Hacked Neff: Scammer steals Supe candidate's accounts

Former IBM exec Cynthia Neff has used computers since the 1980s and understands the importance of secure passwords. That's why it was particularly galling to discover a hacker had taken over her Gmail account and was trying to fleece her contacts with the old "London mugging" scam.

Worse, the scammer locked her out of her email, Facebook, and even a secondary Yahoo account.

"It's horrible," said Neff July 20, still able to communicate with old-fashioned telephone. She's running for the Rivanna District seat on the Albemarle Board of Supervisors and had based her campaign distribution list on her email contacts.

Neff's hundreds of contacts, including the Hook, received an email marked "urgent" that spun a fictitious tale of her being in London and her bag had been stolen along with passport and money. Could the recipient wire her some quick cash, which she'd repay when she got home, so she could get on the next available flight?

Although the scam is not new, Neff worried that some would fall for it. "Older people and relatives called to ask, 'Do you need money?'" she recounts. "A neighbor came by, worried about me, and said he'd called the British Embassy."

The nice thing, she says, was that she got 75 phone calls from people checking to see if she was okay. Not so nice: getting locked out of her accounts during her campaign to unseat Republican Ken Boyd.

The first thing experts advise is to change passwords, but Neff's hacker was way ahead of that and had already changed the password.

Then she discovered how difficult it is to regain control of her accounts, especially for Google and Facebook, which do not provide phone numbers to users. "They're very clear they don't do customer support," says Neff.

Google offers a form for users to fill out to determine ownership of the account, but it asks for information that Neff said she didn't remember, such as the date she opened her Gmail account. Google spokesman Jay Nancarrow urges that she keep trying.

"We allow a certain amount of tolerance," says Nancarrow. "Our system tries to set up a balance to let someone prove who they are." He notes that Google doesn't ask for a lot of information when people sign up for Gmail.

"It's a regular and ongoing problem for us," says Nancarrow, who advises users to include a phone number when setting up the account. Earlier this year, Google added a two-step verification process, sort of like what's used in signing onto a bank account.

And speaking of bank accounts, reusing the same password for social network or email accounts and bank accounts is a hacker's dream, say the experts.

Neff knew better than that, and had used different, difficult passwords for her accounts. "I just wish I knew how it happened," says Neff, who finally regained control of her accounts by July 21.

Detective Michael Wells with the Albemarle police has a few ideas.

"I've been a victim of that myself with Facebook," he says. Wells uses a device on his phone called a passdroid that manages and randomly generates passwords.

"Using public wifi is great, but it's very dangerous," says Wells. Another method for pilfering passwords is a keystroke logger, a program that can be surreptitiously installed to covertly record every tap on the keyboard.

"My best advice is to keep your antivirus up-to-date, be careful where you use wifi," he says. "Or get a Mac."

Wells advises letting local law enforcement know so they can follow the money should a victim wire funds. "If they pick it up at Walmart in North Dakota, we can find that." He also suggests reporting hacks and scams to the Internet Crime Complaint Center, ic3.gov, an FBI/National White Collar Crime Center partnership. "It's an international problem." he says.

And one for which the National White Collar Crime Center doesn't offer much hope. "There's not a lot that can be done," says spokesman John Everett. He suggests contacting local authorities in case there's a crime wave going through the region, and reporting the incident on ic3.gov.

And while the Internet Crime Complaint Center has no statistics on how often the stranded traveler scam is reported, says Everett, once it's put into action, it blossoms into multiple computer crimes: identity theft, theft, fraud, and credit card fraud.

Although Neff got her e-life back, she says her hacker is still pretending to be her, communicating with a fake email account using her name with an extra "f" in it. 

"It's really creepy," she says. "And it's really scary that people might fall for it. I'm afraid I'll never know unless someone tells me they sent money."

33 comments

"My best advice is to keep your antivirus up-to-date, be careful where you use wifi," he says. "Or get a Mac."

::sigh::

Thanks, Detective Wells, for perpetuating falsehoods about Macs versus PCs. Really helpful.

Tim, this is exactly what concerns me when you have cops investigating crimes on the Internet. They don't know as much as they think they do. And once in court and testifying, the judge or jury has no clue they have no idea what they are talking about. Not long ago the Albemarle police also had a cop searching hard drives that wasn't even remotely qualified to do so. And his findings were introduced as evidence.... until he was challenged and proven not to be qualified.

Here's the link to what I was speaking of above....

http://www.readthehook.com/79785/news-county-criticized-teens-parents-co...

"Thanks, Detective Wells, for perpetuating falsehoods about Macs versus PCs. Really helpful."

The internets do not lie!!!!

