But just as I was rolling into the pre-op room in the hospital with Brooke, a few hours from going under the knife and changing into my sweet gown, she gets a text from one of our friends.
"Your email has been hacked."
Immediately, every thought about the surgery went out the window. All of those hours of worrying anxiously about ankle reconstruction disappeared. Here I am, a computer scientist, and my wife might have a virus. She uses an Apple MacBook!
Right then, a nurse comes into the room to measure my vitals. This measurement includes my blood pressure. Needless to say, it was high. Not because I was in pain. Not because I was nervous. I was worried that all of our money was gone.
Just after I got out of surgery, Brooke found an Internet connection and changed her email password. She had about a million emails from people telling her she had a problem.
When we got home two days later, I did some investigating. Well, I call it investigating. But given the massive amounts of pain pills I'm taking, maybe others wouldn't call it that. We also changed just about every online account password we know.
Someone on March 1st had logged into her email account and sent the following spam message to almost everyone in her contact list (I didn't get one):
Subject: I have a surprise for youDo not click on that link unless you know what you're doing. The domain name registrar is a company in China called Xin Net Technology Corporation. Apparently, they're known for spam.
How are you ?I am pleasant to tell you that I just found a good online
store engage in famous brand handbags.They are all in top
quality,affordable price,and elegant appearance.I think they are
wonderful articles,maybe you will have the same thoughts after you go
May you have a happy shopping journey there~!
The IP address of the person that logged into her account on March 1st is 184.108.40.206. The host is still up. A traceroute to the IP address stops working after about 16 hops. But the last hop to report back is pc86.zz.ha.cn. The hop just before that is hn.kd.smx.adsl. There's this pretty awesome website that reports on "offensive" IP addresses. Here's one for hn.kd.smx.adsl.
The website from the spam email is pretty ridiculous. They're posing as a store front to steal credit card information. Most updated browsers will immediately report to the user that it is a fraudulent website.
We're not absolutely sure how Brooke's email account was hijacked. I haven't had a chance yet to look at her MacBook, but I don't think she has a virus. I suspect that the applications she uses for school might be the problem, i.e. Blackboard. One of them had her log into her email without using encryption.
I was going to check OpenDNS.org for any odd queries made while we were away, but I forgot that I keep my wireless network open for anyone to use. There were some ridiculous queries in there that have made me reconsider keeping it open.
Right now, I think only her email account was compromised. And as I get off of the pain medications, I'll continue to take a look at this. To my computer scientist friends, please feel free to investigate on your own. If you need any other info, just let me know.