cancel
Showing results for 
Search instead for 
Did you mean: 

Account Hacked - Money Stolen

trevordaniel2
Active Member

Hello,

 

I would like to share my recent experience and hopefuly get some views on how it happened.

 

So, here's the story...

 

It first showed up when I could not log into the Upwork wesbite. It kept telling me that either my username or password was incorrect.

 

I then attempted to get a password reminder and it tells me that my username was not found.

 

I then attempted to log a problem but could no because i wasn't able to log in....

 

I then contacted Upwork view the "anonymous" contact system. I wrote a detail explanation and sent it off...

 

I had no confirmation of the problem being recieved or acknowledged.

 

The next day I attempted to open another "anonymous" ticket... again it was sent and I received no acknowedgement or response.

 

I then decided to tweet to @UpworkHelp... with no response for 8 hours....

 

I then decided to phone Upwork in Los Angeles from here in the UK....

 

So, this is where it all gets scary....

 

The lady i spoke to at Upwork tried to confirm my email address and said that it was incorrect.... She asked some other identification questions and was happy i was genuine...

 

So, somebody had gained access to my account and changed the email address..

 

I received NO notification from upwork saying my email had changed....

 

It was decided at this point that my account had been hacked and it was escalated to the Account Security team...

 

I was then contacted by a very helpful chap from the Account Security team and he informed me that an addition payment method had been added to my account and $909 taken.

 

I had no notification from Upwork that the additional payment method had been added.

 

I had no notification that a withdrawal had been made..

 

I have no idea how they managed to add another payment method without knowing the answer to my "secret question"....

 

I am completely confused how this has manage to happen and quite annoyed to lose $900!

 

I am also very worried that it might be possible for this to happen again!

 

How did this manage to happen without me knowing anything about it????

 

Can anyone suggest how this hacked managed to do it?

 

Trev

46 REPLIES 46

@Rene K wrote:

@Gerald H wrote:

Wouldn't it be easy to implement sending an email confirmation of change of email address with an option to reject this change to the old email too as a standard procedure?

This way the hacked user would have an early clue that he has been hacked and a means to prevent further damage and alert the upwork security team. 


While it may sound like a good idea, it won't prevent this to happen. You'll just be informed early that your money was stolen.

 

The only sound decision is to implement the support of a solution like Google Authenticatior. This has the advantage that nobody can log into your account even if they have your password.


I won't discuss that obviously improvements need to be made to the authentification. But as change of email is the first step, rejection of this from the old email could trigger an alert to stop further changes to the account, So this might prevent things and it might be easier to implement than the authentification stuff. Just saying: Why not do something which can be done instead of not doing something because it's too complicated or just won't happen or whatever.   

I didn't receive any responses to the support requests I sent initially.

 

I did have a response eventually when the problem was resolved....

 

I would be more interested in pertinent responses to the security issues being raised rather than argue about whether emails were received to be honest...

 

 

Hi Trevor,

 

Could you please check your inbox, spam box and also check your email notification settings?

 

I can't share any details regarding your case in the Community unfortunately but you can follow up with our team on one of your tickets.

 

We've heard the suggestions to add two-step verification and our team is already looking into this. We'll update the Community once we receive feedback from our Product team.

Untitled

@Vladimir G wrote:

 

 

We've heard the suggestions to add two-step verification and our team is already looking into this. We'll update the Community once we receive feedback from our Product team.


 Thanks Vlad. Unfortunately a lot useful of suggestions in the past were made and sent to the team. I can't remember of a single one that was ever implemented. Sorry for my negative mindset...

-----------
"Where darkness shines like dazzling light"   —William Ashbless

I am sorry to hear that the original poster lost $900 when his Upwork account was hacked.

 

This would never happen to me. I always withdraw funds as soon as they become available.

 

There are many good suggestions in this thread. But unfortunately the original poster did something, unintentionally no doubt, that put his account in jeopardy. Active Upwork users with money flowing through their accounts should be vigilant, routinely check their accounts, and use safe computer practices to avoid becoming victims of hackers. This will still be true even if additional security measures are implemented.

It did happen at a very unfortunate time...

 

I had a rule in place where whenever i go over $1000 in a week it automatically pays me... which is almost every week...

 

Unfortunately, that particular week I had taken some time off and not hit the $1000 mark and so the $909 was sitting there waiting to be paid the following week...

 

The hacker got in the week there was a balance... Normally the balance is zero....

 

Trev


@Preston H wrote:

 

 

This would never happen to me.

 

 


This Preston is a bold statement.

 

The hacker who already has your credentials may be lurking and waiting for the right moment. You may take one hour before withdrawing, one of those days it may be enough.

 

Or they may come and change your credentials the very day when your funds exit the security period. They may log in earlier than you, they may count on the fact that from the moment you realize you cannot access your account, to the moment CS freezes it, they may have enough time to steal your last earnings.

 

As long as Upwork doesn't offer a solid 2-steps protection, you can easily be the victim of a hack too.

 

The word never should be used with caution in the context of cybersecurity 

-----------
"Where darkness shines like dazzling light"   —William Ashbless
Anonymous User
Not applicable
This widget could not be displayed.

@Rene K wrote:


This Preston is a bold statement.

 

The hacker who already has your credentials may be lurking and waiting for the right moment. You may take one hour before withdrawing, one of those days it may be enough.

