Change Your Passwords: Email Account Hacking on the Rise
In the past month or so, I’ve received a number of spam messages from people with whom I’ve had previous email correspondence. (I noticed these because Gmail is less likely to mark messages as spam when they come from someone with whom I’ve already exchanged email.) What’s unusual is that these spam messages were not spoofed to appear as though they came from my acquaintances; the messages actually did originate from the listed accounts and were sent to people in those accounts’ address books.
Tracing backwards through the Received headers in each of the messages reveals that this is indeed the case; messages that purport to have come from a user’s Gmail account really did originate from within Gmail. I’ve seen several of these spam messages from Gmail accounts, several from AOL accounts, and a few from an MSN account. Most of the ones I saw were simple links to pharmaceutical sites. Also common is a particular type of spam sent from a friend’s account asking for immediate financial help after a wallet theft while travelling in London – though poorly written, it’s just believable enough to fool some people.
The Received headers, along with the fact that the To lines contain alphabetized addresses that come from someone’s address book, indicate to me that the accounts in question have been hacked in some way, that the bad guys are actually logging in to the victims’ accounts and sending mail. Plus, although I haven’t received any of this sort of spam from any MobileMe or Yahoo Mail subscribers personally, I know people who have experienced their MobileMe and Yahoo accounts being hacked and used to send spam.
What You Can Do — To reduce the likelihood of this happening, or the damage if it does, here are a few suggestions.
Most importantly, if you use one of the major email services with a Web-based client (Gmail, MobileMe, AOL, MSN, Hotmail, Yahoo Mail, etc.), change the account’s password immediately. That may not be sufficient, depending on how the accounts are being hacked, but it’s worth doing.
When you change the password, make sure it’s a strong one that includes letters, numbers, and punctuation if possible (not all sites allow punctuation). To see if a password is strong, open Apple’s Keychain Access application from your Utilities folder, choose File > New Password Item, and watch the strength indicator as you type your password. If you can’t think of a good password, click the key button to open the Password Assistant, which will create strong passwords for you. For much more information about passwords, read Joe Kissell’s “Take Control of Passwords in Mac OS X, Second Edition.”
Don’t use the same password on multiple large sites that contain personal information. If a spammer were able to come by your information in a large number of Facebook usernames and passwords, for instance, you wouldn’t want them to use that information to compromise your accounts at Gmail, Amazon.com, and Citibank. (Facebook hacking is believed to be one of the ways email account passwords were acquired.) For the ultimate in security, though it increases your reliance on a single program, try a utility like 1Password that can create individualized strong passwords for every site you access, and then enter them for you (since you’ll stand no chance of remembering any of
Remember that certain passwords, like those for Gmail, Twitter, and Facebook, are used by ancillary Web services like dlvr.it, Mac programs like TweetDeck, and iOS apps like Twitterrific. Once you change the main password, certain things may break until you update the password everywhere else too.
Whenever possible, and particularly when you’re accessing the Internet via a Wi-Fi hotspot or other public connection, use secure connections (or a VPN!) if possible (look for https in the address field). If you’re using Firefox, try the EFF’s new HTTPS Everywhere extension (see “HTTPS Everywhere Enables Easy Encryption,” 18 June 2010). For more details and real-world advice about securing connections, see “Take Control of Your Wi-Fi Security,” which I co-authored with Glenn Fleishman.
If your email provider allows forwarding of mail to another account, check those settings! Scan your filters as well, if they could be used to forward mail automatically too. The London scammers rely on email forwarding so they can remain undetected even if you continue to use your account. More generally, although it seems unlikely, a bad guy could use forwarding to siphon copies of all your messages to another account for scanning. In one case of a MobileMe account being hacked, the scammers were not only forwarding email from it, but had also changed the password and all the security questions.
Be careful what you put in email – random bad guys aren’t likely to do anything with information about your life, but passwords, bank account numbers, credit card numbers, and the like could be extracted automatically.
Prepare for the possibility that your account could be hacked by figuring out ahead of time who you can contact and how to respond. For instance, if you use Gmail, pre-configure a mobile phone number at which you can receive a verification text message to re-enable a temporarily disabled account (more on why that might happen shortly). And if you use MobileMe, note that although there’s no phone support, there is live chat support.
Use Apple Mail or another POP or IMAP client, if possible, to keep a local copy of all your mail. If someone can send spam from your account, they could also delete all your stored mail, though vandalism is the only reason to do that. If you’re saving a local copy via IMAP, back up that local IMAP store, since an IMAP client would likely delete its archive if all the remote messages were deleted.
Escalating Warfare and Collateral Damage — I now believe that at least Google is increasing security based on these events. Within the last two weeks, a number of people, including Tonya and me, have had their Gmail accounts disabled temporarily by Google. We were each able to reactivate our accounts by receiving a verification code on our iPhones, entering it in Gmail, and then changing the passwords.
Working on a tip from a friend who had this happen to him as well, I went back through the email I’d sent in the previous 24 hours and found one message that Google could easily have seen as spammy – it was a single line of text followed by a URL and was sent to three recipients.
I assume that Google monitors outgoing mail for spam-like behavior, so if they had ratcheted up the sensitivity on that monitoring code to detect account hacking more quickly, that could explain why my account was disabled temporarily. (I have no evidence to indicate that my account was compromised or my password stolen.)
