Real Life Internet Evil
Our purpose with this series is to use real life examples of deception, fraud and other evil to show how you can better protect yourself. The examples cited in these articles are intended to demonstrate best practices and recommendations.
I've been with my web host for over a year now. The host (addr.com) has provided extremely good service, high speed access and reasonable stability - all for a very good monthly fee. On those occasions where I had to contact their customer service department, I was very happy with the results.
Thus I was surprised to find an email in my inbox with some distressing news. The email began with the following lines.
We are emailing to alert you to an MSNBC article:
"Hacker claims theft of 46,000 ADDR.com client records"
This was followed by a reference to the MSNBC article. I checked the referenced article and yes, it appeared that my host's database was stolen by a hacker. According to the report, the information stolen included passwords and credit card numbers.
A brief overview of the article: "A computer criminal claims to have stolen personal information on 46,000 customers from Web hosting company ADDR.com. The data includes account names and passwords that could be used to alter Web site content, as well as credit card information."
ADDR has chosen not to alert clients about this threat to their credit card details and has refused to make any public comment on the matter.
The email finished with a curious note (spelling errors and all).
We are an indpendent web host, unrelated to ADDR, and would like to offer you an alternative to your current hosting. All our client details are kept 100% secure, and encrypted. We are making a special offer of waiving all setup fees (normally $50) for clients moving from ADDR over the next week. You can get all the features of your ADDR account, plus many more, for just $6.95/month.
This is a very curious way to run a business - spread rumors about the competition in an effort to get you to switch to their service. I was not happy with these tactics, but decided to take the reports seriously.
What I did was simple - I contacted my credit card company and reported the card I used for my web site as stolen. This caused a new card to be issued to me and completely protected me from any evildoers. I followed this with a visit to my web site, where I quickly changed the password. Total time spent so far: less than ten minutes.
Now that I was protected, I called addr.com's customer support line and received the same excellent service that I've gotten all along. The representative assured me that they were aware of the problem and offered additional information. I was very happy with their response to my questions and their handling of the whole affair.
Okay, needless to say I did not switch to the other provider. Why not? Well, first of all, databases get hacked occasionally. That happens in the real world and the way to handle it is to do exactly what I did - report the card as stolen, make sure your passwords are changed and get the real information from the source (not some third party with an agenda to get me to switch to their service). No need to panic.
A couple of days later I received a notice from addr.com with the real information. This was a very, very interesting email.
As you already know, a hacker may have obtained information about some of our customers, in spite of our extensive state of the art security and encryption of all data. We have had security experts reviewing the alleged hacking and have been working closely with the FBI, and with Visa and Master Card in connection with this matter. According to the information gathered during this investigation, the only records that could have been attained are an old back-up of part of our customer database, which is over a few months old. If you haven't already done so, you may wish to contact your credit card company personally. ADDR.com is committed to continuing to provide our customers with the highest quality, most secure web hosting possible and we intend to pursue the maintenance of our security to the fullest extent possible, in spite of an industry in which hacking is becoming more and more prevalent.
In addition, if you received an email from ExpertHosting.com, please accept our apologies and disregard the email. ExpertHosting.com is a fictitious company that spams all major web hosting companies in an effort to obtain the credit card numbers of their customers. ExpertHosting has been issued a cease and desist order from our lawyers and should they attempt to contact any more of our customers, further legal action against them will take place.
I did not expect that information - wow. This was very interesting and it is useful to stop for a minute and think about the implications.
Assuming the allegation is true, this is a hacker technique known as social engineering. The idea is to gain your trust to get you to give up some information - in this case, credit card numbers. The email sounds official and cites an article by a well-known news site. The link to the hosting company does indeed bring up a real site which looks very official and resembles in every way a valid hosting company.
Now, I rejected the offer to move to a new host because I do not like this manner of doing business. I had no idea that this was a scam - I just believe that it is entirely unethical to take advantage of a competitor's misfortune in this manner. To make an analogy, if you own a grocery store and the store across the street is on fire, you don't put up a sign saying, hey, your store is better because it's not on fire.
I would never do business with any organization which acted in this manner. At this point, it does not matter to me whether the report that ExpertHosting is allegedly fictitious is true or not - their method of doing business is, in my humble opinion, unethical.
What else can we learn from this?
- You never know the true source of an email message that you receive. Just because an email says it is from "Joe" does not mean it is from "Joe". This same lesson can be applied to anonymous callers and visits from the gas company meter readers - make sure the person you are communicating with has the appropriate credentials.
- Just because a web site looks official and "feels" like it's real does not mean it is real. Any good webmaster can quickly put up a fake site which looks very good.
- Don't depend upon the URL to tell you the site is valid. URLs can be hijacked (hmmm, I feel another article coming on) or just made to look valid. For example, someone could conceivably purchase "aolsupport.com" and set up a fake support site for AOL. The fact that the URL includes the letters AOL does not make it a real AOL support site.
- Don't ever use your debit card for web purchases. When a fraudulent purchase is made to a credit card, you are fighting with the bank's money. With a debit card, you are fighting with your money.
- Use a credit card with a small dollar limit to make web purchases. I like to use one with a $250 credit limit. At the end of the month, I either pay it off or transfer the balance manually to another card. This limits my maximum exposure at any one time to $250. Better yet, if the card number is stolen, the criminal cannot get to my larger credit limits on other cards.
- Use the web search sites to help you make decisions. In this case, a quick search on Google for "experthosting" reported several documents warning about possible scams. Nothing concrete, just enough to ring some alarm bells.
- Keep your site secure by changing the passwords occasionally, using difficult passwords and not using the same usernames and passwords on all of your accounts all over the internet.
- Always keep a good backup of your site. If the host really was hacked and your site was destroyed or modified, you can recover if you have a backup. If not, well, next time you will know better.
Finally, don't panic and make quick decisions based upon incomplete data. Spend a few minutes to think through what's going on and come up with a rational handling. In this scenario, the credit card numbers were stolen several days or weeks before - a few extra minutes or hours to think through the decision will not materially increase the risk.
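The URL lesson above can be written as a check: a brand name appearing somewhere in an address proves nothing, and only the domain the hostname actually ends in counts. This is an added example, not part of the original article; the allowlist, the sample URLs and the function names are constructed for illustration.

```python
# Added example: the allowlist and sample URLs are constructed, not from the article.
from urllib.parse import urlsplit

# Assumption: the domains each brand really operates (illustrative allowlist).
OFFICIAL_DOMAINS = {"aol": {"aol.com"}}


def hostname_of(url):
    """Return the lower-cased hostname of a URL, or "" if it cannot be parsed."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare "host/path" as a network location
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # e.g. a malformed IPv6 literal
        return ""
    return host.rstrip(".").lower()


def is_under(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(url, brand):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a URL."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if any(is_under(host, d) for d in OFFICIAL_DOMAINS[brand]):
        return "official"
    # The brand appears somewhere (host, userinfo or path) but the host does
    # not belong to the brand: the pattern the article warns about.
    if brand in url.lower():
        return "lookalike"
    return "unrelated"


SAMPLES = [  # constructed inputs
    "https://help.aol.com/articles",          # real subdomain of aol.com
    "http://aolsupport.com/login",            # brand glued into another domain
    "notaol.com",                             # ends in "aol.com" but not ".aol.com"
    "http://aol.com.support-desk.example/",   # brand domain used as a subdomain label
    "http://aol.com@198.51.100.7/",           # "aol.com" is only the userinfo part
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample, 'aol'):10} {sample}")
```

The comparison is made on whole labels (`.aol.com`), which is why `notaol.com` and `aol.com.support-desk.example` are rejected even though both contain the string `aol.com`.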
Themestream Comments
Great advice in here. I had 2 experiences with false charges on internet so far - both times they bought domain names, both times, charges were taken off. - Valerie Smith
Richard, Valuable information here. Thanks much. Your articles are informative, interesting and well written. I'm starting to depend on you for all my web tips. I guess that makes you my web guru. :-) - Amanda Wilkes Roa