On June 17, 2015 circa 11:48am ET I received a very nice voicemail:
“Hi, this is Tim from Google AdWords. It looks like you have set up a new account … We typically set up like a 30-minute consultation to talk about the account, make sure you have your goals … etc.”
Awesome! Except I didn’t set up a new Google AdWords account.
At 2:46pm ET the very same day a robot, calling itself Ariel, left a voicemail offering the same free consultation. (BTW, robocalls suck! If this article were not about getting hacked, I’d be ranting about robocalls!)
A normal person would probably have called Google back immediately, but I was traveling abroad, so I shot a quick note to the staffer I thought might have set it up and asked what it was for. After several “I don’t see any new AdWords accounts” and “Are you sure one of the summer interns didn’t do it?” and “Well, if you didn’t do it, who did?” conversations, and after checking all of our billing accounts, we just let it go. Clearly Google was mistaken – we didn’t have anything new or unusual running and no one on our staff would have used my credentials to open a new Google AdWords account. Or so we thought.
Fast-forward to July 10, 2015. I got an email from Google AdWords to my private email account thanking me for my payment.
Payment? What payment? This is my personal, private email account; it’s not tied to Google AdWords or anything else for that matter. Had I been hacked?
I didn’t recognize the Google AdWords account number or billing ID and I was very confused about how this email address could be associated with a business transaction.
Before I go on with the story, I want to commend Google for (1) having a phone number to call and (2) having knowledgeable customer service representatives who are capable of thinking for themselves. I spent 20 minutes on the phone with a remarkably patient, thoughtful gentleman at Google who answered both hard questions and, in my case, some pretty stupid ones. Whatever they pay him, it’s not enough!
It turns out that someone set up a new Google AdWords account using a woman’s name and address from East Stroudsburg, PA, a nonworking internal phone number from some random company, an American Express card ending in 1008 and my email address.
I’m not sure how this was accomplished or what was accomplished. Only my email information was used. Not my address, not my phone number, not my credit card (or was it?). Did they have my email password? I logged in with no effort, and clearly they did too – but to what end?
The “hacker” set up Ad Group #1 with this ad.
The improperly worded ad links to a totally obscure website ranked 14,983,965th on Alexa. There is no obvious benefit here.
The Plot Thickens
Google’s customer service confirmed that an American Express card ending in 1008 was charged as the email indicated. We also confirmed that Google had suspended the AdWords campaign for noncompliance (although he would not tell me exactly why). He also confirmed that only one charge was made and it was for $24.86. He also confirmed that if it really wasn’t me (which he assumed was true, but someone on the fraud team would have to review and confirm), I would be entitled to a refund. All good … maybe?
American Express
My next call was to Amex to ask about a card ending in 1008. That’s not a last four digits I recognized, but I just wanted to understand what happened. Perhaps this was an old card number or an expired or replaced card that was still being honored on my current account?
It took Amex Platinum customer service about three seconds to assure me that there were no charges from Google, flag my account and assure me that (as suspected) a card ending in 1008 was not associated with my account in any way and I was not to worry about it.
So What Happened?
Did someone hack me? Hack Google? Hack that woman in Pennsylvania? Hack the person whose Amex card ends in 1008?
I changed my password (which is all I could do), and I’m waiting for the Google team to explain this to me. Clearly Google ran a few ads from a fraudulent account, but who was hacked? Was this a test to see if a certain vulnerability at Google could be exploited? Is this a precursor to a big money attack? Is it just a mischievous kid flexing his nascent hacker muscles? Is it the Chinese Government getting ready to crush Google?
Unless I received the email from Google confirming a payment I didn’t make for an account I didn’t open, I never would have known about any of this. To tell you the truth, I still don’t know what happened – do you?