(Disclaimer:
Not responsible for the content of this post.)

""Using public wifi is great, but it's very dangerous," says Wells. Another method for pilfering passwords is a keystroke logger, a program that can be surreptitiously installed to covertly record every tap on the keyboard.

"My best advice is to keep your antivirus up-to-date, be careful where you use wifi," he says. "Or get a Mac.""

So if i have a Mac then i don't need to worry about viruses or using public wifi? The level of ignorance in that quote is astounding... Thanks for making helping to make the public safe detective.

Correct, Logan. You're less likely to be exploited or hacked on a Mac.....

...but ONLY because there are simply fewer viruses and attackers targeting the Mac.

One platform is just as safe as the other. To suggest or imply that the Mac is better or more secure than the PC isn't the first time a cop has given out erroneous information, and it won't be the last time.

I have used Macs since the 90's and have NEVER been hacked or had a single virus

Well thomask, obviously you know how to keep your system secure.

Combined with the fact there's not as many hackers targeting the Mac platforms. :)

GSOE: My problem is telling people on a Mac that they are safe and don't need to be cognoscente of that they are doing simply because they are on a Mac.

Thomask: I have used a PC since the 80 and have not had a problem either. I have also driven a Hyundai for a very long time and never been in an accident, nor have any Hyundai owners i know, but i wouldn't say that people who drive Hyundais don't need to worry about being in an accident.

Why don't the cops send money and track who retrieves it ?

Nancy: It is normally sent via western union or the like to another country. Even if the receiving countries had the resources to track these kind of crimes down they don't have the desire. In fact these kind of scams are a big part of many countries economies.

That is really infuriating. I'm glad she's gotten back control over her accounts.

Er, no—the detective is right. There are literally zero viruses for the Mac. Not one. No spyware, either.

There was a single case of malware released earlier this year—it was a program called "Mac Defender" that, for anybody foolish enough to install it, would try to send itself to other people. But it didn't actually do anything, IIRC. That's not a virus, though, because it cannot infect a system without taking an action. (And I don't think it's in the wild anymore.)

Put in social terms, I've been a Mac user for 14 years, and I know hundreds of other Mac users. Neither I nor anybody that I know uses anti-virus software (which, bizarrely, exists for the Mac—if you own a copy, allow me to sell you some UFO repellent), and I don't know a soul who has ever gotten a virus or spyware.

Ah yes, its "old cheating spouse" Neff - guess she didn't learn her lesson the first time - hopefully the people of the Rivanna district will remember her disgusting campaign ways and bid her good riddance before she can slime and demean someone else's character.

Waldo, can you explain the remarks of 32 experts in this field at the following link?

http://news.cnet.com/8301-27080_3-10444561-245.html

In particular, Avi Rubin, computer science professor at Johns Hopkins University says: "Right now the Mac is more secure than the PC, but only because the PC still has almost 90 percent of the market. The Mac is no more difficult to hack than the PC, but hackers get much more bang for their hacking buck attacking Windows. So, you're safer on a Mac...for now."

I think the discussion is going to get real confusing if we use specific terms like "hack", "malware", "spyware" and "virus" when discussing how secure a PC or Mac is. Macs are not compromised as much only because the majority of hackers choose to go after the PC platforms. But the Mac is still compromised more often than most Mac users like to admit. At best, the detective should have said the Mac affords a user a little more security than a PC. He should not say, ""My best advice is to keep your antivirus up-to-date, be careful where you use wifi, or get a Mac."

NancyDrew @sending bait money and tracking recipient: doesn't work when low level employees at these money-mail companies are in on the scam, which is often and maybe usually the case. Check? What check? Recently the Money-gram component of Walmart was forced to remit $18 millon because its employees in Canadian stores were cashing scammed US money-grams from a "Grandma I've been in an accident and I need $2000" scam (using a scratchy cell phone and enough computer-phished personal information so the grandma actually thought it was family member). A friend of mine got hustled this way. http://antifraudintl.org/showthread.php?t=29063

You don't need to hack a Mac to steal information broadcast unencrypted over WiFi. Also there are plenty of Adobe Flash and other exploits that are not as OS specific.

jmcnamera, would you consider an "exploit" and a "virus" to be the same thing?

I do. I always have. I just don't know who others feel about the terms.

Waldo: You can check out a list of viruses on OSX here: http://www.iantivirus.com/threats/

as GSOE has stated Macs don't get more viruses only because they are not more prevalent.

