Am I A Victim? – Reverse Social Engineering (Not Necessarily the IT Security Definition, But Close)

About a year or two ago, someone used my Gmail address to sign up for Facebook.

My GMail address had been my go-to spam email. (since I got my Google phone, it’s become my primary email and my domain email has fallen by the wayside. I still use it, but only for official/important emails).

I never wanted Facebook, or any other social media anything back then. When I got the confirmation email, I ignored it. I first thought it was nothing more than spam. Then I kept getting emails for friends requests and messages on Facebook. I decided to see if I could log in and delete the account. I know I didn’t have the password, but the “forgot password” option sent me the link (or password, I can’t remember anymore) to my Gmail and I was able to gain access to the account.

I logged in and started deleting all the info off the page. It offered to “import your friends from Gmail” and I was curious. So I clicked it. And O.M.G! I found friends I hadn’t had contact with in 20 years. I found friends from my high school. And they remembered me! WOW!

So, that’s how I got my Facebook account. And that was the last I heard about someone using my email address.

Or so I thought.

It started back up again about 9 months ago. I now have a Pandora account. I have a bunch of service accounts, online gaming accounts, and accounts for children’s education as well as gaming accounts. All of which I’ve changed the password to.

I started off deleting the accounts, but the person would re-sign up with MY email address over again. So, to stop that, I just kept the account, changed the password on it, and left it alone. Eventually, they will delete it. Hopefully, she’s re-registered with her PROPER email address.

I wonder, how many times does it take for someone to realize they are using the WRONG email address and to be more careful? Really. How long?

When I first got hired into IT Security field, I dealt with this thing called PKI, Public Key Infrastructure. It’s a neat little tool that places authentication and encryption on your email based off something called PGP (Pretty Good Privacy). No need to go into the details of it as most of you would be bored to tears. 🙂

At that time, it was only a pilot program. Now, it’s required for all military and government emails. So, when I got into this PKI program, I learned of an awesome website called ThinkGeek. They operated out of a small closet back then. But I got my “I READ YOUR EMAIL” T-shirt from them back in 2000 (they don’t sell it anymore, but other places do).

That T-shirt is so appropriate now.

So, now I have all these accounts, with my email address tied to them. Spam is at an all time high. Even Gmail’s spam filter can’t capture them all. It’s annoying and frustrating to say the least. I have to take time out of my life to go “fix” all these accounts so I don’t continue to deal with even more unwanted email that I DIDN’T SIGN UP FOR!

Last month became even more troublesome. There were continued emails from Microsoft Account Team. At first, I thought it was a phishing scam. I searched everywhere for something about it. Nothing.

It happened once or twice in two weeks. No big deal. But then, I kept getting them back to back, over and over again. I started to freak out about this time, because I just read a couple of articles on Kotaku about people hacking xBox Live accounts and selling them on the internet.

I’ve had 2-step security on my Gmail account ever since I noticed someone attempting to log into my Gmail account from another country….I’ve never lived in. This 2-step verification is relatively new for Microsoft but I’ve had it implemented for some time now.

I logged into http://account.live.com and the links were legitimate. I’ve been changing my Live password each time I got these emails. But they still kept coming.

I tested the 2-step verification process myself. When I went to the “Billing” menu, that’s when I would get the 2-step email verification. So, either someone has access to my account, regardless how many times I change my password, or someone set up their Live account with the wrong email address. My guess is the latter.

So friggin’ frustrating!!! This could very easily be considered cyber harassment.  Not in the sense of bullying. But the fact that I continually get emails like this, have to change the passwords, contact the service to have them stop sending me emails, change my password, all takes time away from what I need or want, to do.

So, now that I THINK I have this under control….for now…I get an email the other day, setting up yet another account for a service I don’t want. But this time, the account verification email sent me her full name, username, and password.

I went to change the password on this account, like I always do, and when I logged in, I found out her work email, mailing address, and phone number. I’m like WHOA! In the wrong hands, this could be absolutely dangerous. Identity theft, stalking, even death. You just don’t know what people will do with personal information like this.

Because I work in the IT Security field, I am naturally paranoid. I’m not worried so much for me, as I am for the person who’s too stupid to remember their own email address! If left un-addressed, what will I get next? What other information is she carelessly throwing around to other strangers out there? I shudder to think of the possibilities. 

I’m not mean. I’m not manipulative. I’m not a bad person. But I could ooooh soooo be one with this information.

I dubbed this “Reverse Social Engineering” because it is personal information freely given to someone else, but I didn’t ask for it. However, this is not the proper definition of Reverse Social Engineering. Symantec defines it as “when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around.”

This is hardly the case here. But it is appropriate. Like I said, it’s information, given freely, to an unsuspecting stranger–Me. But lucky for her, I’m not malicious.

Now I’m going back and forth with myself. Do I contact her? Or do I leave it alone? If I contact her, will she take it the wrong way? Will I be in the wrong? Would I be considered the stalker? The harasser? The cyberbully?

The use of a wrong email address is not a legal issue. Having someone else’s personal information is not illegal. It’s how you use it. I’ve been trying to locate any information of someone else having this type of problem, information regarding how to stop this, how to safely contact the individual to inform/educate her. I’m torn. I want to help her, but fear the reprisal if she takes it the wrong way.

What do I do? What would you do?