In the past month or so, I’ve received a number of spam messages from people with whom I’ve had previous email correspondence. (I noticed these because Gmail is less likely to mark messages as spam when they come from someone with whom I’ve already exchanged email.) What’s unusual is that these spam messages were not spoofed to appear as though they came from my acquaintances; the messages actually did originate from the listed accounts and were sent to people in those accounts’ address books.
Tracing backwards through the Received headers in each of the messages reveals that this is indeed the case; messages that purport to have come from a user’s Gmail account really did originate from within Gmail. I’ve seen several of these spam messages from Gmail accounts, several from AOL accounts, and a few from an MSN account. Most of the ones I saw were simple links to pharmaceutical sites. Also common is a particular type of spam sent from a friend’s account asking for immediate financial help after a wallet theft while travelling in London – though poorly written, it’s just believable enough to fool some people.
The Received headers, along with the fact that the To lines contain alphabetized addresses that come from someone’s address book, indicate to me that the accounts in question have been hacked in some way, that the bad guys are actually logging in to the victims’ accounts and sending mail. Plus, although I haven’t received any of this sort of spam from any MobileMe or Yahoo Mail subscribers personally, I know people who have experienced their MobileMe and Yahoo accounts being hacked and used to send spam.
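The header check described above, as an added example that is not part of the original article: it reads the oldest Received header to see whether the first server to handle a message belongs to the From address's provider, and tests whether the To line is an alphabetized address list. The provider suffix table, hostnames, and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: hostname suffixes a provider's own servers use (mailbox domain and
# relay hostnames often differ, hence a lookup table). Values are hypothetical.
PROVIDER_HOSTS = {"webmail.example": (".webmail.example",)}

# Constructed sample messages (made-up hosts and addresses, not real captures).
HIJACKED = (
    "Received: from out7.webmail.example (out7.webmail.example [198.51.100.7])\n"
    "\tby mx.recipient.example with ESMTP; Mon, 5 Jul 2010 10:00:02 -0400\n"
    "Received: by web3.webmail.example with HTTP; Mon, 5 Jul 2010 07:00:01 -0700\n"
    "From: Pat <pat@webmail.example>\n"
    "To: alice@a.example, bob@b.example, carol@c.example\n"
    "Subject: hi\n\n(body)\n")
SPOOFED = (
    "Received: from pc.isp.example (pc.isp.example [203.0.113.9])\n"
    "\tby mx.recipient.example with ESMTP; Mon, 5 Jul 2010 10:00:02 -0400\n"
    "From: Pat <pat@webmail.example>\n"
    "To: me@recipient.example\n"
    "Subject: hi\n\n(body)\n")

def first_handler(msg):
    """Host in the 'by' clause of the oldest (bottom-most) Received header."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    by = re.search(r"\bby ([\w.-]+)", " ".join(received[-1].split()))
    return by.group(1).lower() if by else ""

def originated_inside_provider(msg):
    """True if the first server to handle the message belongs to the From provider."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    suffixes = PROVIDER_HOSTS.get(domain)
    return bool(suffixes) and first_handler(msg).endswith(suffixes)

def recipients_alphabetized(msg, minimum=3):
    """True if To holds at least `minimum` addresses in sorted order."""
    addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a]
    return len(addrs) >= minimum and addrs == sorted(addrs)

def classify(raw):
    msg = message_from_string(raw)
    inside = originated_inside_provider(msg)
    if inside and recipients_alphabetized(msg):
        return "likely compromised account"
    return "sent from provider" if inside else "likely spoofed"
```

Received lines below the first hop added by a server you control can be forged by the sender, so treat the result as a hint rather than proof.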
Most importantly, if you use one of the major email services with a Web-based client (Gmail, MobileMe, AOL, MSN, Hotmail, Yahoo Mail, etc.), change the account’s password immediately. That may not be sufficient, depending on how the accounts are being hacked, but it’s worth doing.
When you change the password, make sure it’s a strong one that includes letters, numbers, and punctuation if possible (not all sites allow punctuation). To see if a password is strong, open Apple’s Keychain Access application from your Utilities folder, choose File > New Password Item, and watch the strength indicator as you type your password. If you can’t think of a good password, click the key button to open the Password Assistant, which will create strong passwords for you. For much more information about passwords, read Joe Kissell’s “Take Control of Passwords in Mac OS X, Second Edition.”
Don’t use the same password on multiple large sites that contain personal information. If a spammer were to come by your information in a large collection of Facebook usernames and passwords, for instance, you wouldn’t want them to use that information to compromise your accounts at Gmail, Amazon.com, and Citibank. (Facebook hacking is believed to be one of the ways email account passwords were acquired.) For the ultimate in security, though it increases your reliance on a single program, try a utility like 1Password that can create individualized strong passwords for every site you access, and then enter them for you (since you’ll stand no chance of remembering any of them).
Remember that certain passwords, like those for Gmail, Twitter, and Facebook, are used by ancillary Web services like dlvr.it, Mac programs like TweetDeck, and iOS apps like Twitterrific. Once you change the main password, certain things may break until you update the password everywhere else too.
Whenever possible, and particularly when you’re accessing the Internet via a Wi-Fi hotspot or other public connection, use secure connections (or a VPN!); look for https in the address field. If you’re using Firefox, try the EFF’s new HTTPS Everywhere extension (see “HTTPS Everywhere Enables Easy Encryption,” 18 June 2010). For more details and real-world advice about securing connections, see “Take Control of Your Wi-Fi Security,” which I co-authored with Glenn Fleishman.
If your email provider allows forwarding of mail to another account, check those settings! Scan your filters as well, if they could be used to forward mail automatically too. The London scammers rely on email forwarding so they can remain undetected even if you continue to use your account. More generally, although it seems unlikely, a bad guy could use forwarding to siphon copies of all your messages to another account for scanning. In one case of a MobileMe account being hacked, the scammers were not only forwarding email from it, but had also changed the password and all the security questions.
Be careful what you put in email – random bad guys aren’t likely to do anything with information about your life, but passwords, bank account numbers, credit card numbers, and the like could be extracted automatically.
Prepare for the possibility that your account could be hacked by figuring out ahead of time who you can contact and how to respond. For instance, if you use Gmail, pre-configure a mobile phone number at which you can receive a verification text message to re-enable a temporarily disabled account (more on why that might happen shortly). And if you use MobileMe, note that although there’s no phone support, there is live chat support.
Use Apple Mail or another POP or IMAP client, if possible, to keep a local copy of all your mail. If someone can send spam from your account, they could also delete all your stored mail, though vandalism is the only reason to do that. If you’re saving a local copy via IMAP, back up that local IMAP store, since an IMAP client would likely delete its archive if all the remote messages were deleted.
Escalating Warfare and Collateral Damage — I now believe that at least Google is increasing security based on these events. Within the last two weeks, a number of people, including Tonya and me, have had their Gmail accounts disabled temporarily by Google. We were each able to reactivate our accounts by receiving a verification code on our iPhones, entering it in Gmail, and then changing the passwords.
Working on a tip from a friend who had this happen to him as well, I went back through the email I’d sent in the previous 24 hours and found one message that Google could easily have seen as spammy – it was a single line of text followed by a URL and was sent to three recipients.
I assume that Google monitors outgoing mail for spam-like behavior, so if they had ratcheted up the sensitivity on that monitoring code to detect account hacking more quickly, that could explain why my account was disabled temporarily. (I have no evidence to indicate that my account was compromised or my password stolen.)
These sorts of problems are less likely to occur with smaller ISPs and email providers that aren’t large targets like Apple, Google, Yahoo, and Microsoft. And if problems do occur, smaller companies are more likely to provide human support, which can be extremely comforting when an account has been compromised or disabled. Of course, the large email services offer many advantages too – life is full of tradeoffs.
A good deal of what I’ve said here is based on observation and conjecture, of course, but regardless, it’s a good idea to change your passwords every so often. And if you have suffered from having your account hacked and know how it happened, please share your experiences in the comments!