Thursday, January 16, 2014

Hacking Teen Sneaks and Questioning Google's Wisdom.

A few weeks ago, I started noticing weird messages in my inbox. First, there was a series of messages in French, which appeared to be coming from Facebook. I don't speak French, and didn't feel motivated to do anything about it at the time. I just assumed it was a phishing scam and ignored it. Then a few days ago, I started getting emails from meetme.com about admirers, and chat responses, and acceptances of friend requests... Something's up.

So I pop into Gmail on my computer. Up in the header of the message is a spot that says "to me" with a little down arrow next to it.



Clicking on the arrow brings up some additional detail.

Interesting, the name is not mine (I have redacted it, because I don't know the individual or his/her motives, so for now I will try to respect their privacy).


The email is almost identical to mine, with one small difference: mine has a '.' in it (instead of emailaddress@blah.com, mine is email.address@blah.com). (Okay, it isn't "blah.com", it's "gmail.com". I wonder how many other providers have the same issue, though...)

I found the following support doc from Google here:
The interesting bit is under the heading
"Your address is similar but has more or fewer dots(.) or different capitalization."
Below are a few relevant snippets...
---------------------------------------------
Sometimes you may receive a message sent to an address that looks like yours but has a different number or arrangement of periods. ...  don't worry: both of these addresses are yours.
Gmail doesn't recognize dots as characters within usernames. ... In short:
  • homerjsimpson@gmail.com = hom.er.j.sim.ps.on@gmail.com
  • homerjsimpson@gmail.com = HOMERJSIMPSON@gmail.com
  • homerjsimpson@gmail.com = Homer.J.Simpson@gmail.com
All these addresses belong to the same person.
----------------------------------------------------------------
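
The equivalence in the snippet above can be checked mechanically. The following Python is an added example (not part of the original post or of Google's documentation): it flags mail that reaches your mailbox through a dot variant of your Gmail address and groups it by sender domain. The sample messages, the `.example` sender domains, and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

GMAIL_DOMAINS = {"gmail.com"}  # the only provider the quoted doc covers


def canonical(addr):
    """Collapse a Gmail address as the doc describes: dots and case are ignored."""
    local, sep, domain = addr.strip().rpartition("@")
    domain = domain.lower()
    if sep and domain in GMAIL_DOMAINS:
        local = local.replace(".", "").lower()
    return f"{local}{sep}{domain}"


def variant_recipients(raw_message, my_address):
    """Recipient spellings that reach my mailbox but place the dots differently."""
    msg = message_from_string(raw_message)
    headers = []
    for name in ("To", "Cc", "Delivered-To"):
        headers += msg.get_all(name, [])
    hits = []
    for _display, addr in getaddresses(headers):
        same_mailbox = canonical(addr) == canonical(my_address)
        if same_mailbox and addr.lower() != my_address.lower() and addr not in hits:
            hits.append(addr)
    return hits


def triage(raw_messages, my_address):
    """Map sender domain -> dot variants it used, i.e. sign-ups to review."""
    report = {}
    for raw in raw_messages:
        variants = variant_recipients(raw, my_address)
        if variants:
            sender = parseaddr(message_from_string(raw).get("From", ""))[1]
            report.setdefault(sender.rpartition("@")[2].lower(), set()).update(variants)
    return report


# Constructed sample messages; senders and subjects are made up.
SAMPLE_MESSAGES = [
    "From: Social Site <notify@social.example>\nTo: emailaddress@gmail.com\nSubject: New admirer\n\nhi",
    "From: friend@mail.example\nTo: Email.Address@gmail.com\nSubject: lunch\n\nhi",
    'From: noreply@chat.example\nTo: "Someone Else" <e.mailaddress@gmail.com>\nSubject: Welcome\n\nhi',
    "From: news@list.example\nTo: other.person@gmail.com\nSubject: digest\n\nhi",
]

if __name__ == "__main__":
    for domain, variants in sorted(triage(SAMPLE_MESSAGES, "email.address@gmail.com").items()):
        print(domain, sorted(variants))
```

Capitalization-only differences are deliberately not flagged, since the dot placement is what distinguishes the spelling you hand out from the one a third party typed into a sign-up form.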

Okay, at first blush this sounds like a convenience: people can misspell your email address, and you will still get the email. How sweet of them.

In this case, a teenager (or two or...) is(/are) using this as a tool to create accounts on social sites, without tying a legitimate email address to it. For what purpose? To increase anonymity for nefarious purposes? To keep it hidden from their parents?

It appears to the service to be a legitimate email address, and if it had been a stale account (i.e. if I were not checking it once in a while), or if I had just continued to ignore those messages as spam, it mostly would have worked. (The Facebook account would probably have died; I think after a while Facebook prevents you from seeing your page unless you respond to an acknowledgement email. Though I can think of at least one way to get around that as well.)

At any rate, Google really should have stopped to consider the potential abuse inherent in their email address helper. I wonder how many such fraudulent accounts are out there? And what all are they being used for? Some poor schmoe who hasn't used his email account for a few years could suddenly find himself getting busted for child-porn trafficking or terrorist activities (he might not be checking his email, but the NSA is). I'm thinking Google should probably reconsider this feature.

So now, what am I to do about this? Technically it is identity theft; they are using my email identity for their social activities. But since there is no money involved, I don't see any enforcement agency getting involved. I pursued a scam letter which specifically was a financial fraud not too long ago; I contacted the FBI, the Postal Service (it was a snail mail scam), the police, and the two banks which were listed. Nobody would give me the time of day.

Well, since I have the email account associated with them, I went to the sites, and activated their forgot password service, which sent me an email allowing me to reset the password. They are out, I am in. I poked around a bit, trying to identify "friends" who might be "In Real Life" (IRL) friends, and messaged them, to see if they are in fact friends. My goal with that is to determine if the person does in fact exist, and is in fact who they say they are. There are cases of people building fake profiles for various nefarious purposes. If it is fake I will report it, if it isn't... I may report it anyway.

But I have learned a couple of interesting things from this excursion.
First, I found a phone number of a 16-year-old girl. She sent it to the doofus that created this account - he asked her for it in a chat, and she responded. What if I had been a pedophile or serial killer? Just a thought, but perhaps teens should be a bit more careful with their phone #'s. Just because you know someone doesn't mean they aren't a doofus.

I also discovered a selfie of a 14-year-old (in her "about me" section), or 15-year-old (in her profile, directly above the "about me"), posing provocatively on a bed in her bra, with a poster on her main page saying "If you laugh at this I get to have Sex with you!". I won't quote the first conversation on the page, as it might get my blog banned.

Just a suggestion... but parents... might want to become more involved in their kids' lives. It might be a good idea to make sure the computer is out in the open, and it might be worthwhile to reconsider the decision to allow a young child to have a personal smartphone.

