Hacked, Sort of … Maybe … IDK
Shelly Palmer
Professor of Advanced Media in Residence at S.I. Newhouse School of Public Communications at Syracuse University
On June 17, 2015 circa 11:48am ET I received a very nice voicemail:
“Hi, this is Tim from Google AdWords. It looks like you have set up a new account … We typically set up like a 30-minute consultation to talk about the account, make sure you have your goals … etc.”
Awesome! Except I didn’t set up a new Google AdWords account.
At 2:46pm ET the very same day a robot, calling itself Ariel, left a voicemail offering the same free consultation. (BTW, robocalls suck! If this article were not about getting hacked, I’d be ranting about robocalls!)
A normal person would probably have called Google back immediately, but I was traveling abroad, so I shot a quick note to the staffer I thought might have set it up and asked what it was for. After several “I don’t see any new AdWords accounts” and “Are you sure one of the summer interns didn’t do it?” and “Well, if you didn’t do it, who did?” conversations, and after checking all of our billing accounts, we just let it go. Clearly Google was mistaken – we didn’t have anything new or unusual running and no one on our staff would have used my credentials to open a new Google AdWords account. Or so we thought.
Fast-forward to July 10, 2015. I got an email from Google AdWords to my private email account thanking me for my payment.
Payment? What payment? This is my personal, private email account; it’s not tied to Google AdWords or anything else for that matter. Had I been hacked?
I didn’t recognize the Google AdWords account number or billing ID and I was very confused about how this email address could be associated with a business transaction.
Before I go on with the story, I want to commend Google for (1) having a phone number to call and (2) having knowledgeable customer service representatives who are capable of thinking for themselves. I spent 20 minutes on the phone with a remarkably patient, thoughtful gentleman at Google who answered both hard questions and, in my case, some pretty stupid ones. Whatever they pay him, it’s not enough!
It turns out that someone set up a new Google AdWords account using a woman’s name and address from East Stroudsburg, PA, a nonworking internal phone number from some random company, an American Express card ending in 1008 and my email address.
I’m not sure how this was accomplished or what was accomplished. Only my email information was used. Not my address, not my phone number, not my credit card (or was it?). Did they have my email password? I logged in with no effort, and clearly they did too – but to what end?
The “hacker” set up Ad Group #1 with this ad.
The improperly worded ad links to a totally obscure website ranked 14,983,965th on Alexa. There is no obvious benefit here.
The Plot Thickens
Google’s customer service confirmed that an American Express card ending in 1008 was charged as the email indicated. We also confirmed that Google had suspended the AdWords campaign for noncompliance (although he would not tell me exactly why). He also confirmed that only one charge was made and it was for $24.86. He also confirmed that if it really wasn’t me (which he assumed was true, but someone on the fraud team would have to review and confirm), I would be entitled to a refund. All good … maybe?
American Express
My next call was to Amex to ask about a card ending in 1008. That’s not a last four digits I recognized, but I just wanted to understand what happened. Perhaps this was an old card number or an expired or replaced card that was still being honored on my current account?
It took Amex Platinum customer service about three seconds to assure me that there were no charges from Google, flag my account and assure me that (as suspected) a card ending in 1008 was not associated with my account in any way and I was not to worry about it.
So What Happened?
Did someone hack me? Hack Google? Hack that woman in Pennsylvania? Hack the person whose Amex card ends in 1008?
I changed my password (which is all I could do), and I’m waiting for the Google team to explain this to me. Clearly Google ran a few ads from a fraudulent account, but who was hacked? Was this a test to see if a certain vulnerability at Google could be exploited? Is this a precursor to a big money attack? Is it just a mischievous kid flexing his nascent hacker muscles? Is it the Chinese Government getting ready to crush Google?
Unless I received the email from Google confirming a payment I didn’t make for an account I didn’t open, I never would have known about any of this. To tell you the truth, I still don’t know what happened – do you?
About Shelly Palmer
Named one of LinkedIn’s Top 10 Voices in Technology, Shelly Palmer is CEO of The Palmer Group, a strategic advisory, technology solutions and business development practice focused at the nexus of media and marketing with a special emphasis on machine learning and data-driven decision-making. He is Fox 5 New York's on-air tech and digital media expert, writes a weekly column for AdAge, and is a regular commentator on CNBC and CNN. Follow @shellypalmer or visit shellypalmer.com or subscribe to our daily email https://ow.ly/WsHcb
Going out there
9 年Melody Kromer, Anonymous OS X isn't even legitimate and was never actually even conceived of by Anonymous. Anyone who is even foolish enough to install that operation system gives away everything from their files, password, activity, everything to hackers that are in actuality completely separate from Anonymous. I don't recall which group it was that took credit for the operating system off the top of my head, but anonymous OS X is actually entirely useless for anyone and everyone. It's only purpose is to solely to steal information. They even went out of their way to be far too redundant and overly cautious with that operation system as well. Caused it to have problems. Point is, anonymous OS X isn't hacking you. It couldn't. Secondly, the skills of the hackers of anonymous far exceed that used in this OS, it's clearly a ploy to use Anonymous' reputation to a separate group's advantage. And last but not least, if what you're saying is true you are merely being targeted. Not only, but played with.
Senior IT Recruiter at Kaiser Permanente
9 年My LinkedIn account getting hacked again and again from anonymous OS X :(
Promise software... I know.
Ultra High Performance Resilient Data Privacy Security and Infrastructure Architect
9 年The real question is how can an account be created with a fraudulent email and wrong? With a validated Credit card and still have a campaign go through, even though no earlier validation communications with his email account regarding the original creation? Either the validator has a flaw in the code logic or (unthinkable), internally someone created this and created a back door for someone to skim minor amounts of money that most would overlook? I believe that Google is 100% safeguarding their product (code) to avoid hackers and doing self reviews daily as we all do as we improve our code and ourselves. As for the no call back, the employee should have kept his word as it tarnishes the integrity of their staff if they fail to return the call. Thank you for sharing.
Owner, we're tops screenprinting/sports southwest
9 年It's a mess in the clouds. Thanks