This morning, a family member’s Gmail account was hacked. This, in and of itself, is not particularly newsworthy. I had an old Hotmail account hacked a few months ago that was using a simple password; someone probably brute forced it. My account was just used to send out lame V1AGRA ads.
On its face, this one wasn’t much different. The hacker used the account to send this to everyone in the contact list:
I’m sorry for this odd request because it might get to you too urgent but it’s because of the situation of things right now,I’m stuck in London UK with family right now,we came down here on vacation ,we were robbed, the situation seems worse as bags,cash ,credit cards and cell phone were stolen at GUN POINT, It’s such a crazy experience for us,we need help flying back home, the authorities are not being 100% supportive but the good thing is that we still have our passport but don’t have enough money to get our flight ticket back home, please I need you to loan me some money(1000GBP) but I will appreciate any amount you can help with,B’H I will reimburse you as soon as I’m back home, I promise
I helped with the password change and recommended LastPass, the helpful (if ugly) service I started using after it happened to me. But this kept nagging at me. First, the spammer was far more malicious than the one who hit me. Instead of shilling sketchy blue Bob Dole enhancers, this one was an actual thief. Second, the con had surreptitiously changed the Gmail settings so that all future emails would be forwarded to a Hotmail address, then deleted – a very personal invasion. Third, they deleted all of the contacts stored in the account – probably to make it harder to notify people and prevent them from being warned, but a cruel thing to do nonetheless.
So something drew me back, and I read the email one more time.
This is not something you see in your typical Nigerian con.
The mark B”H is an abbreviation for a phrase that means, roughly, “Blessed is the name”. Some orthodox Jews use it regularly in every email at the beginning; it can also be used as one might say “Thank G-d” in conversation.
2% of the US population is Jewish. 0.2% of the world population is Jewish. This is a seriously weird thing to put in an email designed to part people from their money.
Unless, that is, you know in advance that those people are Jewish. Then it’s a pretty cunning way to get the recipient to overlook the fact that your grammar is terrible, your story is hard to believe, and you can’t really corroborate your story with any details.
It’s hard to brute force passwords, but you usually start with a list of usernames drawn from public spaces. How do you decide which usernames to attack? Perhaps you start by screening for Jewish last names…
Has anyone seen or heard of anything like this?
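The forward-then-delete setting described above survives a password change, so it is worth checking for after any mailbox takeover. The following is an added example, not part of the original post: it audits settings shaped like the Gmail API AutoForwarding and Filter resources, and every address, filter id and the `known_addresses` allowlist is constructed for illustration.

```python
# Added example: flag forwarding rules that copy mail out and hide it from the owner.
# Field names follow the Gmail API AutoForwarding and Filter resources;
# all sample values below are constructed.
HIDING_DISPOSITIONS = {"trash", "archive", "markRead"}

def _norm(addr):
    return addr.strip().lower()

def audit_mailbox(auto_forwarding, filters, known_addresses):
    """Return (severity, message) findings for forwards to unrecognised addresses."""
    known = {_norm(a) for a in known_addresses}
    findings = []

    # Account-wide auto-forwarding (Settings > Forwarding).
    fwd = auto_forwarding or {}
    target = _norm(fwd.get("emailAddress", ""))
    if fwd.get("enabled") and target and target not in known:
        hides = fwd.get("disposition") in HIDING_DISPOSITIONS
        msg = f"auto-forwarding to unrecognised address {target}"
        if hides:
            msg += f" with disposition {fwd['disposition']}"
        findings.append(("high" if hides else "medium", msg))

    # Per-message filters can forward and delete without touching the setting above.
    for f in filters or []:
        action = f.get("action", {})
        target = _norm(action.get("forward", ""))
        if not target or target in known:
            continue
        hides = ("TRASH" in action.get("addLabelIds", [])
                 or "INBOX" in action.get("removeLabelIds", []))
        msg = f"filter {f.get('id', '?')} forwards to unrecognised address {target}"
        if hides:
            msg += " and removes the message from the inbox"
        findings.append(("high" if hides else "medium", msg))
    return findings

# Constructed sample data.
SAMPLE_FORWARDING = {"enabled": True, "emailAddress": "collector@example.net",
                     "disposition": "trash"}
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "news@example.org"},
     "action": {"addLabelIds": ["Label_1"]}},
    {"id": "f2", "criteria": {"query": "password OR bank"},
     "action": {"forward": "collector@example.net", "addLabelIds": ["TRASH"]}},
    {"id": "f3", "criteria": {"from": "school@example.org"},
     "action": {"forward": "spouse@example.com"}},
]
KNOWN = ["spouse@example.com"]

if __name__ == "__main__":
    for sev, msg in audit_mailbox(SAMPLE_FORWARDING, SAMPLE_FILTERS, KNOWN):
        print(f"[{sev}] {msg}")
```

Checking both the account-wide forwarding setting and the per-message filters matters, because clearing one leaves the other in place.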