I wasn’t going to write this piece. However, I saw this tweet on Tuesday:
Hearing more and more about individuals involved in cryptocurrency having indications of cyberattacks directed at them multiples times/year.
Numbers ported out, spoofed SMS, targeted phishing emails, coordinated/timed events.
— Jackie 🤦🏽♀️ (@find_evil) July 10, 2018
I just became one of those people. Here’s how I was cyberattacked.
This past Thursday night. I started getting a series of emails.
First it was from Google. A Gmail account I use for a site that I run had a login. At 10:13 p.m., “Your Google Account was just signed in to from a new Motorola Moto E (4) device. You’re getting this email to make sure it was you,” the email said. It certainly wasn’t me.
Then my Yahoo account was hit. Though I worked for them for a couple of years (employees had a different domain than @yahoo.com), I don’t think I logged into it for months.
“Your Yahoo account [username]@yahoo.com was just used to sign in to Yahoo using your mobile number on file. If you did this, you’re all set. If not, please use this link to review your mobile number on file,” said an email at 10:16 p.m.
There was a login from Independence, Kansas. I’ve never been to Kansas.
At 10:18 p.m., my dormant Gmail account was attacked, also from a Motorola Moto E (4). Four minutes later, that account was logged into again.
At 10:28 p.m., Microsoft emailed me to say that someone changed the password on my account. To this day, I don’t recall having a Microsoft account.
My cell phone number was the security info that was used, according to the email. That number is fairly public. It rarely rings, except due to robocallers. And when I receive those, I do various voices, make up stories, and jerk around the scammer at the other end of the line. The way I look at it, you used to have to go out of your way to make phony phone calls. Now phony phone calls call you.
Anyway, there were a few other clues, according to the email:
Country/region: United States
IP address: 18.104.22.168
That IP address is in Dallas, TX, according to IPLocation.net. I’ve never been to Dallas, either.
A minute later, the hacker(s) setup a Microsoft OneDrive account. My assumption is they were using it take my files. I recently went into that account. It’s empty.
Within a few seconds, I got an email from that dormant Gmail account. “hi,” it simply read. Was a hacker testing the email or taunting me?
The first non-email/storage account I got an email from was Coinbase. “You recently requested to reset your Coinbase account password,” I was told at 10:32 p.m.
Unfortunately for the person who thought they’d get rich, that account has a total of $0.18 in it.
Three minutes later, my Twitter account was taken from a Windows computer using Chrome, allegedly in Dallas, Texas. I have (or, rather, had) a verified account. I bet it worth a lot more to someone trying to spread fake news about crypto.
At 10:40 p.m., the hacker changed my Coinbase password. A minute later, Unroll.Me emailed to say they’ve been mysteriously unrolled from my account.
Three minutes after that, Dropbox dropped a line to tell me, “Your Dropbox account password was recently reset.”
I had a Dropbox account?
At 10:48 p.m., Twitter emailed me again, “If you requested a password reset for @[username], click the button below. If you didn’t make this request, ignore this email.”
This was followed up a minute later by something particularly brutal: My personal domain was taken over at GoDaddy. As I later found out, someone called them and impersonated me. They then changed my DNS information. That means they may have sent and received emails from my account (such as, say, requests to change passwords elsewhere).
Five minutes later, another email from Dropbox said my password was changed again.
It was now 11:07 p.m., nearly an hour after the hacker(s) first started going after me. I received another email from Twitter:
“To confirm this new email for @[username], follow the link sent to ye****@3********.****. If you did not make this change, please contact Twitter Support immediately.”
A minute later, another “hi” from the Gmail account.
All this happened when I was asleep. When I got up at 4:30 a.m. the next morning, I found myself having to run through all these emails and change back my passwords.
At some point, I realized my texts weren’t working, either. Nor were my calls. I have no idea how that happened.
I also had to call GoDaddy to get into my account. I then saw the hell and havoc they committed to my DNS information. I should have screenshot it. Luckily, as GoDaddy told me later, that info was saved. The call made by the hackers was recorded. Who knows if anything will come of it? After I fixed my DNS info, my texts started coming in again.
Twitter has yet to return my account to me. They don’t have a customer service number. They aren’t the most responsive company. Responsibility just isn’t their bag. Google also won’t give me back my dormant account. Requests go unanswered.
Given that the hacker(s) went after my Coinbase account almost immediately after breaking in, it appears these were crypto thieves.
Maybe they should have read the disclaimer at the bottom of each of my articles to find out I don’t own any. Sadly for other people who may have been targeted, that may not be the case.