Webmail Security GeoIP
I received a call from my uncle Bruce 2 days ago – after saying hello I was greeted with a friendly yet frantic “I’m in big trouble Brad, my computer has been hacked!”. After getting most of the details of what happened and realising that it was quite unlikely any bank details or other highly confidential details were compromised, I arranged to leave work early and see what we could do.
While I spend a considerable amount of my time at work making sure our website is secure, I had yet to personally experience the wrath of an online scammer. I was intrigued to say the least. Once I arrived we scoped out the problem – one of my uncle’s email accounts had been compromised when he was inadvertently tricked into giving away his password. After reviewing the situation it was quite a simple mistake to make, as they had impersonated his email provider in a similar nature to previous contact he had regarding setting up his BlackBerry.
It was quite interesting to see how the scammers work. They seemed to have a limited interest in trying to get money out of my uncle directly; they were more interested in trying to impersonate him. By using a line similar to: “I’m stuck in Africa at an art fair with no money, please can you send me £500 so I can get back” they actually managed to get about 3-4 responses from friends offering to help. I’m fairly sure they will also sell his entire contact list to spammers for a reasonable fee.
After trying some common techniques for re-enabling access to his account we hit a wall. The scammers had changed all the details required to change the account, such as the alternate email address and secret question. Luckily for Bruce he had his email account linked to his BlackBerry. This was the key we needed: by sending a password reset email back to the same address we were able to forward the email to another temporary email address and then follow the usual password reset steps. I say we used a temporary email as there was a chance that this wasn’t going to work, hence we didn’t want the scammer to be aware of another email address, should he check the sent items.
During the password reset process we were asked to provide country information. The scammer would have been asked the same question and it would appear that this is checked against a geo-ip database, hence they were forced to put in a reasonable location of Senegal. They may have been in a surrounding country and were exploiting the errors in the geo-ip database, however the general region seems correct based on the information provided when asking for money.
So this makes me ask the question – why can’t I lock my email account such that it is only accessible from certain regions? Banks have this feature for credit cards, and even if they do get a bit overzealous sometimes and block my card while I’m on holiday it is still a good system. It is my opinion that the leading webmail providers should include an option so that any access from unauthorised regions is blocked – or at least prevented from making system changes.
For example in my case I would like to restrict access to Europe, North America, Australasia and possibly the Middle East. Perhaps additionally I could state that changes to my account may only be done from the UK and Australia. Should I urgently need to make a change there are family and friends that I could call to make the change on my behalf, or simply use a VPN to gain access via a local ISP.
I would also like to be clear that this would be on a per account basis. I would not like to suggest that we block key internet services from developing countries, as that would surely result in even more hardship for the honest citizens of these regions. The system would not be perfect due to the limitations of GeoIP, however it would have most likely protected my uncle seeing as the hacker came in from Africa, a place he has not visited in many years.
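The per-account policy sketched above, as an added example that is not code from the original post or from any webmail provider: a small GeoIP lookup over a constructed prefix table (not a real database), a country-to-region map, and an authorisation check that allows ordinary mail access from a set of regions but permits account changes only from listed countries. An address the table does not cover is treated as outside every region, so the check fails closed rather than trusting incomplete GeoIP data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed GeoIP table for illustration only (RFC 5737 documentation
# prefixes); a real deployment would query a maintained GeoIP database.
GEOIP_TABLE = {
    ip_network("203.0.113.0/25"):   "GB",
    ip_network("203.0.113.128/25"): "US",
    ip_network("198.51.100.0/24"):  "AU",
    ip_network("192.0.2.0/24"):     "SN",  # Senegal, as in the post
}

# Country code -> coarse region used in the allow-list (partial, constructed).
COUNTRY_REGION = {"GB": "Europe", "FR": "Europe", "US": "North America",
                  "AU": "Australasia", "SN": "Africa", "AE": "Middle East"}

def lookup_country(ip: str):
    """Return the ISO country code for ip, or None if no prefix matches."""
    addr = ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return None  # GeoIP coverage is never complete; caller must fail closed

@dataclass(frozen=True)
class AccountPolicy:
    access_regions: frozenset    # regions from which any access is allowed
    change_countries: frozenset  # countries from which settings may be changed

def authorise(policy: AccountPolicy, ip: str, action: str) -> str:
    """action is 'read' (mail access) or 'change' (password, recovery
    address, secret question). Returns 'allow' or 'deny'."""
    cc = lookup_country(ip)
    region = COUNTRY_REGION.get(cc)          # None for unknown / unmapped
    if region not in policy.access_regions:
        return "deny"                        # wrong region, or location unknown
    if action == "change" and cc not in policy.change_countries:
        return "deny"                        # reading is fine, changes are not
    return "allow"

# Bruce's policy from the post: access from Europe, North America and
# Australasia, account changes only from the UK and Australia.
BRUCE = AccountPolicy(frozenset({"Europe", "North America", "Australasia"}),
                      frozenset({"GB", "AU"}))
```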
