No Apple Account yet they steal my money

[leon]

Hi Guys,

I do not have an Apple or Itunes account however i have been billed and money taken out of my account, for some thing, I have never heard of and then they say if this is not from you go to some site and change your password.

I don't have a password as i don't have an account

I is called Fortnite 6000 (+1,500) V Bucks.

We have a special account in which we deposit the bare essentials if we need to purchase something on line.

So how dose this happen and what is my be solution.

Leon

[brisen (Brian)]

Hi Leon

I assume you have received an email with the request to change passwords? Don’t click the links as this is likely to drop malicious code onto the computer. Contact the bank and let them know your account has been debited without your authority. They will investigate and generally return the funds once this is found to be fraudulent.

Brian

[Wavytone]

Leon it’s fake.

[leon]

Thought it may have been a fake, I have contacted the bank and they have dealt with the card and issued a new one, with in about a week.

Brian I did actually click that link as i thought it may help me resolve the issue, and it said exactly what you explained about passwords.

I did delete the email and did a virus scan, all seems OK so far, so do you think all will be OK now, or is there something else that I should do

Thanks for your response.

Leon

[Dennis]

Hi Leon

I occasionally receive e-mails from so-called banks, stores and financial institutions that I have never dealt with and because I have never interacted with them, I just drag them into my Spam folder without even looking at them in the Reading Pane – I just see the Subject Line in the Header.

I understand that if the e-mail also contains some type of active content, such as logos or images, when you view the e-mail body text in the Reading Pane it may indicate that you have viewed the content, so I never view these in the Reading Pane.

Basically, these ratbags have somehow harvested your e-mail address and just send these fake e-mails out, hoping that someone will bite.

Sometimes, when a certain bona fide bill is due and I receive an authentic e-mail invoice, or when I have actually made an on-line purchase from a reputable supplier, by sheer coincidence a scam e-mail may arrive, and sometimes the social engineering and content appear quite authentic, forcing me to pause and think quite clearly to identify it as a scam. If in doubt - take your time and establish the facts, think it through and don't click anything if you are in a rush.

Generally, if an e-mail threatens you with e.g. cutting off a service and doesn’t have other data such as your real name, then I would treat it as highly suspicious.

Cheers

Dennis

[leon]

Thanks Dennis i will be more careful in the future, all seems OK though, I usually never fall for this stuff and here we are

Leon

[sil (Steve)]

Leon, at this point only you can answer this question and don't answer here for everyone to know. But if you entered any sort of password at all into this wepage, maybe you entered your "usual" password just in case you'd forgotten this site or whatever reason then EVERYWHERE you have ever used that password you need to get changed. the scams are about data collection ultimately, they have little interest in attacking YOU but with traffic logs and things like advertising data collections which are easily purchased they can link your IP address in various logs to start putting together bits of information needed to impersonate someone.

So first step is the social engineering part where they try to panic you and then offer hope and a "safe" way to check, once you click that link you go to a website that looks legit but isn't... your ip address has been collected now the webpage asks you to "confirm" information by answering questions, things like name, username, date of birth, password, whatever. these are all data points now tied to your ip address they've now gathered from you whether you submitted the form or not, they will use javascript in the background that sends every keyboard input back to a server somewhere without you knowing. They may have purchased a marketing database from amazon or google which contains ip addresses and other personal info like credit card details but not passwords but now they can link what you've just given them to what they have from another source and suddenly they quickly have your name, address, phone, credit card details, online username and password etc, everything a growing identity thief needs basically to ruin your life for their own profit.

theres more to it and other methods too but gathering little pieces of information by whatever means and putting them together is the aim, rarely this is done by someone who will use it, more often they compile a complete database of people and sell this on at $X per identity to a criminal enterprise to use in various ways. because its all electronic when things go wrong you might find it impossible to prove you are YOU when someone else can prove it just as effectively.

So anything you typed especially passwords need to be changed. people are creatures of habit and use the same password everywhere because its easy and its usually a regular word, not a random character string including upper and lowercase letters, numbers and symbols too. plus they almost never change them until damage is done.


Fact: online scams, email scams, phone scams are all negated if you take notes on paper, NEVER go to a web address, NEVER click any link in an unfamiliar email (hell, just never from anyone really). You could try to be proactive and seem interested and get their contact details and say you need 30min to go check something before getting back to them. The get online, go to a reputable search engine like Bing or Google, search for the corprate entity the person claimed to be from, for example Commonwealth Bank regarding your account (many people have accounts with them so a guess in this direction will reach many people who the "issue" could plausibly apply. This panic and confusion gives them to control your next steps. But instead contact the entity yourself through publically available contact avenues and ask them if there's a problem with your account and tell them you were just contacted by someone etc... some places may put you through to an investigator to get any information they can from you on the person contacting you so they can help build their own database of scammers that feeds into criminal investigation units that do pursue them and help instigate measures to block them.

Bottom line, ANY business you interact with has an easily found set of ways to contact them from their website, so go find their webisite yourself (dont trust addresses or links given to you) and enquire for yourself. Some banks actively track your spnding habits too and will freeze your account if suddenly odd activity is noticed (like daily withdrawls of maximum limit on account etc) and will send you a letter in the mail for you to contact them to sort it out. its an inconvenience all round these scams and banks are happy to help you because it costs them too.

