I was recently asked to investigate a computer that was sending out spam email. This is a common problem and is usually a trojan infection. In this case there was no infection! In fact, everything looked normal so this became a challenge. How did the attacker gain control of this computer without a backdoor? A firewall, antivirus, up-to-date patches and full security protected the computer. I started to investigate the email system, which is Yahoo. I checked the web browser and there was nothing wrong. The password on the email account was random words and numbers and would not be guessed.
Finally, I logged on to the Yahoo Email service and investigated the settings. Eureka! The setting had a referral email address for a smart phone! I knew this was fake. After investigation it was clear that the smart phone address was set to another email address on Yahoo. This address was very similar to the real email address with only one character out of place. When I investigated where this account was sending messages from it showed countries all over the world. Clearly it was just an attempt at stealth. I deleted the settings, changed the account password and reported the fraud. The problem went away and has not returned.
I believe it was a drive-by attack from a hacked website. My guess is all the major email services have similar attacks. If you find that your friends are reporting spam from your email address and you have already checked everything else then check the settings on your account and change the password. What made this attack so clever is that there was nothing on the computer for a virus scanner to detect! Thankfully, it is easy to get rid of.
The next attack was a phishing attack that I received that appeared to be from American Express. It stated that the email address on my account was changed. This might panic people into clicking on the link provided. Their words were, “If the new e-mail address is not correct or you did not request this change, please click here.” If you hover your cursor over the link you find it is a website in Jakarta, Indonesia. Another link in the email went to Uzbekistan. You cannot trust the “from” address in the email since that can be made to appear as if it is from anyone. If you clicked on the link, you got infected.
Your best method of detecting these types of attacks is to use the hovering cursor to see the actual link. If you still think the message is real, then call on the phone or enter the company’s website address by hand. If you don’t know the real website address, use a search engine. In this case I would go to www.americanexpress.com.
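Both checks described above, the one-character-off forwarding address and the link whose real target does not match the company it claims to be from, can be automated. The following is an added example, not code from the author or CyberSoft; the email HTML, the mailbox addresses and the placeholder domain login-update.example.id are constructed for the demonstration, and the set of trusted domains is an assumption you would fill in per sender.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the phishing text quoted in the article, with a made-up
# placeholder target standing in for the real (unnamed) Jakarta site.
SAMPLE_EMAIL = (
    '<p>If the new e-mail address is not correct or you did not request this '
    'change, please <a href="http://login-update.example.id/amex">click here</a>.</p>'
    '<p><a href="https://www.americanexpress.com/">American Express</a></p>'
)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, trusted_domains):
    """Return (visible text, real host) for links whose real target, the one a
    hovering cursor reveals, is outside the sender's trusted domains."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            flagged.append((text, host))
    return flagged

def is_lookalike(candidate, real):
    """True when candidate differs from real by exactly one character
    (one substituted, one inserted or one dropped), as in the Yahoo case."""
    a, b = candidate.lower(), real.lower()
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def audit_forwarding(real_address, forwarding_addresses):
    """Flag forwarding/'referral' addresses that are a one-character variation
    of the mailbox owner's own address."""
    return [f for f in forwarding_addresses if is_lookalike(f, real_address)]
```

Run `audit_forwarding` against every forwarding address exported from the account settings, and `suspicious_links` against the raw HTML of any message that asks you to "click here".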
Peter Radatti is the CEO of the CyberSoft Operating Corporation and has been dealing with computer security for governments for over 24 years. Contact him at www.cybersoft.com.