Now it’s getting personal. A criminal trying to turn stolen personal data into cash has apparently seized on a new, low-tech method — direct threats. A California teacher who had her identity stolen in early December managed to foil most of the bank account transfers attempted by the thief. So the criminal turned to personal extortion instead, saying he would leave her alone if she paid $400. When she ignored the demand, the threats escalated: “I’m very angry,” he wrote. “Now, you have one big trouble - me! I’ll hack all your passwords, all your accounts! I’ll spend all your money!”
“Do you think I know nothing about you?” the criminal went on in the rambling note. “Ha-ha! I know your address and now you can’t be sure I’m watching for you.”
The thief had already seized control of her PayPal and BidPay accounts. He broke into her Yahoo e-mail account, too, and even had rifled through her recent transactions at Amazon.com, and all her auction activity at eBay.com. The teacher used the similar passwords for all her accounts, so once the criminal managed to crack one account, he cracked them all.
With not-so-veiled threat, he told her to “send my best regards” to her family members, which he listed by name. “P.S. How is the weather in California.”
It all started Dec. 8 when the teacher — who asked that her name be withheld for this story — received an e-mail from PayPal confirming transmission of $65 to pay for a stun gun won in an auction.
“I was pretty sure my kids wouldn’t do that, I don’t allow guns in the house,” she said. “I got this feeling in my stomach.”
That Sunday night, Dec. 8., she scrambled to freeze her online payment accounts, assuming someone might be trying to steal her money at PayPal and BidPay.
Two days later, she got an e-mail from a jewel dealer saying he had rejected a $691 payment for a diamond ring. The jeweler was clever enough to spot the transaction as suspicious.
But the normal e-mail notification for the purchase never arrived from PayPal — or more accurately, the teacher never saw it — because the criminal was now carefully deleting all suspicious e-mail from her Yahoo account. He also deleted notice of a $200 PayPal payment sent to someone in Montreal, Canada.
Soon after, a $390 transfer was initiated from the teacher’s BidPay account, allegedly for a tiny baby rattle. BidPay automatically rejected that payment, and the teacher’s quick action stopped the others, leaving the criminal with nothing to show for his work.
That’s when he turned to threats.
“Why do I write this letter? Hmmm.... I tried to transfer 300 USD, you know it now. The reason is I have problems now. And hacking is the only thing I know. ... I want to ask you to transfer me 400 USD. I don’t think that’s a big sum of money for you (as I see you buy something in Internet practically every day). For example, my parents get about 200 USD each a month. For America it’s very small. .. If you send me this money, I’ll tell you how did I get your passwords. This way, you won’t be hacked any more!!! I’ll give you lots of advices to protect yourself from hackers.”
The woman ignored the first letter, which raised the ire of her stalker.
“I’m angry. You won’t to talk to me!!! Why? ... You did not a clever thing! Now, better get out of Internet or I’ll catch you and hack.”
At this point, the victim had managed to secure her PayPal account and changed all her passwords, so against the advice of her children, she wrote back to her stalker.
“I’m a 53 year old fat lady who teaches 2nd grade. Did you notice that I mostly buy dishes and small trinkets like old doll parts. I buy fat lady clothes on eBay,” she said. “If your picture of adventure is old fat grandmas, then you should be very happy this week.”
He has yet to respond, and the victim is hopeful the hacker has moved on to other things.
But the incident concerns online auction consumer advocate Rosalinda Baldwin, who sees it as an escalation of the kinds of tactics hackers might use to turn computer crime into cash.
“This one hit me in the gut .... He really did have enough information about her to make some chilling comments,” said Baldwin, who runs TheAuctionGuild.com. “The part that really gave me heebie jeebies all was that personal information he had, and that he was dropping those little hints, like how’s the weather in California. He’s saying you’re totally vulnerable, I can come get you again.”
Jayne Hitchcock, president of the Working to Halt Online Abuse organization, said it’s highly usual for a complete stranger to make these kinds of threats. They more commonly come from someone who at one time had a relationship with the victim — and thus, easy access to information like account passwords.
But extortion threats, which until now were normally reserved for hackers trying to wring money out of companies that had suffered security lapses, raise the stakes quite a bit for the criminal, Baldwin says.
“Once you connect with somebody directly, once you ask them to send you money, that really increases law enforcement’s ability to set up some kind of a sting operation,” she said. “It could be the criminal was too stupid to be afraid ... or feels they know law enforcement so well and thinks they wouldn’t get involved, so they weren’t afraid.”
Both Baldwin and Hitchcock urged anyone who feels threatened online to contact law enforcement and file a report. The victim initially told MSNBC.com she probably wouldn’t bother because her case was small and law enforcement officers are “too busy to care.”
But Hitchcock said most states now have cyberstalking laws in place, and law enforcement officials are much more likely to act on reports of physical or emotional threats than run-of-the-mill Internet auction crime reports. And Baldwin said filing reports is always important, even if there’s no instant action by police.
“Maybe these agencies are not going act on this one case but what if it’s the 50th or 5,000th? We’re not in a position to know that. So I always tell people report it.”
Aberration or new trend?
But the big question for Baldwin is whether or not the teacher’s case is an aberration, or represents a new method computer criminals are using the profit from criminal computer activity.
“This might be something only this kid thought of, maybe he reads too many mystery novels,” she said. “But if one person is thinking of it how many more are? And if one person who did it and he’s rank amateur, what happens when people who are not amateurs try it?”
Meanwhile, the teacher is still out about $1,000 — PayPal funds connected to the three fraudulent transactions. PayPal normally freezes accounts while it investigates incidents of fraud. While she expects that money to be returned after some paperwork is finished, cleaning up her ID theft issues will take considerably longer. She is already getting angry e-mails from sellers who are asking why she stopped payment on auctions she allegedly won. Some items she had shipped for Christmas didn’t arrive on time because she had to stop payment and cancel various credit cards.
And she’s now wondering how she’ll continue buying and selling online.
“I’m certainly not going to give these Web sites my credit card any more,” she said.