To illustrate this check out the Pwn2Own results:
2008: Fully patched OSX hacked in under 2 minutes
2009: Hacked in 4 different ways first one again in 5 seconds
2010: Again OSX is the first to be hacked
2011: To pull of the sweet OSX was hacked first again

Also as jmcnamera pointed out, no OS will protect you from sending unencrypted information out over wifi. No matter how you spin it, telling someone that they don't need to be vigilant just because they are on OSX, or any other OS for that matter, is irresponsible and doing them a great disservice.

Waldo, I would have expected more from you. You're a very bright guy. But in this case you're completely wrong. Your personal anecdotes and factless assertions do not further this discussion in any way. Logan's most recent post is spot-on.

GSOE, if you are as clueless as you admit to being on the subject, (see the comment "would you consider an "exploit" and a "virus" to be the same thing? I do. I always have.") then why did you feel it was necessary to insert your commentary regarding a matter you obviously know nothing about? (Other than habit...)

None of my Macs have ever been compromised in any way. That isn't because no one has any interest in hacking the Mac, which would immediately make the successful hacker a super star in the hacker community, it has more to do with the BSD Unix foundations of OS X that by nature are more secure. There is no lock that can't be broken and no OS that can't be compromised, but there is no denying that some of each are more secure than others.

http://www.techrepublic.com/blog/security/security-vs-popularity/4403
"It does not take much, in terms of market share percentage, for a piece of software to be popular enough to attack. For the most widely used types of software, a single percentage point can mean millions of deployments."

Irresponsible is the understatement of the decade. :)

To say "do so and so, or buy a Mac"..... leaves less than savvy computer users thinking a Mac is totally safe and secure.

"Mac Defender" is the most recent virus aimed at Macs. It has become such a threat that Apple is even acknowledging it's existence, something Apple rarely does as we all know.

Here's a story on it.....

http://www.sltrib.com/sltrib/entertainment/51832910-81/mac-click-virus-s...

cookieJar, how and why did you come to the conclusion that I am clueless on this topic?

Waldo is a very intelligent person, and he did indeed have me second guessing my own knowledge when he said Macs are secure and safe, no known viruses to date. A local doctor I know had her Mac compromised recently. Prior to that she thought she was invincible too because she had a Mac. God only knows what kind of information the hacker was able to pull off her machine.

Here's an e-mail I just received. It carries the name of a lady I had business with over 2 years ago. When I first started reading it, I was suppose to believe it was indeed the lady I knew. Some people would rush off and wire the money. Well, obviously, her computer and e-mails have been hacked. She does indeed visit the UK often, so the e-mail is suppose to appear authenic. More likely than not, the hacker now has my name and e-mail and will use them to solicit money from unsuspecting persons.

(I deleted her first name in the e-mail below)

--------------------------------------------

I'm writing this with tears in my eyes, my family and I came down here to North
Wales,Uk for a short vacation. unfortunately, we were mugged at the hotel park
where we stayed, all cash and credit card were stolen off us but luckily for us
we still have our passports with us.

We've been to the Embassy and the Police here but they're not responding to the
issue effectively and our flight leaves in few hours from now but we're having
problems settling the hotel bills and the hotel manager won't let us check out
until we settle the bills.Well all I need now is just $2,450 or anything you can
afford, You can have it wired to my name via any Western Union Outlet around
you. I'll have to show my passport as ID to pick it up here and i promise to pay
you back as soon as I get back home. Here is the info where you will wire the
money to:

Receiver name: XXXXX Thomas
Location: 21 Queen Street, Llandudno, North Wales, LL30 2LE, United Kingdom.
Amount: $2,450

As soon as it has been done, kindly get back to me with the confirmation number.
Let me know if you are heading to the Western Union outlet now.

XXXXX.

The windows/mac argument has been going on for years. It is really personal preference as each have their own faults and advantages. The same goes for browsers which are usually the point of entry.

To be compromised does not always mean you have a virus or malware. Unless the breach is software/hardware malicious the user will never know anyone has been there or has been sniffing the air. The wep security used by most wireless networks can be cracked within 60 seconds with tools easily obtained from the internet and can crack/detect hidden wireless networks as well.

A recent story described how one guy infiltrated his neighbors network and framed him by downloading kiddie porn and sending the vp of the US a death threat all while sitting in his living room. The neighbor had no idea someone was even attached.

Be careful my friends. The digital world is not a nice place to play.

@ Gasbag Self Ordained Expert , your cluelessness clued me in to your cluelessness.

"I think the discussion is going to get real confusing if we use specific terms like "hack", "malware", "spyware" and "virus" when discussing how secure a PC or Mac is. Macs are not compromised as much only because the majority of hackers choose to go after the PC platforms. "

Virtually any conversation becomes more confusing when commonly accepted uses of words are ignored in favor of random assignments of meaning according to the whims of one or more participants. Your statement is like saying that a conversation regarding the safety of walking in any given area after dark would be confusing if we used specific terms like "robbery," "beating," "abduction," or "drug dealing" and said that someone with no money would be safe anyway because most criminals only care about people carrying money.

