I was phoned by our PR manager, Funda, to help out with a PR opportunity with Channel 4 News, one of the 3 big national UK broadcasters. A lady living near Birmingham in the English midlands had been caught up in a scam related to her hacked Yahoo account. I was invited to come along to her house where the television crew would interview the lady about her experiences, and me, for the Trend Micro expert view.
So, I turned up at an immaculate house in an affluent village close to Birmingham, to meet the film crew and Debbie (I’ve changed the lady’s name), the victim of the scam.
Channel 4 News had previously televised an article about Yahoo email hacking, where some attackers had used automated password cracking tools to compromise many Yahoo Mail accounts, including my own mother’s, and then sent spam to the users’ contacts. This was Debbie’s first problem, but what happened afterwards was what Channel 4 thought was newsworthy.
Her Yahoo mail had been compromised
Debbie didn’t know what to do when she realised her Yahoo mail had been compromised. She was getting lots of strange replies: automated ones from expired email accounts, and surprised responses from friends and family asking “Why are you sending me this stuff?”
So Debbie did what many of us would do when faced with a problem to which we didn’t know the answer: she did a Google search for “Yahoo Email Hack Support.” Debbie found a reputable-looking firm, with a UK telephone number and domain name, and gave them a call.
A more expensive problem
Debbie’s more expensive problem began with this call. Her call was routed to a call centre somewhere outside of the UK, and the person she spoke to managed to scare her enough about what had happened to her computer that she parted with over £200. The man on the other end of her line asked for her email address and, with this information only, was able to assure her that yes, her email account was vulnerable and her PC had been compromised.
The support company managed to hard-sell Debbie a 4-year support contract, when all she wanted was some help with her email. For her £200 she was supplied a (free-of-charge) antivirus program and advised to run this to clean her machine. No one asked her if she already had security software installed on her machine, which she did. So Debbie ran the AV, found nothing, and became more than a little disgruntled, then contacted Channel 4 News.
This is a scam
I used Trend Micro Housecall and could find no evidence of any malware installed on her machine. Katie, the reporter, wasn’t convinced that she could justifiably call this a scam. She argued that the support company could reasonably say that £200 for 4 years’ PC support was acceptable, never mind that that wasn’t what Debbie was hoping to purchase when she went looking for help.
So, while being filmed, Katie rang the support company and told them that she thought that her email account had been hacked. The same routine ensued: the operative asked for Katie’s email address, and with no further detail was able to pronounce Katie’s account hacked. Katie turned to me and asked if they could tell this from the information she had given them. Feeling a little under pressure with the camera pointing at me, I said no, that I couldn’t think of any way that they could possibly determine this with only your email address. Katie hung up, saying she would think about their offer, and I thought, great, we’ve proved this is a scam.
They continued the interview with me asking what Debbie should have done in the first place, so I mentioned:
- First of all, a strong password is important to stop your account being compromised in the first place. Find a phrase and use the first letter of each word in the phrase to create your password.
- If you do think your account has been hacked use the genuine, in this case Yahoo, website and follow their procedures for securing your account.
- Or phone the support team at your security software provider, such as Trend Micro, where you’ll get helpful advice to put things straight.
In the end, the piece was never broadcast. What Katie did, by phoning the support company, amounted to secret filming, which required legal approval before the event, so the article couldn’t be shown. For me it was an insight into how these dreadful companies exploit vulnerable computer users to make a quick buck. I don’t think Debbie will ever get her money back, but at least sharing our experiences here may help other computer users avoid this trap.
I work for Trend Micro and the opinions expressed here are my own.