These sorts of problems are less likely to occur to smaller ISPs and email providers that aren’t large targets like Apple, Google, Yahoo, and Microsoft. And if problems do occur, smaller companies are more likely to provide human support, which can be extremely comforting when an account has been compromised or disabled. Of course, the large email services offer many advantages too – life is full of tradeoffs.
A good deal of what I’ve said here is based on observation and conjecture, of course, but regardless, it’s a good idea to change your passwords every so often. And if you have suffered from having your account hacked and know how it happened, please share your experiences in the comments!
It's also useful to lie in your answers to the "security questions". (You may not be able to lie to a bank's site about mother's maiden name, since the bank has that.)
Sarah Palin likely wishes she had done that on Yahoo.
I sometimes contemplate lying, but then worry about remembering my lies!
I use strong random generated passwords for security question answers when possible and store them in an encrypted password application.
The Gmail SMS reset option means that if you lose your phone you may lose control of Gmail. An iPhone, for example, will let someone know your gmail username, then all they need to do is reset the pw.
I've looked into this and while it is possible, it's not a significant source of hacked accounts. It's good to use the passcode lock on the iPhone if it's at all likely that it will be lost or stolen, and if it is lost or stolen, it would be a good idea to log into your Gmail account and change both your password and the SMS verification number.
Just ran across this story about how spammers hijacked a Gmail account, lending credence to my suggestion that you not send things like passwords in email.
very timely advice - just wish you had published this last week because my gmail was hacked to send out 'pharmaceutical spam' just a few days ago. I had to do the 'receive code via sms' to unlock my account - now I am changing all my passwords on external sites to "strong". a lot of bank sites have "double" authentication so it is much harder to get hacked (thank goodness for that!), but one needs to be careful and have "strong" passwords anyway.
See also my TidBITS article on Clipperz. All my passwords are different for every site, they are all randomly generated, and I don't know any of them. What I know is my Clipperz passphrase, which is long and unguessable. This approach is more work, but it's worth it.
I had my Gmail account hacked a few weeks ago and all my contacts received the London scam email. It took me a week to convince Google it was my account. I at least had fun with the hacker. My experience and thoughts are here: http://mygoogleaccountwashacked.blogspot.com
Holy cow, that's some story.
I'm feeling better about having all my mail forwarded to Google from an account on a machine I control. That way, should worst come to worst, I'd just turn off the forwarding and pick up mail locally.
The longevity of the Spanish Prisoner scam is amazing. (Currently the no money in London variant.)
It goes back to the 1600s (although Wikipedia currently only claims 1800s).
it may not require "hacking into" the user's Gmail account to send messages like this -- it's possible there's a cross-site scripting, cross-tab scripting, or clickjacking type vulnerability that is causing this; if so, it won't be thwarted by changing passwords
Possible, but unlikely, since the same spam is being sent from multiple email services.
Here's another story about an encounter with "The Predicament". The hacker gets around.
I"ve talked to four people whose Yahoo and AOL accounts were broken into in the past two weeks to see if they had something in common. Most never joined a public wireless network and all had strong passwords already. I couldn't find any pattern in their use of Internet access.
My hypothesis is that they registered at some sleazy site and used the same username and password as their email account. The site owner could then capture their credentials and hack into their accounts.
The Facebook hypothesis, as Adam mentions, seems like another likely source of passwords. I'll find out if the four folks use the same passwords as their email accounts.
FYI one of the Yahoo spam messages I received originated in Brazil while another came from the US.
The magic word I've been hearing is "aggregation." That is, there are bad guys who collect usernames and passwords, and then sell them to others. So a aggregator may use a variety of techniques to assemble a master database to resell, making it hard to identify any one approach.
A new twist on the London Scam.
The scam artist not only used this man's password but used information included in his automatic signature to try to fool people. Also this message only implies the need for help and does not ask for money directly. Here is the message with the names changed. My gmail was also hacked 9 days ago with the drugstore
Subject: My Predicament!!!
I'm writing this with tears in my eyes, Sue and I came down here to London,England from Germany for a short vacation, unfortunately we were mugged at the park of the hotel where we stayed all cash,credit card and cell were stolen off us but luckily for us we still have our passports with us.
We've been to the embassy and the Police here but they're not helping issues at all and our flight leaves in less than 7hrs from now but we're having problems settling the hotel bills and the hotel manager won't let us leave until we settle the bills.
Am freaked out at the moment.
Jo & Sue Smith
------ Missionaries to Germany
I had my gmail account hacked into last week just like Adam described. There was one attempt to send some pharmaceutical spam and it was stopped by google and then they closed my account down. I don't have a facebook account and I actually rarely use my gmail account. The fact that this has happened to so many people at once makes me wonder if there was systematic hacking of google that they haven't told us about.
It's definitely not just Google, but it interesting that your account is little used. Did it - at the time - use the same password as another site that could have been hacked as well?
I had my gmail account disabled temporarily last week. I had a friend staying with me who accessed her gmail account from my computer using Safari and when she was finished she signed out.
I logged into my gmail account again and found it was disabled. I verified with a code creating a new password.
I thought it had something to do with that. Hmmm.