"jmcnamera, would you consider an "exploit" and a "virus" to be the same thing?

I do. I always have. I just don't know who others feel about the terms."

Wikipedia has its flaws, but when you have no idea of what you're talking about, it can serve as sort of a "complete idiot's guide" to the basics. Note that Mac Defender isn't self propagating.

http://en.wikipedia.org/wiki/Mac_Defender
"Mac Defender (also known as Mac Protector, Mac Security[1], Mac Guard[2], and Mac Shield[3] ) is an internet Trojan horse masquerading as an anti-virus program that can be installed by unwitting users of computers running the Mac OS X operating system. First media reports of the software surfaced early in May 2011 (the 2nd) with a patch not being provided by Apple until the 31st of May.[4] The software has been described as the first major malware threat to the Macintosh platform (although it does not attach to or damage any part of OS X).[5][6][7][8][9] However, it is not the first Mac-specific Trojan, and is not self-propagating."

OK, let's go with that! Let's assume I have said, "Someone with no money would be safe walking around adter dark because most criminals only care about people carrying money."

Isn't this similar to my saying, "My best advice is to keep your antivirus up-to-date, be careful where you use wifi, or get a Mac."

The first statement clearly implies "Don't carry money after dark while walking."

The second statement clearly implies "a Mac is safe, no need to worry about keeping your virus definitions up to date or exercising caution when using wifi."

This is really the only thing I object to in the original story above. The detective has pretty much portrayed himself as a computer expert, and he issued erroneous information while doing so. Perhaps he should have read Wiki's "complete idiot's guide" before issuing such a statement about computer security. The last so called computer expert offered up by the county police was shot down rather quickly. He wasn't even certified in the duties he was performing. And his testimony, which he was not certified to offer, caused a kid to sit in jail for 60 days.

Let me refresh your memory if you don't recall what I am speaking of in the reply above this one. This is a direct quote from The Hook I posted at the beginning of this thread:

-------------------------------------------

In court, Jenkins maintained that the 13-year-old was not a suspect until after the family voluntarily brought in its computer and Detective Gary Pistulka told her it had been tampered with.

That's another sore point for the family. "[The boy] was detained for 60 days because Detective Pistulka said the computer was tampered with," says Heilberg. "You didn't hear about that in court."

Pistulka testified that as an investigator he does interviews and executes search warrants. He also takes possession of computers, performs analysis using software in which he's not certified, and writes reports.

"I think it's inexcusable," says the boy's father, "that in the county, one, the only person who does computer forensics is not certified, and two-- even more inexcusable-- there's no one to check his work."

To the father, that demonstrates "no proper chain of custody with Pistulka handling evidence that will affect the case."

Jenkins and Pistulka did not return phone calls from the Hook by press time.

@GSOE

"OK, let's go with that! Let's assume I have said, "Someone with no money would be safe walking around adter dark because most criminals only care about people carrying money."

Isn't this similar to my saying, "My best advice is to keep your antivirus up-to-date, be careful where you use wifi, or get a Mac.""

Is English your second language?

Give it up gas. For now Macheads have the high ground when it comes to the virus debate.
We all know real geeks use linux and unix to run the world.

macs are good for beginners and for people who don;t care how things work. u just have to know how to turn it on and click the mouse. most people who use the macs do some type of design work or use it for programming.

I wouldn't disagree with the idea that a Mac user has a lower probability of getting a virus/Trojan/etc simply because there are less out there. I take exception to the idea that once you have a Mac you don't need to worry your self with security at all. Unfortunately it is a widely held belief and it doesn't help when someone who is in a perceived expert perpetuates such a stupid stance. Most viruses rely on naive users that runs a program they shouldn't and the idea that Macs are invulnerable perpetuates the problem. The other viruses get installed is through different exploits, and my previous post showed that OSX is not free of those either. There are not more Mac viruses simply because they have not been made, no other reason.

No matter how secure the OS is, web traffic, including login details and active session cookies can be pulled from wireless data. This would include Macs and IPhones.

macdaddy: In my experience the only reason people develop on Macs is because they have no other choice (IPhone dev). If fact,I would say Dev tools are the area that MS has the largest lead over Mac.

Cynthia Neff also appears on the locally-produced Charlottesville politics interview program Politics Matters with host Jan Paynter: http://bit.ly/polmatters. The interview can be found in the Program Library.