How I Caught My First Hacker

An insight into how to deal with your email account being hacked. Keep your cool, try to play their game, and get an advantage in that game.

In 2006 while I was on the internet, I received a message on MSN Messenger from a friend, telling me to go to this Hotmail hosting site to see her holiday photos. The message coming from a friend, I did not think twice about it. Although I was aware of email scams and was quite IT literate, I foolishly clicked on the link. It looked like the Hotmail login page, so I entered my email and password.

What happened next was a real awakening. I got to an empty page, so I assumed there was something wrong with the site. I clicked on another (already open) tab where I had my Hotmail account, and when I clicked on the Inbox, the page turned to the login page. I tried to log in and I realised that my login details were not valid any more. I kept trying but to no avail.

While I was trying to log in, my flatmate from the next room shouted at me, saying “what is this stupid message you sent on MSN?”. Both being Greek, neither of us talked to the other in English. But the hacker did.

The hacker got my password from the phishing page, he changed my password and security question on email, and he logged in at MSN trying to fool other people in my Contact List the way he did with me. I was shocked. He was live and contacting all my friends.

I started talking to him through my flatmate’s Messenger, and it became clear that the guy was doing that for a living. He was hijacking accounts and was asking for money to give them back. You would think that a Hotmail account is a disposable account, and I can always make another, pretty similar to the one I lost. But it is not as simple as that. I was at the time looking for a new job, so I had given that email to numerous businesses and recruiters. Also, foolishly, I had kept in a folder emails of registrations to different websites, including PayPal and eBay. Luckily I thought about it fast and logged in to PayPal to change my password. The hacker tried a couple of minutes later, so he messaged me (at my flatmate’s Messenger) that “I was fast”.

My next fear was that of my friends. I was lucky I had kept a copy of my contacts, so I opened another Hotmail account and emailed everybody, warning them not to answer to my previous account. Unfortunately a couple of my friends got the message a bit too late.

The hacker started demanding $200 for releasing my account. So I decided I had to do something about it. I was a hostage to a stranger, my personal details and a lot of communication with businesses were in that account. I had to do something.

It occurred to me that my only way to deal with it was to start playing the hacker’s game, get his trust, and wait for him to make a mistake. To my surprise, this was the best thing I could have done.

I started talking to the guy. At the same time, a colleague of mine who received messages from him (but was already warned) chatted with him, and at the same time he was running Wireshark. For those who are not familiar with the name, Wireshark is a network protocol monitoring program. It is actually recording every packet of information that comes to, and leaves from a computer. It has the ability to detect where data is actually coming from. He determined that the hacker was in Turkey. More specifically he was in Antalya. Knowing this I started talking and negotiating.

A couple of days later, the hacker gave me a bank account to put the money in. As I continued to play his game, I told him that my bank requires his full name, an address of the branch the account was opened, and the name of the bank. To my surprise, the hacker sent that information to me. So I now knew his name, his bank account and his bank’s name. I also knew the city he was in at the time.

Now I had to plan for my next step. I contacted Interpol and Scotland Yard. I got replies from both, saying that I need to file a complaint with my local police authorities. After that, I tried to contact the bank in question and the Turkish police. The bank replied that they cannot comment, but they would investigate the account.

I continued playing the hacker’s game. He chatted with me with my new MSN account, and at some point he agreed to turn on the cameras and see each other. What I did, was to take snapshots of the screen. Now I knew his name, his bank, his account and had pictures of him. My revenge was going to be sweet, and simple. And it would only cost me £8 !!!!

I registered a .COM domain name, that was like www.ozanxxxxxxxxxx.com (I decided not to put the guy’s full name here, let’s say his first name Ozan!) and I made a page with his photos, bank account details. Then I sent him an email from an email account like ozan@ozanxxxxxxxxxx.com. The guy was shocked. It was his turn and I felt no remorse. He threatened he would hack my website, but by now I knew he could not. All he could do was send phishing messages. A couple of days later, after a lot of swearing and threatening, he decided to return my Hotmail account to me, and to one of my friends. I assumed control of my account and removed the webpage. However I kept the domain name on my hosting package for a year. Just in case!

The lessons I learned from my experience with this hacker, were simple, but I learned them well.

  1. Do not follow links from people you do not know. If the links come from people you do know, make sure they actually sent them to you.
  2. Do not give your login details to every site that asks for them.
  3. Do not keep sensitive information in your webmail account. Print any login info for other sites (e.g. PayPal) and keep it as a hard copy in your drawer.
  4. Keep a copy of your contacts at all times. In all the major webmail services (Hotmail, Yahoo Mail, Gmail, etc.) there is an EXPORT function in your address book. Take a backup regularly. If your account is hacked, you have the means to warn all your contacts as soon as possible.
  5. Change your passwords often.
  6. Always remember, if something looks dodgy … it probably is.

3 Comments For This Post

  1. michael Says:

    U are a legend!

  2. absence Says:

    Thank You very much :P Ur a real legend
