At the end of March, local business owner Linda W. Fitzgerald discovered that her website had been hacked and that scammers had stolen her company’s identity. This diary is based on a blog she posted as the fraud unfolded.
Days One & Two: I used to think that the phrase “cold sweat” was just an expression. But I was wrong, as I discovered yesterday when I sat at my desk, reading an email that a media buyer had forwarded to me. It was supposedly from someone who wanted to purchase advertising on her company’s website.
The cold sweat started when I read the signature at the bottom:
450 S. Main Street
Ann Arbor, Michigan
www. fitzgeraldcommunications. net
It was my company’s name. My company’s street address. And what looked like my website.
But my real web address ends in .com, not .net. We create ads but don’t buy space to place them. And no one named “Anna Miller” has ever worked here.
I clicked on the link in the email. The phony website was identical to my own. I’d been hijacked.
Within half an hour, my web developer, Wayne Eaker, tracked the phony site to a web host in Russia. Fifteen minutes more, and he had posted an alert on every page of my website, warning that “Anna’s” email was a scam. Now I just have to pray that whoever gets the email checks the website before they bite.
Day Three: “What fresh hell is this?”
That wonderful quote from Dorothy Parker runs through my mind as I dial the number for the FBI’s Detroit field office. They refer me to the Secret Service, who try to refer me back to the FBI. I end up making a report online at the Internet Crime Complaint Center (www.ic3.gov). And the Federal Trade Commission opens a file on my case after I enter a report on its website www.cybercrime.gov.
Over the years, I’ve started workdays in lots of different ways. But never have I started a day wondering how many people would be targeted by someone using my name to create little bits of hell.
Day Four: You meet the nicest people when you’re being hacked.
No, I’m not referring to those soulless sociopaths perpetrating the scam. All I know about them is that the domain name was purchased from a Chinese registrar, that they host their site in Russia, and that media buyers who have spoken to “Anna Miller” say she speaks with a Russian accent.
I’m talking about friends who have been abundantly kind and concerned. About colleagues and clients who have cut me slack on project deadlines while I try to understand what’s going on and warn potential victims. And about the media buyers who got “Anna Miller’s” email and took the trouble to make sure they were dealing with the real Fitzgerald Communications.
One of those buyers–Barb Rogers of Toronto-based Casale Media–sent me links to news stories explaining how the scam works.
If buyers respond to the phony emails, the hackers place “ads” on their websites. These look legitimate but secretly deliver “malware” that takes control of readers’ computers. Sites ranging from gizmodo.com to the New York Times have been victimized. The scammers are paid for every machine they infect.
Days Five & Six: “Your situation is excruciatingly common,” the Secret Service agent told me.
Because big companies tend to be well defended, he explained, foreign hackers are focusing on small to midsized firms–auto dealerships, independent restaurants, storefront retailers, marketing firms.
He asked if the hackers had defrauded me of any money.
No, I told him. They just stole my good name. And my ability to sleep at night.
Yes, of course, there’s that, he agreed.
But, he explained with weary patience, American law enforcement cannot prosecute attempts to defraud. It generally takes a “spectacularly large-scale” success–typically, one involving $500,000 or more–to even trigger a formal investigation. And the governments of Russia and China are completely uninterested in investigating, let alone prosecuting, their hackers’ activities.
But, he said, “if you keep frustrating them, if it’s clear their scam isn’t working, they’ll give up pretty quickly.”
You mean they’ll give up on me, I said. And move on to the next mark.
“That’s right. They’ll find someone else.”
I’d say that qualifies as cold comfort.
Day Seven: It’s Easter Sunday, and after the sunshine and cantatas and alleluias, the last thing I want is to pore over Google Analytics. But it’s one of the few windows I have on the scammers’ progress.
When I finally log on, I discover that someone in Karachi, Pakistan, spent more than twenty minutes on the legitimate Fitzgerald Communications site yesterday. As did someone in an unspecified location in India, and someone else in Moscow.
Why does all of this give me such a bad feeling?
Days Eight & Nine: Good news: there were less than a dozen out-of-state hits on the legitimate Fitzgerald Communications website yesterday. Most of them were from California, which I suppose makes sense, since the scammers are touting California Almonds as one of their major clients.
Day Ten: The Secret Service agent urged me to report the hack to my local police department. As I approach the AAPD reception desk in City Hall, the plainclothes cop on duty eyes my business-girl outfit, notebook, and hefty manila file.
“How can I help you?” His voice is as wary as his eyes.
I take a deep breath and begin my sad tale.
His pale eyes grow wide as he listens and shakes his head.
“Have you lost any money to these people? Have they stolen from you?”
No, I tell him, then reach for the same answer I gave the Secret Service agent days earlier: “What they’ve stolen is my name, my business, my identity, and quite possibly my professional reputation.” My voice shakes slightly.
He and I agree that the Secret Service might have been misguided in directing me to my local police station. As he points out, this really belongs in the realm of national security, cyber crimes division.
“Sorry,” he says, handing me back my ID. “But if there’s anything else we can do…”
Day Eleven: Just before I learned I’d been hacked, a media planner by the name of Matt left a phone message for me. It was so brief and so obscure I assumed it was a cold call and ignored it.
It wasn’t until yesterday, when I was playing back the messages that had accumulated over the past week and a half, that I stumbled on Matt again. And this time, of course, his words had a completely different meaning.
“Hi, Linda, just wanted to speak with you quickly before we get everything rolling. Give me a call at your convenience.”
Get everything rolling? As in–oh no–ad placements for the phony “Fitzgerald Communications”?
I called Matt immediately. Turns out he had been targeted in a similar scam last fall, so he’d been on high alert since then. This despite the fact that his firm actually got $10,000 in upfront money from the scammers. Hmmm…so it wasn’t quite the perfect fraud after all.
And, no, he hadn’t bitten. Matt was one who got away.
Epilogue: The panicky phone calls from media buyers have stopped. There are relatively few out-of-state hits on my website.
In a weird way, I suppose I should be grateful for my rough global education.
Life on the World Wide Web is not all sweet. Universal access to information is not necessarily free. It can cost you your identity and your reputation. Or at the very least, your time, energy, and money as you work to undo the damage.