::Trend Micro Threat Resource Center::

20 September 2010

Webmail Account Compromises

Over the past week, I have been receiving pharma spam from friends' email accounts. It was obvious that their email accounts were compromised and used to relay spam.

One had a Hotmail account and another a Yahoo account. I’m not sure whether they should be mocked more for using accounts at those domains or for getting compromised.

Restoring Access
If this happens to you and you’re really fortunate, you’ll be able to log into your webmail account, change your passwords, and change the security questions used to reset the password.

If you can’t gain access because the bad guy changed the passwords, try using the lost password button. If you can’t reclaim your account that way, you’re going to have to contact Google/Hotmail/Yahoo, or whoever the website owner is. Good luck with that.

Cleaning Up
Review all your settings. In Google Mail check your Filters and your mail forwarding. Mail from your bank could now be forwarded to the bad guy.

Maybe it’s paranoia talking, but I would search my mailbox for “password” to see whether the bad guy could have learned any other accounts because a plain-text password was sitting in your inbox.
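As an added example (not from the original post): a small audit of a Gmail filter export for the two things this section warns about, forwarding the owner never set up and rules that quietly bury mail. The XML shape follows the file Gmail produces from Settings > Filters > Export; the sample export, the addresses in it and the owner's known-forward list are all constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces in a Gmail "Export filters" file: an Atom feed carrying Google Apps properties.
ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample export: one ordinary labelling filter, one that hijacks bank mail.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <apps:property name='from' value='alerts@examplebank.example'/>
    <apps:property name='forwardTo' value='dropbox@attacker.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""

# Forwarding destinations the owner set up on purpose (assumed; supplied by the owner).
KNOWN_FORWARDS = {"me@phone.example"}


def parse_filters(xml_text):
    """Return one dict of apps:property name -> value per filter entry."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [{p.get("name"): p.get("value") for p in e.iter(APPS + "property")}
            for e in root.iter(ATOM + "entry")]


def audit_filters(xml_text, known_forwards=KNOWN_FORWARDS):
    """Flag filters typical of a hijacked mailbox: unknown forwarding, deletion, or unlabelled inbox-skipping."""
    findings = []
    for idx, f in enumerate(parse_filters(xml_text), start=1):
        reasons = []
        if f.get("forwardTo") and f["forwardTo"] not in known_forwards:
            reasons.append("forwards to unrecognised address " + f["forwardTo"])
        if f.get("shouldTrash") == "true":
            reasons.append("deletes matching mail")
        elif f.get("shouldArchive") == "true" and "label" not in f:
            reasons.append("skips the inbox without applying a label")
        if reasons:
            findings.append((idx, f.get("from", "<any sender>"), reasons))
    return findings


if __name__ == "__main__":
    for idx, sender, reasons in audit_filters(SAMPLE_EXPORT):
        print("filter #%d on mail from %s: %s" % (idx, sender, "; ".join(reasons)))
```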

Prevention
People always want to know how this happened to them. Often they jump first to blaming their webmail provider. While that’s possible, it’s not something you can really control. It’s better to start looking at simpler explanations that you can do something about.

Was your computer hacked? Did a keystroke logger gather your webmail credentials? That is certainly possible. And it doesn’t hurt to check out the computer. I would have to wonder why the spammer would gain your credentials and then use another computer to send the spam. Some webmail providers give full mail headers including the PC used to send the email. For the spam I received I could see it wasn’t the same country as the sender.

Were you phished or tab-napped? Attackers manipulate victims into providing valid authentication credentials at fake sites. The best defense against this is to use bookmarks to avoid typos, and to go directly to https sites where possible.

Did you use the account from an insecure computer or network? It’s so tempting to hop on an open access point at the coffee shop. It’s tempting to use the ‘guest kiosk’ at the hotel while on vacation. You don’t know the hygiene of that computer. You don’t know who is snooping on that coffee bar network.

Is your password really weak? I don’t think webmail providers would allow a lengthy brute-force attack without locking out the account. But if your password is incredibly bad, this could still be a cause.

Was your password used on another service? While blaming the host isn’t my first thought, hosts do get compromised every now and again. There are multiple account/password lists available from server compromises. If you’ve been on a system that was compromised and had its password list stolen, and you reuse the same credentials, then you have a problem.

Unfortunately the causes for account compromise aren’t any clearer than the ways to get your mailbox back. Hopefully this gives some food for thought.