trevordaniel2
Member

Account Hacked - Money Stolen

Hello,

 

I would like to share my recent experience and hopefuly get some views on how it happened.

 

So, here's the story...

 

It first showed up when I could not log into the Upwork wesbite. It kept telling me that either my username or password was incorrect.

 

I then attempted to get a password reminder and it tells me that my username was not found.

 

I then attempted to log a problem but could no because i wasn't able to log in....

 

I then contacted Upwork view the "anonymous" contact system. I wrote a detail explanation and sent it off...

 

I had no confirmation of the problem being recieved or acknowledged.

 

The next day I attempted to open another "anonymous" ticket... again it was sent and I received no acknowedgement or response.

 

I then decided to tweet to @UpworkHelp... with no response for 8 hours....

 

I then decided to phone Upwork in Los Angeles from here in the UK....

 

So, this is where it all gets scary....

 

The lady i spoke to at Upwork tried to confirm my email address and said that it was incorrect.... She asked some other identification questions and was happy i was genuine...

 

So, somebody had gained access to my account and changed the email address..

 

I received NO notification from upwork saying my email had changed....

 

It was decided at this point that my account had been hacked and it was escalated to the Account Security team...

 

I was then contacted by a very helpful chap from the Account Security team and he informed me that an addition payment method had been added to my account and $909 taken.

 

I had no notification from Upwork that the additional payment method had been added.

 

I had no notification that a withdrawal had been made..

 

I have no idea how they managed to add another payment method without knowing the answer to my "secret question"....

 

I am completely confused how this has manage to happen and quite annoyed to lose $900!

 

I am also very worried that it might be possible for this to happen again!

 

How did this manage to happen without me knowing anything about it????

 

Can anyone suggest how this hacked managed to do it?

 

Trev

46 REPLIES 46
setumonroe
Member

Sorry to hear all of that Trevor.

What was the solution that was offered? if any.
---- easy like Sunday morning ----

The solution was that the guy from the Account Security team helped me take back control of my account...

 

He said that as the hacker had changed my email address i would not have received any notifications...

 

They attempted to recall the payment that was made to the hacker on a "Payoneer" account and they recovered $11.29

 

Trev

This happened before and will continue to happen as long as Upwork doesn't implement two step authentication.

 

And I seriously doubt they will.

-----------
"Where darkness shines like dazzling light"   —William Ashbless

Agreed....

 

I am scared how easily it happened and at a loss to how to stop it happening again!

 

Trev

The cause was probably phishing. Maybe a Word or Excel document with macros, or a link to a look alike web page where you innocently entered your Upwork's credentials, ...

-----------
"Where darkness shines like dazzling light"   —William Ashbless

I'm not an expert but I tend to agree with this.  I have two step authentication on my Blizz account (because people want to steal my l33t account) and on my bank and credit card accounts.  

 

While good computer hygiene is important and ultimately our responsibility, 2-step authentication is just another layer of protection that can be really valuable.


@Rene K wrote:

This happened before and will continue to happen as long as Upwork doesn't implement two step authentication.

 

And I seriously doubt they will.


 

lysis10
Member

I keep reading these stories that no additional payment method emails were sent out, but I think people just aren't paying attention. I added a PayPal account to my account and I got an email like 3 minutes later.


@Jennifer M wrote:

I keep reading these stories that no additional payment method emails were sent out, but I think people just aren't paying attention. I added a PayPal account to my account and I got an email like 3 minutes later.


On the email address registered with Upwork I guess.

 

You see the flaw now? 

-----------
"Where darkness shines like dazzling light"   —William Ashbless


@Rene K wrote:

On the email address registered with Upwork I guess.

 

You see the flaw now? 


 So I take it there is no confirmation of an email change? I have no idea cuz I ain't nevah been hacked.

 

That sucks if there is none. Them phishers are good.

They change the email first and then add the new payment method so that the notification goes to the new email. 

