Best way to handle identity theft incident?

Question

A user's email is hacked, contacts copied, and similar emails (look alike emails with minor spelling differences) are created by the attacker with the same name and avatar, sending relatively well crafted and highly targeted emails to his contacts, mostly of the type "this is an emergency, send me some money now".

This happened to a friend months ago. He was able to retake his email, however the attacker is still very active. In one incident, the attacker was very close to convince my friends' bank account manager to transfer a hefty amount of money to a Western Union account in Thailand! The account manager called my friend because the money transfer details were missing one little information, and that is how it was stopped.

What's the best way to handle such a case?

Here's what I have and what I tried:

1. Calling Yahoo to block impersonating emails - after a 25 minutes international call, they said they cannot help (?)
2. The bank account manager email has a Western Union address, with name, address, and phone all in Thailand. What's the proper way of reporting this? does it help to do so?
3. I have text-dump of the email headers -- I'm not an expert but wouldn't that include the attacker's IP? assuming this is correct, should I attempt to report this IP? to whom?
4. In some of the emails, the attacker instructs recipients to go to a phishing website where they are asked to login using their email credentials. The website is hosted on free web hosting service 3gb.com

I can share all details (WU details, email dumps, website) in a paste bin if it is acceptable per SSE policy. The fraudster have been a major pain. Any suggestions are welcome.

Answer 1

The best advice I can give you is to contact a lawyer or law enforcement agency in your country to seek advice. The laws regarding such matters vary from country to country so it is best to contact a professional in your country.

Legally and practically speaking, there isn't much you can actually do to stop the fraudster, especially if he is located in a country not known for their computer laws. You might consider changing your email address to something totally different and cannot be confused with, and inform all your friends/contacts about the possibility of them receiving a scam email.

Answer 2

First, protect yourself.

1. Download an anti-virus scanner and scan your hard drive. Download Malware Bytes and use it scan your hard drive. Fix any malware found.

2. Change your email password at Yahoo. Change the security questions. Set up two-factor authentication, if Yahoo supports it (if not, you might consider switching to an email provider who does). If you have a backup email address, do the same with that one. Change your passwords on other major services, too, just in case. Change your Facebook password, if you use Facebook. Change your password.

3. Call your bank and ask them to put a fraud alert on your account. I've done this with my bank (tell them you've been a victim of attempted identity theft, if you want), and they were happy to do it. At my bank, this meant that I had to set up a 4-digit PIN with them and any time I call in by phone, I'm required to speak to an operator and send the PIN. They also have additional protections put in place for accounts that have been flagged this way.

4. If you have a business account for online banking, ooh boy, and start using more secure practices for it: log in with a LiveCD, etc. Ask a separate question if you want advice on how to do that.

Then, report the thief. It probably won't make a great deal of difference, but it might inconvenience him, and if everyone did it, maybe they'd be that much less likely to bother others.

1. Report this to your police department. They probably won't do anything, but you can ask for a police report, which might be useful in the future if you discover you've been a victim of identity theft due to this incident.

2. Contact Western Union and give them the account details and the attempted theft. Ask them to block the account. They have information about how to file a complaint online and more information about how to contact them about fraud.

3. Notify the free web hosting provider of the phishing site. 3gb.com doesn't seem to exist, but if it is my3gb.com, try emailing abuse@my3gb.com. You can report the phishing sites to a number of folks who operate phishing blacklists; this will help protect others from getting phishing. I have compiled a list of places where you can report phishing sites.

4. If you have the IP address, you can report it at blacklisting services suggested by @Rohan Durve - Decode141.

5. Look through the headers on the spoofed emails, to find what provider he is sending them through. Usually you can figure this out by looking at the Received: headers (usually the bottom-most, last one is the one that shows the original source of the email). Then, complain to the provider. Send a copy of the complete emails, including all headers, to the provider and complain -- they will often shut down the account. The address to send complaints to will vary by provider, but if it is not listed online, often abuse@theirdomain will work, or you can check the abuse.net database to find out contact info at that email provider.

Answer 3

As mentioned by Terry Chia, I'd strongly recommend,

You might consider changing your email address to something totally different and cannot be confused with, and inform all your friends/contacts about the possibility of them receiving a scam email.

If you live in the US, and if you can document that your loss is >= $5000, you can call the FBI and they will most likely take it on as a federal case.

Besides that, you can learn from the Wired journalist who famously got his whole digital life hacked. There is an update to his saga: Mat Honan: How I Resurrected My Digital Life After an Epic Hacking.