Last week I was home taking care of a few random work issues after dinner. I was wrapping up, and, as I usually do before I go to bed, logged into my hotmail account to clean up the daily deluge of email (I use my hotmail account primarily for non-work related mailing lists, so I get 20 or so messages a day that I pretty much delete without looking at).
Anyway, when I logged on, I had about 90 unread messages. About 2 seconds later, I saw that nearly all of them were from a popular online auction site, and I was being informed of auction status, inquiries from buyers, and even “auction ended” emails. Knowing that I haven’t logged on to any auction sites in nearly six months, I suspected something fishy (how could I not). I carefully logged on to the site (carefully == making sure I wasn’t redirected), and sure enough, my account was hosting a plethora of auctions for Mont Blanc pens and Shure SM58* microphones. I quickly changed my password, then not-so-quickly shut down all of the running auctions (not-so-quickly because it is impossible to end more than one auction at once). I then sent email to everyone who paid for something explaining what happened. Surprisingly, everyone was pretty good spirited about it.
I then (this is all in the space of about 30 minutes) sent email to the web site's security team describing the incident. They replied about five days later pretty much telling me just what I told them.
I’m still not certain how Mr. Zhang (see below) got my password, but I can eliminate phishing for two reasons: 1) I never click on links in email, and 2) I hadn’t logged on in 6 months even using the regular site. Other than conspiracy stories about inside jobs, that pretty much leaves password guessing. My password for the site was slightly strong by definition (capital and lower case including numbers), but definitely guessable (side note #1: I opened my account at this site in 1999 and never changed it – I don’t use passwords this weak anymore; side note #2: to be safe, I changed my password at my PayPal site and I was dumbfounded to discover that PayPal doesn’t allow spaces in passwords – haven’t they heard of pass phrases?)
Having a lot of interest in security, I thought I’d try to figure out what happened. The first thing I did was look at the auctions. They listed an email address (not mine), and also the note of where the PayPal payment had gone to. I logged out of Hotmail, and tried logging in under the email address listed on the auction using my old auction site password…success. Unfortunately, there were only a few emails either asking questions about the auction or “instant purchase” notifications. There wasn’t much else I could do (other than change the language from Chinese to English, but that didn’t really help me at all). I went to passport.com, logged on, and saw that a Mr. Li Zhang (no idea if it’s a real name) had established the account that morning. Just in case, I changed Mr. Zhang’s password to something “appropriate” and moved on to PayPal.
Unfortunately LZ wasn’t dumb enough to use my password on his PayPal account as well, so I tried 20 or 30 made up passwords. As I expected, I didn’t get access to his account, but what concerns me is that PayPal doesn’t seem to mind repeated attempts to access an account. I figured the least I could do would be to lock him out of his account, but I couldn’t do it. I tried clicking the link to have the password sent, but it obviously went to another address.
Everything is back to normal with my accounts and email, but it did take several hours out of my time last week to put everything in order. I did hear back from one of the buyers though – and they were actually sent something (why LZ bothered, I don’t know). Apparently, the buyers received a very good knockoff of what they ordered – close enough that they would probably even get away with it with non-educated buyers. I guess the scam is that they go after accounts with good feedback scores that have been inactive for a long period of time.
* If you’re going to buy a vocal microphone, do yourself a favor and splurge the extra 30 bucks to get a Shure Beta 58A. It’s twice as good a microphone for a nominal amount more (ymmv).