"Fairness is giving all people the treatment they earn and deserve. It doesn't mean treating everyone alike-Coach John Wooden"
vladag
Community Manager
Community Manager

Hi Trevor,

 

I'm sorry you're account was compromised and understand your frustration. I see our team helped you regain access to your account and blocked the account as soon as you alerted them.

 

Regarding your tickets, I see you received a reply on the first ticket you submitted on Monday regarding the problem with accessing your account, 2.5 hours after submitting the request. Unfortunately you didn't follow up on our agent's message.

 

Our agent followed up on your second ticket and took action within an hour after the ticket was created, and responded on your ticket an hour afterwards.

 

Please check the security notification our team sent you on September 9. and follow up on your ticket if you have any questions.

Untitled
Anonymous User
Not applicable
This widget could not be displayed.

 
Anonymous User
Not applicable
This widget could not be displayed.


@Vladimir G wrote:

Hi Trevor,

 

I'm sorry you're account was compromised and understand your frustration. I see our team helped you regain access to your account and blocked the account as soon as you alerted them.

 

Regarding your tickets, I see you received a reply on the first ticket you submitted on Monday regarding the problem with accessing your account, 2.5 hours after submitting the request. Unfortunately you didn't follow up on our agent's message.

 

Our agent followed up on your second ticket and took action within an hour after the ticket was created, and responded on your ticket an hour afterwards.

 

Please check the security notification our team sent you on September 9. and follow up on your ticket if you have any questions.


May I add something? I never get an email when I open a ticket with CS and CS responds to me. All communication with CS happens in my account and no email is sent to my external email address. So, when he was not able to log into his account, he could not see the message CS sent to him. Or alternatively, the email was sent to the person who stole the money.

Hi Margarete,

 

The request wasn't submitted from the account and the user should have received the message on the email address they entered in the form. 

Untitled
atifaimran
Member

What is the solution to this issue.

suzedablooze
Member

I am part of a design team that works on consumer identity systems. Some of the fundamentals of such systems, to avoid phishing and the like include:

 

1. Second factor  - although unless implemented correctly this can also be hacked. 

2. Well built and timely communication with clients, such as alerting them to password changes, or even email changes, using an SMS text, for example. Of course SMS texts cost the host company money to send...

3. Robust account recovery systems which, again use out of band methodologies to recover credentials and alert users to credential recovery attempts, even giving the user the IP address used to attempt recover / changes to account credentials

4. Using other risk based authenticaion measures, which are user led, for example, setting of geographic location for access

 

It seems Upwork are lax in some of the above requirements. And when there is money, sometimes large amounts at stake, it isn't really very good. 

Fear of this is why I remove money from my account when its there.

g_holstein
Member

Wouldn't it be easy to implement sending an email confirmation of change of email address with an option to reject this change to the old email too as a standard procedure?

This way the hacked user would have an early clue that he has been hacked and a means to prevent further damage and alert the upwork security team. 


@Gerald H wrote:

Wouldn't it be easy to implement sending an email confirmation of change of email address with an option to reject this change to the old email too as a standard procedure?

This way the hacked user would have an early clue that he has been hacked and a means to prevent further damage and alert the upwork security team. 


While it may sound like a good idea, it won't prevent this to happen. You'll just be informed early that your money was stolen.

 

The only sound decision is to implement the support of a solution like Google Authenticatior. This has the advantage that nobody can log into your account even if they have your password.

-----------
"Where darkness shines like dazzling light"   —William Ashbless


@Rene K wrote:

@Gerald H wrote:

Wouldn't it be easy to implement sending an email confirmation of change of email address with an option to reject this change to the old email too as a standard procedure?

This way the hacked user would have an early clue that he has been hacked and a means to prevent further damage and alert the upwork security team. 


While it may sound like a good idea, it won't prevent this to happen. You'll just be informed early that your money was stolen.

 

The only sound decision is to implement the support of a solution like Google Authenticatior. This has the advantage that nobody can log into your account even if they have your password.


I'm a tech idiot, so apologies if this is a stupid question. How do these hackers obtain passwords and email addresses, even with Upwork's current system? 


