in information to be compromised at the time. They issued an update to deal with the problem, but it’s also best to have some sort of screening software on your computer which you can get at little or no cost, and just run regularly, or right after you leave a page you don’t feel good about. Ad-aware, Spybot Search and Destroy are a couple of good ones (donate to the creators if you like them!).