Things you don't care about
This week my girlfriend's Hotmail account was compromised and everyone on her contact list was sent a spam email. Naturally, this is a very upsetting and embarrassing experience. Every contact - friends, relatives, past employers and ex-boyfriends - G had emailed in the last however many years received an email, purportedly from her, about some foreign trading online company.
Despite my assurances that no one should ever trust what appears in the "From" line, and that billions of these sorts of emails are sent every day, there are still plenty of her contacts on the receiving end that do not have spam filters finely tuned to a several hundred per day email influx. This is evidenced by the numerous replies she received, which, despite intentions, no doubt compounded the embarrassment.
The challenge I see is how best we very computer-literate folk can broach the subject of computer security to those we care about, without alienating them. I remember when G first sent me an email from her Hotmail account to my work address recently. I sighed because I knew I was going to start getting spam to an account where I can't control the filtering, but certainly wasn't about to blame her for doing so. The only thing worse than being criticised for doing something you thought was a nice gesture would be not understanding why it's a problem in the first place. And prior to this event it would have been very hard for her to see that there's a problem at all.
In the short term, G has changed her account password, made sure her vacation message (aka autoresponder) is disabled, and I convinced her to empty her online contact book. From my reading, there's little she could have done to prevent this particular attack, which is a hopeless feeling. The advice I would like to give is that if you absolutely must use Hotmail (and I'd suggest that setting up a forwarding address would negate most reasons to keep a Hotmail address) that you only use the web interface to check emails that haven't been downloaded and other odd jobs. Everything else should be done through a home computer email client where you can control the security. Even in light of this incident, how do you convince someone that what they've always done, what is so easy and what "everyone else" does, is not a good idea? Worse, how do you phrase it in a way that won't seem like complicated, insurmountable trouble? "Email" to the vast majority of the Internet world is a website, and an "email client" is exclusive jargon.
For the record it appears Gmail is also not immune. Both Gmail and Hotmail push their products as complete online email solutions - indeed, they try to make them look and act like email clients! With that sort of promotion it is no wonder that people are prepared to turn their email over to them. But without requiring every user to spend the considerable time to understand the security implications of using email over the web, is this really a good idea?
Finally, here is a summary of the technical details of the attack, as far as I can gather. Note this is definitely not a CAPTCHA defeat or a "From" address spoof. The emails were sent from her account.
- The email subject was "Hey friend,"
- The email body was:
Hey friend, How are you doing recently? I'd like to introduce you a very good foreign trading online company and the website is www.ele-y100w.com It can offer you so many kinds of electronic products which you may be in need,such as laptops, gps, TV, cell phones, ps, MP3/4, motorcycles even several kinds of musical instruments and etc.. You can take some time to have a check ,there must be something you are interested in and you 'd like to purchase . The contacts: MSN: firstname.lastname@example.org Email: email@example.com Hoping you can enjoy your shopping from that company ! Regards
- Variations of this email have been used, with only the web addresses changed.
- Gmail and Hotmail have both been affected. The Gmail attacks appear to also set the vacation message to the same content.
- Several people claiming to be very computer savvy have been affected.
- Several people claiming very strong passwords have been affected.
- A few people have claimed that they run Linux or a Mac and only access Hotmail from those computers.
- Oldest report found is June 2008, latest is November 2008.
- The attack vector is undetermined.
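Since the variations reportedly differ only in the web address, one way to check a sent folder or a vacation message for this template is to mask the variable parts before comparing. This is an added example, not part of the original post; the labels, the `.example` domains and the choice to also mask email addresses are assumptions.

```python
import re

# One mask for everything that can differ between runs. The page reports that
# only the web addresses changed; masking e-mail addresses too is an assumption.
VARIABLE = re.compile(r"\S+@\S+|(?:https?://|www\.)\S+", re.IGNORECASE)

def normalize(text):
    """Mask URLs and addresses, then reduce the text to lowercase words."""
    masked = VARIABLE.sub(" MASK ", text)
    return " ".join(re.findall(r"[a-z0-9]+", masked.lower()))

# Opening of the message body quoted above; {url} marks the part that varied.
BODY = ("Hey friend, How are you doing recently? I'd like to introduce you a "
        "very good foreign trading online company and the website is {url} It "
        "can offer you so many kinds of electronic products")
TEMPLATE = normalize(BODY.format(url="www.placeholder.example"))

def matches_template(text):
    """True if the text contains the template, whatever URL it carries."""
    return f" {TEMPLATE} " in f" {normalize(text)} "

def scan(items):
    """items: iterable of (label, text). Returns the labels that match."""
    return [label for label, text in items if matches_template(text)]

# Constructed sample data (hypothetical labels and .example domains).
SAMPLE = [
    ("sent/1", BODY.format(url="www.shop-one.example") + " which you may need"),
    ("sent/2", BODY.format(url="http://shop-two.example/").replace(", ", ",\n")),
    ("sent/3", "Hi Mum, how are you doing? See you on Sunday."),
    ("vacation-message", BODY.format(url="WWW.SHOP-THREE.EXAMPLE").upper()),
]

if __name__ == "__main__":
    for label in scan(SAMPLE):
        print("matches spam template:", label)
```

The same `matches_template` check applies to the autoresponder text, which matters for the Gmail reports where the vacation message was set to the same content.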