@Rene K wrote:

@Gerald H wrote:

Wouldn't it be easy to implement sending an email confirmation of change of email address with an option to reject this change to the old email too as a standard procedure?

This way the hacked user would have an early clue that he has been hacked and a means to prevent further damage and alert the upwork security team. 


While it may sound like a good idea, it won't prevent this to happen. You'll just be informed early that your money was stolen.

 

The only sound decision is to implement the support of a solution like Google Authenticatior. This has the advantage that nobody can log into your account even if they have your password.


I won't discuss that obviously improvements need to be made to the authentification. But as change of email is the first step, rejection of this from the old email could trigger an alert to stop further changes to the account, So this might prevent things and it might be easier to implement than the authentification stuff. Just saying: Why not do something which can be done instead of not doing something because it's too complicated or just won't happen or whatever.   

I didn't receive any responses to the support requests I sent initially.

 

I did have a response eventually when the problem was resolved....

 

I would be more interested in pertinent responses to the security issues being raised rather than argue about whether emails were received to be honest...

 

 

Hi Trevor,

 

Could you please check your inbox, spam box and also check your email notification settings?

 

I can't share any details regarding your case in the Community unfortunately but you can follow up with our team on one of your tickets.

 

We've heard the suggestions to add two-step verification and our team is already looking into this. We'll update the Community once we receive feedback from our Product team.

Untitled


@Vladimir G wrote:

 

 

We've heard the suggestions to add two-step verification and our team is already looking into this. We'll update the Community once we receive feedback from our Product team.


 Thanks Vlad. Unfortunately a lot useful of suggestions in the past were made and sent to the team. I can't remember of a single one that was ever implemented. Sorry for my negative mindset...

-----------
"Where darkness shines like dazzling light"   —William Ashbless

I am sorry to hear that the original poster lost $900 when his Upwork account was hacked.

 

This would never happen to me. I always withdraw funds as soon as they become available.

 

There are many good suggestions in this thread. But unfortunately the original poster did something, unintentionally no doubt, that put his account in jeopardy. Active Upwork users with money flowing through their accounts should be vigilant, routinely check their accounts, and use safe computer practices to avoid becoming victims of hackers. This will still be true even if additional security measures are implemented.

It did happen at a very unfortunate time...

 

I had a rule in place where whenever i go over $1000 in a week it automatically pays me... which is almost every week...

 

Unfortunately, that particular week I had taken some time off and not hit the $1000 mark and so the $909 was sitting there waiting to be paid the following week...

 

The hacker got in the week there was a balance... Normally the balance is zero....

 

Trev


@Preston H wrote:

 

 

This would never happen to me.

 

 


This Preston is a bold statement.

 

The hacker who already has your credentials may be lurking and waiting for the right moment. You may take one hour before withdrawing, one of those days it may be enough.

 

Or they may come and change your credentials the very day when your funds exit the security period. They may log in earlier than you, they may count on the fact that from the moment you realize you cannot access your account, to the moment CS freezes it, they may have enough time to steal your last earnings.

 

As long as Upwork doesn't offer a solid 2-steps protection, you can easily be the victim of a hack too.

 

The word never should be used with caution in the context of cybersecurity 

-----------
"Where darkness shines like dazzling light"   —William Ashbless
Anonymous User
Not applicable
This widget could not be displayed.


@Rene K wrote:


This Preston is a bold statement.

 

The hacker who already has your credentials may be lurking and waiting for the right moment. You may take one hour before withdrawing, one of those days it may be enough.

 

Or they may come and change your credentials the very day when your funds exit the security period. They may log in earlier than you, they may count on the fact that from the moment you realize you cannot access your account, to the moment CS freezes it, they may have enough time to steal your last earnings.

 

As long as Upwork doesn't offer a solid 2-steps protection, you can easily be the victim of a hack too.

 

The word never should be used with caution in the context of cybersecurity 


The funds mostly become available when it is night or early morning in Europe. Moreover, I am not sure if the timetracker cannot be abused.

