So when Robin suddenly started getting prompted to enter her Apple ID password on her phone, and her password was not working, my first thought was there was a problem at Apple. They just re-did the Apple ID page on Friday. So I figured it was related.
We soon realized it was not. When we had trouble finding the password reset email from Apple – I did some digging and found some new filters added to Robin’s Gmail account.
So that’s why we could not find the email from Apple. Emails from Apple, Nordstrom, and Costco were being forwarded to firstname.lastname@example.org and then deleted.
So first things first. Change the Gmail password, then enable two-factor authentication on her account. Next, delete the filters added by Robin’s attackers.
Looking at the login history for Google: a couple of strange logins…
Seems that Robin has been traveling a lot these last couple of hours, and using Chrome and Firefox (she does not) … Tumwater is kind of close to home.
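The two checks the post walks through (filters that forward mail to an outside address and then delete it, and sign-ins from browsers and places the owner never uses) can be scripted. The block below is an added example, not code from the original post: the filter records only mimic the shape of the Gmail API filter resource (a `criteria` object, an `action` object with `forward`, `addLabelIds` and `removeLabelIds`, where deletion is the `TRASH` label), and the sign-in records, the owner domain `example.com`, the known-browser list and every timestamp and city other than Tumwater are constructed sample values.

```python
"""Audit mail filters and sign-in history for the mailbox-hijack pattern
described in the post: forward-and-delete filters plus unfamiliar sign-ins.

Added example, not the original post's code. Filter records mirror the shape
of the Gmail API filter resource; all sample data below is constructed.
"""
from datetime import datetime, timedelta

OWNER_DOMAINS = {"example.com"}   # assumption: domains the owner legitimately forwards to
KNOWN_BROWSERS = {"Safari"}       # assumption: the only browser the owner actually uses

# Constructed sample filters (shape mirrors Gmail API users.settings.filters).
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "apple.com"},
     "action": {"forward": "firstname.lastname@example.org", "addLabelIds": ["TRASH"]}},
    {"id": "f2", "criteria": {"from": "nordstrom.com"},
     "action": {"forward": "firstname.lastname@example.org", "addLabelIds": ["TRASH"]}},
    # Benign: just files newsletters under a label.
    {"id": "f3", "criteria": {"from": "newsletter@shop.example"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
    # Benign: forwards to an address on the owner's own domain.
    {"id": "f4", "criteria": {"to": "robin@example.com"},
     "action": {"forward": "robin-backup@example.com"}},
]

# Constructed sample sign-in events (ISO timestamps, browser, city).
SAMPLE_SIGNINS = [
    {"when": "2016-03-07T09:12:00", "browser": "Safari", "city": "Home city (constructed)"},
    {"when": "2016-03-07T13:40:00", "browser": "Chrome", "city": "Tumwater"},
    {"when": "2016-03-07T14:05:00", "browser": "Firefox", "city": "Other city (constructed)"},
]


def forward_domain(address):
    """Domain part of a forwarding address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def classify_filter(flt):
    """Return the reasons a filter looks like hijack tooling (empty list = benign)."""
    action = flt.get("action", {})
    reasons = []
    fwd = action.get("forward")
    if fwd and forward_domain(fwd) not in OWNER_DOMAINS:
        reasons.append(f"forwards to external address {fwd}")
    if "TRASH" in action.get("addLabelIds", []):
        reasons.append("deletes the message (TRASH label)")
    # Forwarding while also pulling the mail out of the inbox hides it from the owner.
    if fwd and "INBOX" in action.get("removeLabelIds", []):
        reasons.append("hides forwarded mail from the inbox")
    return reasons


def suspicious_filters(filters):
    """(filter id, reasons) for every filter that trips at least one check.
    These are the filters to delete once the password is changed."""
    return [(f["id"], classify_filter(f)) for f in filters if classify_filter(f)]


def unfamiliar_signins(events, known_browsers=KNOWN_BROWSERS):
    """Sign-ins from a browser the owner does not use."""
    return [e for e in events if e["browser"] not in known_browsers]


def impossible_travel(events, window=timedelta(hours=3)):
    """Consecutive sign-ins from different cities closer together than `window`."""
    evs = sorted(events, key=lambda e: e["when"])
    hits = []
    for a, b in zip(evs, evs[1:]):
        ta = datetime.fromisoformat(a["when"])
        tb = datetime.fromisoformat(b["when"])
        if a["city"] != b["city"] and tb - ta < window:
            hits.append((a["city"], b["city"]))
    return hits


if __name__ == "__main__":
    for fid, reasons in suspicious_filters(SAMPLE_FILTERS):
        print(f"filter {fid}: " + "; ".join(reasons))
    for e in unfamiliar_signins(SAMPLE_SIGNINS):
        print(f"unfamiliar browser {e['browser']} from {e['city']} at {e['when']}")
    for a, b in impossible_travel(SAMPLE_SIGNINS):
        print(f"implausible travel: {a} -> {b}")
```

Run against the constructed data it flags the two forward-and-delete filters (f1 and f2) while leaving the label-only and same-domain filters alone, lists the Chrome and Firefox sign-ins, and pairs the Tumwater sign-in with the one 25 minutes later from another city. With real data the filter list would come from the account's filter settings export and the events from the account's security activity page; the only tuning knobs are the owner's own domains and the browsers she actually uses.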
Now on to those accounts, first Nordstrom. Yep, several payment methods added to our account – all of them stolen cards. Over $1,000 in purchases (perfume) sent to different addresses around the US. Quick call to Nordstrom and it’s taken care of. Note: one of the packages was being delivered to Robin at our address.
Head over to Costco. Yep, same thing: added payment methods for cards that are not ours, orders sent to multiple delivery addresses – one of them the same name and address as the Nordstrom order.
On to Apple.com … One Gen 4 Apple TV to be delivered to Robin at our address on a new payment method – a card that was not ours.
So it was a tense couple of hours as I tracked this stuff down and gave Robin a quick education in two-factor authentication.
So, two things that worried me: why have some of these items delivered to our home? And when Robin signed onto her Costco account it worked, which meant they had not changed her password.
So it turns out that Robin has the same password for both Costco and her email. She assures me that these are the only accounts using that password.
So the good news is I stopped them dead in their tracks. All their orders have been cancelled and they no longer have access to Robin’s mail.
However, two packages were slated to be delivered to our door, and there is that Tumwater address… Good thing we have a camera on the front porch. I just might work from home for a couple of days this week…
Oh, and a quick phone call to godaddy.com, where the domain startconfig.com is parked, to let them know it’s been misbehaving.