HACKED!

So when Robin suddenly started getting prompted to enter her Apple ID password on her phone, and her password was not working, my first thought was that there was a problem at Apple. They had just redone the Apple ID page on Friday, so I figured it was related.

We soon realized it was not. When we had trouble finding the password reset email from Apple, I did some digging and found some new filters added to Robin's Gmail account.

[Screenshot: the extra filters added to Robin's Gmail account]

So that's why we could not find the email from Apple. Email from Apple, Nordstrom, and Costco was being forwarded to root@startconfig.com and then deleted.

So first things first. Change the Gmail password, then enable two-factor authentication on her account. Next, delete the filters added by Robin's attackers.
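The forward-and-delete filters are the part of this compromise that is easy to miss and easy to check for mechanically. The script below is an added example, not something from the original post or any Google tool: it audits a list of Gmail filters in the shape the Gmail API returns from users.settings.filters.list and flags any filter that forwards mail to an address the owner does not control or sends matching mail straight to Trash. The filter ids, the owner's addresses and the forwarding address root@forwarding-target.example are constructed for the example; the real attacker address in this incident is the one named above.

```python
"""Audit Gmail filters for the forward-and-delete pattern used in this compromise.

Added example. The JSON below is a constructed sample in the shape of the Gmail API
"users.settings.filters.list" response; ids and addresses are made up.
"""
import json

SAMPLE_FILTERS_JSON = """
{
  "filter": [
    {
      "id": "FILTER-EXAMPLE-1",
      "criteria": {"from": "noreply@nordstrom.com"},
      "action": {"forward": "root@forwarding-target.example",
                 "addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX"]}
    },
    {
      "id": "FILTER-EXAMPLE-2",
      "criteria": {"from": "no_reply@email.apple.com"},
      "action": {"forward": "root@forwarding-target.example",
                 "addLabelIds": ["TRASH"]}
    },
    {
      "id": "FILTER-EXAMPLE-3",
      "criteria": {"from": "newsletter@example.com"},
      "action": {"addLabelIds": ["Label_17"], "removeLabelIds": ["INBOX"]}
    },
    {
      "id": "FILTER-EXAMPLE-4",
      "criteria": {"to": "robin@example.com"},
      "action": {"forward": "robin@example.org"}
    }
  ]
}
"""

# Assumed: every address the account owner legitimately forwards to.
OWNER_ADDRESSES = {"robin@example.com", "robin@example.org"}


def load_filters(json_text):
    """Parse a filters.list response and return the list of filter resources."""
    return json.loads(json_text).get("filter", [])


def describe_criteria(criteria):
    """Render the match criteria compactly, e.g. 'from=noreply@nordstrom.com'."""
    return ", ".join(f"{key}={value}" for key, value in sorted(criteria.items())) or "(all mail)"


def audit_filters(filters, owner_addresses):
    """Return (filter_id, criteria_text, reasons) for each filter that exfiltrates or hides mail.

    A filter is reported when it forwards to an address outside owner_addresses or
    moves matching mail to Trash. Skipping the Inbox alone (normal for newsletters)
    is not reported by itself but is listed as an extra reason on flagged filters.
    """
    owner = {addr.lower() for addr in owner_addresses}
    findings = []
    for flt in filters:
        action = flt.get("action", {})
        forward = (action.get("forward") or "").lower()
        exfiltrates = bool(forward) and forward not in owner
        deletes = "TRASH" in action.get("addLabelIds", [])
        hides = "INBOX" in action.get("removeLabelIds", [])
        if not (exfiltrates or deletes):
            continue
        reasons = []
        if exfiltrates:
            reasons.append(f"forwards to {forward}")
        if deletes:
            reasons.append("sends matching mail to Trash")
        if hides:
            reasons.append("skips the Inbox")
        findings.append((flt.get("id"), describe_criteria(flt.get("criteria", {})), reasons))
    return findings


def main():
    findings = audit_filters(load_filters(SAMPLE_FILTERS_JSON), OWNER_ADDRESSES)
    for filter_id, criteria_text, reasons in findings:
        print(f"SUSPICIOUS filter {filter_id} [{criteria_text}]: " + "; ".join(reasons))
    if not findings:
        print("No forwarding or auto-delete filters found.")


if __name__ == "__main__":
    main()
```

Against the constructed sample this reports the two filters that forward to the outside address and trash the originals, and stays quiet about the newsletter filter and the forward to the owner's own alias. To run it against a real account you would replace SAMPLE_FILTERS_JSON with the response from the Gmail API's users.settings.filters.list call for the signed-in user; the same check is worth repeating on the account's Forwarding and POP/IMAP settings, which the script does not cover.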

Looking at the login history for Google, there were a couple of strange logins…

[Screenshot: Google account login history]

It seems that Robin has been traveling a lot these last couple of hours, and using Chrome and Firefox (she does not)… Tumwater is kind of close to home.

Now on to those accounts, first Nordstrom. Yep, several payment methods added to our account, all of them stolen cards. Over $1,000 in purchases (perfume) sent to different addresses around the US. A quick call to Nordstrom and it's taken care of. Note: one of the packages was being delivered to Robin at our address.

Head over to Costco. Yep, same thing: payment methods added for cards that are not ours, orders sent to multiple delivery addresses, one of them the same name and address as the Nordstrom order.

On to Apple.com… One Gen 4 Apple TV to be delivered to Robin at our address on a new payment method, a card that was not ours.

So it was a tense couple of hours as I tracked this stuff down and gave Robin a quick education in two-factor authentication.

Two things worried me. Why have some of these items delivered to our home? And when Robin signed onto her Costco account it worked, which meant they had not changed her password.

So it turns out that Robin has the same password for both Costco and her email. She assures me that these are the only accounts using that password.

So the good news is I stopped them dead in their tracks. All their orders have been cancelled and they no longer have access to Robin's mail.

However, two packages were slated to be delivered to our door, and there is that Tumwater address… Good thing we have a camera on the front porch. I just might work from home for a couple of days this week…

Oh, and a quick phone call to godaddy.com, where the domain startconfig.com is parked, to let them know it's been misbehaving.


4 Responses to HACKED!

  1. Jeff says:

    Update… we could not stop the Apple shipment in time. It's still coming to our front door. They may be aware of this or not… so I will be here when the shipment arrives. Should I place a box of rocks on the porch for when they do? Anyone have a dye-pack?

  2. brock says:

    nice work jeff

  3. Jeff says:

    We talked to Apple.com on Sunday and they are trying to stop the shipment in transit. It's really bugging me that two packages were being delivered to our door. Were they a misguided "thank you gift" for them gaining access to the accounts? Was that Tumwater access someone who was going to track the packages and pick them up at our door? Sigh…

  4. Jeff says:

    I just received an email from another victim, only this time they forwarded/deleted "all of his email" to root@startconfig.com.