I’m so sorry to hear that Trevor Smiley Sad

Based on the small amount of anecdotal evidence I have seen on the forum:

 

If it is more money than you want to lose, don't leave it in an Upwork account. : ( This is particularly true of non-U.S. accounts which seem to be more often targeted. 

 


@Tonya P wrote:

Based on the small amount of anecdotal evidence I have seen on the forum:

 

If it is more money than you want to lose, don't leave it in an Upwork account. : ( This is particularly true of non-U.S. accounts which seem to be more often targeted. 

 


This is a very good advice.

 

However, this is not a solution to the problem, merely a patch on the hole. If you don't have a lock on your door, you definitely should bring your money to the bank as soon as possible, in order to avoid it to be stolen when burglars enter your house.

 

A wise solution would be to put a solid lock to avoid burglars o enter. Not to find a workaround to mitigate the effects of burglaries.

-----------
"Where darkness shines like dazzling light"   —William Ashbless

I've read similar recent threads where some freelancers claim that an account being hacked is not Upwork's fault despite the fact that not all security measures are being implemented. I don't think this is acceptable. But the rethoric is changing... At least in this thread we were offered the prospect of a solution.

Oh, I totally agree, Rene. But I am not hopeful of seeing a solution anytime soon. There are many very well known scams, tricks and thefts that could be easily avoided. There are many simple ways that new freelancers could be warned. However, implementing them seem to be a priority for Upwork.

 

I am amazed that some enterprising attorney hasn't filed a class action suit because of all the problems that Upwork ignores. At some point, ignoring known issues becomes willful negligence, IMO. 

Anonymous User
Not applicable
This widget could not be displayed.


@Tonya P wrote:

Oh, I totally agree, Rene. But I am not hopeful of seeing a solution anytime soon. There are many very well known scams, tricks and thefts that could be easily avoided. There are many simple ways that new freelancers could be warned. However, implementing them seem to be a priority for Upwork.

 

I am amazed that some enterprising attorney hasn't filed a class action suit because of all the problems that Upwork ignores. At some point, ignoring known issues becomes willful negligence, IMO. 


Somebody has to pay for this and each case has also be reported to the police. Several people reported here that their account was compromised and their money was stolen, but they never come back and tell us, if their money was refunded. At least I can't remember this. 

I changed my address in August, and received notices at both the old and new address. The one to the old address instructed me to contact Support immediately if I had not authorized the change.

 

[edited to add:] Should a positive opt-in/confirmation from the old address message be required?


@Douglas Michael M wrote:

I changed my address in August, and received notices at both the old and new address. The one to the old address instructed me to contact Support immediately if I had not authorized the change.


That's what I thought. 😉 Thank you for confirming.

 

 

Making good progress tracking the little **** that stole my money..

 

I have decompiled his trojan.

 

Found the entry point!

 

It's not packed or crypted!

 

It's quite simplistic... No static imports... No library calls... it's all self contained....

 

Tonight I will pull it apart even more and track it back to his server and see where that leads me 🙂

 

Wish me luck!

 

 

14454018_10153833291207411_1073321351_o.jpg

Anonymous User
Not applicable
This widget could not be displayed.


@Trevor D wrote:

Making good progress tracking the little **** that stole my money..

 

I have decompiled his trojan.

 

Found the entry point!

 

It's not packed or crypted!

 

It's quite simplistic... No static imports... No library calls... it's all self contained....

 

Tonight I will pull it apart even more and track it back to his server and see where that leads me 🙂

 

Wish me luck!

 

 

14454018_10153833291207411_1073321351_o.jpg


Trevor, I wish you luck, but would like to ask if you have any idea how the trojan could enter your PC? A few weeks ago a "client" sent an invitation to me and attached to the job offer an excel file that was identified by my virus scanner as dangerous, maybe a macro or trojan, I am not sure. Besides that I get numerous emails for weeks that only intend to steal my personal data. A lot of them are related to "great" job offers. Coincidence?

eu.There's a simple solution to this-never leave any funds in your account with upwork

" The bond with a true dog is as lasting as the ties of this earth will ever be "