Your Money or Your E-mail
If someone broke into your free Web mail account, reset your password and issued a $100 ransom demand, would you pay up? The answer might depend on how careless you've been with your passwords, and how many e-commerce sites you have registered to that address.
New York resident Jesse Sklar, 32, found himself in just that predicament. The first signs of trouble started on Monday, when he tried unsuccessfully to log into his Hotmail inbox. He registered that account nearly a decade ago, and no longer had access to his "backup" e-mail account, which was the one he provided as the place to send future requests to reset his password. "It also asked me for the answer to some security question that I picked like 10 years ago but can't remember now."
Then, this morning, all of the friends on his Hotmail contacts list -- even some he hadn't spoken to in years -- received an e-mail (apparently sent by him) with the simple question: "you want your email? yes or no?"
Annoyed, Sklar replied: "Yes, I want my e-mail. Who are you?"
"100 $ via paypal," was the only reply.
Sklar realized he was in trouble. He had used both his Hotmail address and password to register at multiple sites, including Amazon.com, iTunes.com, and Ticketmaster.com. Thinking quickly, he registered for a Gmail.com account, then logged into each of the e-commerce accounts and changed the e-mail address for each.
Sklar says he has no intention of paying the ransom, and that he just wants the account shut down. Microsoft's support Web site says users can accomplish this simply by not logging into their Hotmail accounts for 30 days, which automatically suspends the mailbox. But what about the extortionist?
"It's not like I'm after this guy, I really just want my Hotmail account shut down," Sklar said. "I don't plan on using it anymore, but who knows about this guy?"
I think there are a couple of important takeaways from this story. One, do not reuse your e-mail account's password at other sites, even non-commercial Web sites. If you do, and that random site's database gets hacked, there is a decent chance the attackers will try your credentials at the login page of the free Web mail provider named in your e-mail address. Also, if you choose to register at e-commerce sites with a free Webmail account, it might not be a bad idea to keep a master list of which sites you have registered to that account.
If you have trouble picking good passwords or remembering them, check out Password Safe, an excellent free software tool that "allows you to have a different password for all the different programs and Web sites that you deal with, without actually having to remember all those usernames and passwords."
Update, 5:04 p.m. ET: In a weird twist, it looks like the extortionist in this scam asked Sklar to send the donation via Paypalll.tk, a scam PayPal phishing site that currently resolves to "paypallll.ifrance.com". Neither the anti-phishing filter in Firefox nor the one in Internet Explorer 7 detects this as a phishing Web site. So it looks like the perpetrators of this scam are actually after more than $100.
Update, Sept. 25, 2007, 11:19 a.m. ET: Sklar e-mailed me yesterday to say that Microsoft had helped him reset his password and regain control of his Hotmail account.
September 20, 2007; 4:24 PM ET