Scams can come for anywhere really. usually its a complete stranger though via email, social media, phone, etc. It may be a laughably implausible story they spin but its done in bulk to millions around the world at a time. a small enough percentage get suckered in to take the first step involving giving them information or control and the story progresses while they get more from you. Victims often feel ashamed when they realise and rarely speak up about it. Always though, if in doubt you can find the claimed business and contact them yourself through publically obtainable channels. And confirm the alleged emergency for yourself. Even if its real like they were trying to reach you for late fees or something you wont get into trouble for taking a safe method to contact them.

Yes people do suck and some go to extraordinary lengths for apperently little gain. And people also happily give up their own security on the flimsiest of pretexts and even pay for it, thats how 9/11 worked. security and cybersecurity in particular is not in the governments interests to encourage the public to know much about beyond the media spin they control. if you look into the recent history of encryption which is essential in online financial transactions but for private citizens to use could get you thrown in gaol and electronic devices were required to have government known backdoors to get around encryption. this world exceeded the vision of 1984 a long time ago.

those "fun" watercooler office email games that go around like "take you first pets name and your mothers maiden name and you have your porn star name", you've also just given out the answers to two common security questions without thinking about it.

sorry Leon if you got taken in by someone, you're not the first and wont be the last. its often your own fault for not contacting the organisation yourself to see if its all for real or not. the scammers meanwhile learn better ways to lie and what stories work best in various countries and demographics.

you may notice NONE of the above has anything to do with computer viruses etc. No antivirus software will protect you from your own gullibility.

[leon]

Thanks Steve just to keep it short, I clicked and looked but offered nothing and then deleted the whole thing.

The bank was notified immediately and the card has been cancelled and a new one with a different number has been issued, not that it has been activated as yet.

Many thanks for your detailed response.

Leon

[sil (Steve)]

Quote:

Originally Posted by leon

I clicked...

thats the root cause there. Most people are not away that a hyperlink is not JUST a hyperlink and doesn't just do one thing like to to a webpage. Embedded in the emails can be a scripting language that activates on a mouseclick inside the email where its active. so looking is not just looking.
by displaying the email in the first place you have to be logged into a computer and a piece of software etc. All of which required your permission so you've logged in somewhere along the way and most people's account on their home computers are essentially and administrator level account so you can do anything like install or remove programs or whatever you want right? with me here? the way computer permissions work is by inheriting from the top down so when you log onto your computer the mouse and keyboard control software and drivers have inherited your admin level permisions otherwise every mouseclick or keyboard stroke they would ask you to login in again. The window UAC system many find intrusive is a compromise barrier to help protect people from their own idiocy of "knowing better", which they just dont.

In plain english, buy just viewing an email its already inherited a number of permissions to do various things which can include scripting languages (nothing to do with viruses) that can make working with emails nicer and easier but provides cracks for exploits to be run. by then clicking on the link, any link, you've just given implied concent and addition permission priveledges to the email and its scripting. This scripting may not even do much itself but typical attack vectors are because its now been given enough permission to talk to the internet, read and write to your hard drive it may do something like download a tiny installer quickly while it has internet access and you may see a pop up saying you need to run this security patch. This is just a message box that can say anything at all and an ok button, but what it usually is is a piece of code maybe powershell that will create a somewhat hidden user account with the same admin level of permissions as you have since you can do that as an admin. so it gives you a message of bs with a button, pressingthe button is an action requiring permission to execute the code so in effect you as an admin have just told given permission to a bot of code to elevant its permissions and/or create an account with the same level of access as you yourself. this means it can now go and download larger programs in the background since it no longer needs your permission, is has same access as you do so requires no interaction from you anymore. It can add things to run at startup like a keystroke logger and can look for files on your drives and network and send them off in the background. As well as now installing other forms of viruses and malware. Your internet security software isn't much help because from a technical level a bit of code asked your permission to do something which you granted (unknowingly) so it thinks all is well until this initial bit of code starts running something malicious thats known. so they use a bunch of things and if virus scanners kill those it doesn't effect the original item and how these things can sit dormant on a machine for a long time.

So not just for Leon but for everyone. This advice is always given but never followed by people. But its there for your own protection and you as computer users are a bunch of useless idiots. Seriously. Offended? Tough you should be and take note to stop continuing to be one. Its like people who drink and drive, sure in practice you may make the 1km drive home each weekend but run over one person and its not bad luck, its entirely your fault for continuing to do the wrong thing all the time, knowingly. Argue your case all you want, still the attack victim is you not me. Computer and Network Security has always been a part of my life both working and personal. Call me a Grey Hat if you want but I get paid for this stuff and end users are certainly idiots and can only give advice on what to do to protect yourself. Its NOT a debate. Every person's computers including my own are under constant attack and it only take one smart ass to think they know better and click that link just to look to start the avalanch. And because it doesn't become apparent at the moment doesn't mean it hasn't started. When I say they can do absolutely anything you need to fully comprehend that, its not just simple obvious things, but damn complex and obtuse things. Just because think something isn't worth someones effort to attempt you can be certain at least a dozen ARE doing it.
you'll do whatever you want regardless so good luck with that, genuinely trying to help here so not going to baby you all, the truth hurts but its still the truth.