 

Or they may come and change your credentials the very day when your funds exit the security period. They may log in earlier than you, they may count on the fact that from the moment you realize you cannot access your account, to the moment CS freezes it, they may have enough time to steal your last earnings.

 

As long as Upwork doesn't offer a solid 2-steps protection, you can easily be the victim of a hack too.

 

The word never should be used with caution in the context of cybersecurity 


The funds mostly become available when it is night or early morning in Europe. Moreover, I am not sure if the timetracker cannot be abused.

shehanfernando
Community Guru

I’m so sorry to hear that Trevor Smiley Sad

Based on the small amount of anecdotal evidence I have seen on the forum:

 

If it is more money than you want to lose, don't leave it in an Upwork account. : ( This is particularly true of non-U.S. accounts which seem to be more often targeted. 

 


@Tonya P wrote:

Based on the small amount of anecdotal evidence I have seen on the forum:

 

If it is more money than you want to lose, don't leave it in an Upwork account. : ( This is particularly true of non-U.S. accounts which seem to be more often targeted. 

 


This is a very good advice.

 

However, this is not a solution to the problem, merely a patch on the hole. If you don't have a lock on your door, you definitely should bring your money to the bank as soon as possible, in order to avoid it to be stolen when burglars enter your house.

 

A wise solution would be to put a solid lock to avoid burglars o enter. Not to find a workaround to mitigate the effects of burglaries.

-----------
"Where darkness shines like dazzling light"   —William Ashbless

I've read similar recent threads where some freelancers claim that an account being hacked is not Upwork's fault despite the fact that not all security measures are being implemented. I don't think this is acceptable. But the rethoric is changing... At least in this thread we were offered the prospect of a solution.

Oh, I totally agree, Rene. But I am not hopeful of seeing a solution anytime soon. There are many very well known scams, tricks and thefts that could be easily avoided. There are many simple ways that new freelancers could be warned. However, implementing them seem to be a priority for Upwork.

 

I am amazed that some enterprising attorney hasn't filed a class action suit because of all the problems that Upwork ignores. At some point, ignoring known issues becomes willful negligence, IMO. 

Anonymous User
Not applicable
This widget could not be displayed.

@Tonya P wrote:

Oh, I totally agree, Rene. But I am not hopeful of seeing a solution anytime soon. There are many very well known scams, tricks and thefts that could be easily avoided. There are many simple ways that new freelancers could be warned. However, implementing them seem to be a priority for Upwork.

 

I am amazed that some enterprising attorney hasn't filed a class action suit because of all the problems that Upwork ignores. At some point, ignoring known issues becomes willful negligence, IMO. 


Somebody has to pay for this and each case has also be reported to the police. Several people reported here that their account was compromised and their money was stolen, but they never come back and tell us, if their money was refunded. At least I can't remember this. 

researchediting
Community Guru

I changed my address in August, and received notices at both the old and new address. The one to the old address instructed me to contact Support immediately if I had not authorized the change.

 

[edited to add:] Should a positive opt-in/confirmation from the old address message be required?


@Douglas Michael M wrote:

I changed my address in August, and received notices at both the old and new address. The one to the old address instructed me to contact Support immediately if I had not authorized the change.


That's what I thought. 😉 Thank you for confirming.

 

 

Making good progress tracking the little **** that stole my money..

 

I have decompiled his trojan.

 

Found the entry point!

 

It's not packed or crypted!

 

It's quite simplistic... No static imports... No library calls... it's all self contained....

 

Tonight I will pull it apart even more and track it back to his server and see where that leads me 🙂

 

Wish me luck!

 

 

14454018_10153833291207411_1073321351_o.jpg

Anonymous User
Not applicable
This widget could not be displayed.

@Trevor D wrote:

Making good progress tracking the little **** that stole my money..

 

I have decompiled his trojan.

 

Found the entry point!

 

It's not packed or crypted!

 

It's quite simplistic... No static imports... No library calls... it's all self contained....

 

Tonight I will pull it apart even more and track it back to his server and see where that leads me 🙂

 

Wish me luck!

 

 

14454018_10153833291207411_1073321351_o.jpg


Trevor, I wish you luck, but would like to ask if you have any idea how the trojan could enter your PC? A few weeks ago a "client" sent an invitation to me and attached to the job offer an excel file that was identified by my virus scanner as dangerous, maybe a macro or trojan, I am not sure. Besides that I get numerous emails for weeks that only intend to steal my personal data. A lot of them are related to "great" job offers. Coincidence?

eu.There's a simple solution to this-never leave any funds in your account with upwork

" The bond with a true dog is as lasting as the ties of this earth will ever be "
Anonymous User
Not applicable
This widget could not be displayed.

@Jutta B wrote:

eu.There's a simple solution to this-never leave any funds in your account with upwork


That is not the solution of the problem itself. Moreover, the funds are mostly released when it is night in Europe. The scammer could have programmed something that he will have access to the money earlier than the freelancer.


@Trevor D wrote:

Making good progress tracking the little **** that stole my money..

 

I have decompiled his trojan.


A Trojan horse, huh?

 

Means there is a truckload of people infected. Probably developers like you who opened an attachment in a job post.

 

Nah Upwork, it's OK, no need for 2-steps auth. 

-----------
"Where darkness shines like dazzling light"   —William Ashbless
TOP SOLUTION AUTHORS
TOP KUDOED MEMBERS