Yes, My Email Account Was Compromised

Written by Jeff Orloff on December 21, 2011

This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday.

I was lucky that I did check it. The new message was actually from my personal email account; its contents consisted of only one link, and other people had been sent the same message.

I realized immediately that my personal email account was sending spam. I was upset with this because, working with email and security, I write about best practices and train others on them. Not only that, but I follow them as well. I make sure that:

  • I use strong passwords and phrases
  • I change my passwords frequently
  • I don’t use the same password over and over
  • I update my anti-malware software regularly
  • I run anti-malware scans regularly (ironically, I had just run a scan the day before)
  • I am careful about what sites I visit
  • I am careful about clicking links in emails
  • I am careful about what I download, even checking the MD5 hashes when available.

However, after I realized what had happened, I didn’t make the classic mistake of denying that this could happen to me. After all, people much smarter than me have had their systems compromised. Driven by a classic saying in computer security, “The only way to ensure that a computer is 100% secure is to unplug it from everything and seal it up in a box,” I moved ahead with fixing the problem.

Steps taken

When I opened up my personal email account there were over 100 mail delivery subsystem errors and Out of Office replies waiting for me.

At first I thought that my email address had possibly been spoofed. After all, most of the sites I write for include it as a way to contact me so I am sure it comes up quite often when people are mining the Internet for email addresses.

However, looking at a few of these messages, I noticed that the spam messages were being sent to every address that I had ever sent an email to, not just my contacts. What this told me was:

A) My email address had not been spoofed.

B) It wasn’t malware that was abusing my contact list. This was the result of my account credentials being compromised.

It may appear that the first step anyone should take in this situation is to change the password immediately. Not entirely true.

Most passwords are captured by a keystroke logger installed on your computer. If you go ahead and change your password while that logger is still running, you are simply letting the attacker know what your new one is.

Instead, I went ahead and attempted to update all of my anti-malware definitions. Since I had just run a scan the day before, there was nothing to update. The next step was to run all of these scans again.

The three scans, from Malwarebytes Anti-Malware, the TDSSKiller anti-rootkit utility and Ad-Aware, all came up clean, so I went ahead and changed the password on my account. Even after I changed the password, more delivery error messages kept arriving, but looking at the headers, these were delayed bounces: the original messages sent from my account all went out between 6:48 AM and 6:54 AM, so everything looked clean.
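The triage described above (every past correspondent targeted, and bounce headers pinning the sending window) can be done systematically over a pile of delivery-failure messages. The following is an added example, not code from the original post: it reads the original message returned inside each bounce, uses the earliest Received hop to tell an authenticated send through the provider's own relay (credential compromise) from a merely spoofed From: address, and recovers the window of real sends. Host names, addresses, times and the relay name in PROVIDER_MTA are constructed assumptions, and the example goes beyond the post by also including one spoofed bounce.

```python
"""Triage of the delivery-failure bounces that pile up after a webmail account
starts sending spam. Added example, not part of the original post; hosts,
addresses and times are constructed."""
import email
from email.utils import parsedate_to_datetime

PROVIDER_MTA = "smtp.example-mail.net"  # assumed: the provider's own submission relay

def bounce(to, date, received):
    """Build a constructed DSN that wraps the returned original as message/rfc822."""
    return ("From: mailer-daemon@example-mail.net\nContent-Type: message/rfc822\n\n"
            + "".join(f"Received: {r}\n" for r in received)
            + f"From: me@example-mail.net\nTo: {to}\nDate: {date}\n\nhttp://link.example/\n")

# Received headers are newest-first, so the last one is where the mail entered
# the mail system. The provider's relay with authenticated submission (ESMTPA)
# means the account itself sent it; any other origin means From: was spoofed.
WEBMAIL = f"from webmail.example-mail.net by {PROVIDER_MTA} with ESMTPA; "
BOUNCES = [
    bounce("oldcontact@other.example", "Wed, 21 Dec 2011 06:48:10 -0500",
           ["from mx.other.example by mail.other.example; Wed, 21 Dec 2011 06:48:14 -0500",
            WEBMAIL + "Wed, 21 Dec 2011 06:48:10 -0500"]),
    bounce("editor@magazine.example", "Wed, 21 Dec 2011 06:54:03 -0500",
           [WEBMAIL + "Wed, 21 Dec 2011 06:54:03 -0500"]),
    bounce("nobody@thirdparty.example", "Wed, 21 Dec 2011 07:29:58 -0500",
           ["from unknown (203.0.113.9) by mx.thirdparty.example; Wed, 21 Dec 2011 07:30:00 -0500"]),
]

def analyze_bounce(raw):
    """Classify one bounce: recipient, send time, and whether the provider's own
    authenticated relay originated it (credential compromise) or not (spoofing)."""
    original = email.message_from_string(raw).get_payload(0)  # the embedded message
    origin = original.get_all("Received")[-1]                 # earliest hop
    return {
        "to": original["To"],
        "sent_at": parsedate_to_datetime(original["Date"]),
        "authenticated": f"by {PROVIDER_MTA}" in origin and "ESMTPA" in origin,
    }

def summarize(raws):
    """Counts, window of authenticated sends, and recipient list across all bounces."""
    results = [analyze_bounce(r) for r in raws]
    times = sorted(r["sent_at"] for r in results if r["authenticated"])
    return {
        "authenticated": sum(r["authenticated"] for r in results),
        "spoofed": sum(not r["authenticated"] for r in results),
        "window": (times[0], times[-1]) if times else None,  # None: nothing was really sent
        "recipients": sorted(r["to"] for r in results),
    }
```

A recipient list that includes addresses never stored in the contacts folder is the same signal the post relies on: the sender had the mailbox's history, not just an address-book export.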

Digging deeper

Once I was sure that everything was cleaned up, curiosity got the better of me and I decided to look a bit deeper into the emails that were being sent out from my address.

To make sure I didn’t infect my computer once again, I created a virtual machine and loaded it up with my three favorite anti-malware tools and ran a scan using each just to ensure the new “computer” was clean.

Then I clicked on the link just to see where it went. Of course, the link was spoofed and redirected to cretep.ru, a domain registered in Russia, advertising an herbal Viagra clone, Viagrow. Of course, by their claims it had been featured in Men’s Health, Maxim, MSN, Esquire and other media outlets.

After closing out the site, I fired up all of the anti-malware software to see what really happened when I visited this site. The first scan found two installations of PUP.FunWebProducts and one installation of Adware.MyWebSearch.

Even those of us considered experts when it comes to email have to realize that, as threats escalate in sophistication, we too are vulnerable. Following best practices and taking the proper measures to secure our email accounts certainly helps, but none of us can assume that our accounts are 100% safe.


3 Comments to “Yes, My Email Account Was Compromised”

  1. Steve Vandermeer Says:

    Like you said, nobody’s ever 100% secure, and even the tightest defenses can be slipped past, however infrequently. In a way, it can be a good exercise to figure out where you can up your security and your plan for diagnosis and removal. Here’s hoping you didn’t wind up on any blacklists.

  2. Ydel Says:

    These days, it’s really important to be cautious when someone sends you an email with suspicious URLs or links, even if it’s from someone you know (your friends, loved ones, co-workers, even your boss). Typically, inactive email accounts are the main medium.

    Usually, this type of email message has no personal touch. The email will just contain one or two links. The sender will ask you to click the supposedly valid URL in order to view his or her complete message to you.

    If you really need to check or open the link, ask the sender first. This way, you can be sure.

  3. Copacabana Lover Says:

    There will come a time when email, aside from requiring a strong password, will also need to have a PIN code much more like ATMs do. Although it will be a hassle on the user’s part, it will keep our email accounts safer and hack-free.

    Some web host providers are now slowly implementing the PIN code system. I just received an email from my provider and it required me to have a PIN. Now, when I log in to my web host account, three things are needed in order to gain access: my username, password, and the PIN code.
