
Hijacked Address Book: How did it happen and what to do?

Most of us have seen those spoof e-mails, when a personal e-mail address has been commandeered for the purpose of sending spam, but in this case, to everyone in your address book.


I received an e-mail from a good friend the other day, and it seemed entirely out of character for her. Red flags immediately popped up, and I knew that her e-mail Address Book had been compromised. Here is the text of that e-mail (exactly as it appeared):

Best goods and best service!

i would like to introduce a good company who trades mainly in electornic products.

Now the company is under sales promotion,all the products are sold nearly at its cost.

They provide the best service to customers,they provide you with original products of

good quality,and what is more,the price is a surprising happiness to you!

It is realy a good chance for shopping.just grasp the opportunity,Now or never!

The web address **********

(I removed the Web address to which it referred.)

I noticed that this e-mail had not only been sent to me but apparently to everyone in her Address Book, many names being familiar to me. A phone call to her confirmed my suspicion that she did not actually send the e-mail herself, but rather some cyber-ne'er-do-well had hijacked her Address Book. Of course, her first question was, "How could this happen, and what can I do?"

Here are a few ways it could have happened:

1. Malware of some sort found its way onto your computer, and its sole purpose is to harvest e-mail addresses, which are then sent along to someone else for the purpose of sending spam e-mails.

2. Someone who has your e-mail address in their Address Book actually has the malware on their computer.

3. Some Web sites actually harvest e-mail addresses from a computer, especially those that presume to share things with others or invite friends, and so on; or perhaps people who are members of those sites have ways to harvest e-mail addresses from their friends. While doing some research for this problem, I ran across a guy who claimed that this very thing had happened to him when he joined StumbleUpon, and another who claimed her Address Book was hijacked through Facebook, and yet another who had joined Fanbox.
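Telling these cases apart starts with the message itself. If the friend's account was actually used, her mail will have passed through her own provider; if her address was only harvested, the spammer usually writes it into the From line while the message is really handed off elsewhere, and the receiving server's headers show the seam. The following is an added example, not code from the original post: it reads the delivery headers of a raw message and reports the red flags a recipient can check. Every header, domain and IP in it is constructed, and the five-recipient threshold is an assumption.

```python
"""Triage an "out of character" e-mail from a friend: did it actually pass
through the friend's mail provider, or was her address merely written into
the From line by whoever harvested it?

Added example, not from the original post.  Every header below is constructed;
the domains, IPs and MASS_MAIL_THRESHOLD are illustrative assumptions.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: five or more visible recipients is treated as a mass mailing.
MASS_MAIL_THRESHOLD = 5

# Constructed: the spam from the post, with headers a receiving server might add.
SUSPECT = """\
Return-Path: <bounce-4711@example-bulk-sender.invalid>
Received: from mta7.example-bulk-sender.invalid (mta7.example-bulk-sender.invalid [203.0.113.9])
        by mx.recipient-provider.invalid with ESMTP id abc123
Authentication-Results: mx.recipient-provider.invalid;
        spf=fail smtp.mailfrom=example-bulk-sender.invalid;
        dkim=none
From: Friend Name <friend@friendmail.invalid>
To: alice@example.invalid, bob@example.invalid, carol@example.invalid, dave@example.invalid, erin@example.invalid
Subject: Best goods and best service!
Content-Type: text/plain

i would like to introduce a good company who trades mainly in electornic products.
"""

# Constructed: a genuine message from the same friend, for contrast.
GENUINE = """\
Return-Path: <friend@friendmail.invalid>
Received: from smtp-out.friendmail.invalid (smtp-out.friendmail.invalid [198.51.100.7])
        by mx.recipient-provider.invalid with ESMTP id def456
Authentication-Results: mx.recipient-provider.invalid;
        spf=pass smtp.mailfrom=friendmail.invalid;
        dkim=pass header.d=friendmail.invalid
From: Friend Name <friend@friendmail.invalid>
To: Joe <joe@example.invalid>
Subject: Lunch on Friday?
Content-Type: text/plain

Still on for Friday?
"""


def domain_of(header_value):
    """Lower-cased domain part of the first address in a header, or ''."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf= and dkim= verdicts from any Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def triage(raw_message):
    """Return the list of red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []

    # 1. The bounce address (envelope sender) should belong to the same
    #    provider as the friendly From address; spam engines rarely bother.
    from_domain = domain_of(msg.get("From", ""))
    bounce_domain = domain_of(msg.get("Return-Path", ""))
    if bounce_domain and bounce_domain != from_domain:
        flags.append("return-path-domain-mismatch")

    # 2. The receiving server's own SPF/DKIM verdicts.
    verdicts = auth_results(msg)
    if verdicts.get("spf") in ("fail", "softfail"):
        flags.append("spf-" + verdicts["spf"])
    if verdicts.get("dkim") != "pass":
        flags.append("no-valid-dkim")

    # 3. A long visible recipient list is the hallmark of a harvested address book.
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) >= MASS_MAIL_THRESHOLD:
        flags.append("mass-mailing")
    return flags


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("genuine", GENUINE)):
        print(label, triage(raw) or ["no red flags"])
```

A message that fails SPF, carries no DKIM signature and bounces to a different domain than its From address was not sent by the friend's provider, which points at a harvested address rather than a stolen account; a mass-mailing that passes both checks points the other way, and the password advice later on the page applies.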

What to do:

1. Scan your system for malware. I discussed spyware removal tools in a different blog piece, which can be found here. Two tools I might recommend are Malwarebytes and HijackThis. And since some malware might resurrect itself through a Registry entry, perhaps running CCleaner would be prudent as well. However, consider the risks of running a Registry cleaner. I wrote about that in another blog piece, which can be found here.

2. Make sure your antivirus software is installed and is up to date with the current virus definitions.

3. Make sure your Windows OS is current with all security updates.

4. Be careful of (or avoid) some (or all) of those social Web sites, especially ones that share e-mail addresses. I won't presume to know all the good ones from the bad ones, but I avoid all such sites. I might be one of the few people without a Facebook or MySpace account, but I simply resist joining any of those types of sites.

5. If your computer is clean, and you're certain you weren't compromised at a social networking site, send an e-mail to all the people in your Address Book to give them a heads-up that someone in your e-mail circle might be compromised. I would suggest sending them one at a time or with a blind carbon copy (Bcc), however, since I advise people to never send mass e-mails -- although we probably all do it from time to time in certain cases.

I'll be going on a free house call tomorrow to give my friend's computer a checkup. She's pretty certain that her computer is clean, and she's a pretty savvy user, but having a second set of eyes look for some things would be a good idea.

How about you? What are your experiences with hijacked Address Books? And please add to my lists of how this could happen and what to do if you have more suggestions.

24 comments
SteveOfLA

I ran into the situation where an email came from my stepmom with a link in it. I opened the link, saw that it was a "Make $7000 a month at home" site, and closed the link. A day later, I noticed that I had 46 e-mails sitting in my draft folder (I use Ymail). When I looked at them, they were just like the e-mail that I got. My suspicion is that because I had my Yahoo account open in another tab, the website was able to run a JavaScript that went to that tab and started generating e-mails. Does anyone have more info on how this works and if there is a good anti-virus that could stop that?

suetoo

My address book was hijacked by LinkedIn, which sent everyone in it an invitation to join, including my boss and an invitation to see that I was looking for another job. Not cool. It comes out that there is a place in Yahoo mail, under "Apps", that you have to uncheck to allow your address book to be blocked. The default is for Yahoo to hand out information about you like a drunk at the stripper bar. Once you have the information available for "Apps", other programs and malware are able to access it. What you will find out about the hijacking of your friend's address book is that there is no malware on her computer to remove. Those spoof phishing emails are not coming from her own computer, but rather from somewhere in Nigeria and are only signed with her address. This program gets into your machine, gleans the information it wants real quickly and then erases itself.

noneofyourbusinesses

Well, what happens to most people is that their Anti Virus is not up to date or it does not scan for malware. You can get this malware simply by receiving an email from a friend with a link to click on. Once you click on the link, if YOUR Anti Virus and Anti Malware are not up to date then you have just been harvested and then everyone in your email address book will be targeted. That is the most common way you get this problem: by clicking on links and not having good Anti Virus protection with Anti Malware.

jim

Exact same email was sent from my Hotmail account yesterday, only used when registering on websites/forums so only a handful of contacts. I emailed the Windows Live Abuse group but haven't heard back.

Geraint_UK

Where a site uses your e-mail address as a login, avoid the temptation to use the same password that you use to login to your e-mail. First thing to do is change your e-mail login password.

vivier

There is a rather tricky way to anticipate the hijacking virus from using your mail address book. Just add a dummy contact named AAAAA with address aaaaa.aaaaa@aaaaa, which will take the first position in the list. This won't kill the virus but has the following advantage: as the dummy mail address is totally wrong, if you receive an error message of undelivered mail to aaaaa.aaaaa@aaaaa you can be sure that the virus is on your computer. Due to the sending error the virus process stops working and the infection can't reach another address. Then you have to find the right tool to get rid of this virus.

JCitizen

Most of the email contacts I frequent are all practicing deleting all previous addresses when forwarding, and using Bcc: for each addressee. That way if it ever gets on a compromised PC at least the damage is minimal. If we all did this it would clean up some of the bandwidth too.

waynepd

Yes, I had this about 2 years ago, but it was my online Yahoo Mail Address Book which was compromised, so it was an easy fix. I just emptied it out and no more bogus mails from me now. I didn't use it as a rule anyway and there were only about 10 names in it. They were specific to that address book, which is how I picked it as the source of the problem. Told Yahoo about the problem and they thanked me, and that was the last I thought about it until this post.

bhaven23

This happened to me. Occurred so fast I couldn't stop it. No idea where it came from; but the system has been cleaned. I do not use Outlook. The addresses in ALL my email accounts were sent and that's what I can't figure out. Hotmail, Yahoo, and email.com........ There are only a few duplicates among them. Amputate the fingers of the perps!

gep2

One CRITICAL, BASIC RULE is to NEVER EVER give your E-mail passwords to ANYBODY AT ALL other than when you are PERSONALLY logging in to your e-mail, and where YOU have entered the URL into your web browser (i.e. not following a link from somewhere). NEVER give your credentials to ANY third party, especially including things like GroupsAccess, Grouply, FanBox, FanIQ, or any other such outfit. Grouply, in particular, uses YOUR credentials to send out THEIR spam...! Meaning that now YOUR e-mail account gets the spam complaints, and YOUR e-mail account gets blocked...! The other way that this stuff gets out is if your computer is infected by malware/spyware which is capturing your keystrokes, and that's nasty on so many levels that hopefully the danger is obvious.

fewiii

1. Change your passwords frequently (no less than once a month).
2. Create a webmail account just as a "dumping" ground (and to use on social networking sites, sites like this, etc.) and don't put business or personal contacts in its address book.
3. Follow all malware protection procedures.

plepkowski

I don't use the address book on Yahoo's mainframe or in my own copies of Outlook or Outlook Express. I dislike having any of my data kept in some proprietary format where I can't modify it however I want to. You can keep all your addresses in Excel, Access, Word, or Open Office format, or in an encrypted text file. When you want to send an email you just copy out of your storage file and paste into the address. You can store any of these files anyplace you want ... an obscure folder on any hard disk, a removable drive, or even on an optical disk. Malware looks for the address book in the default location where Outlook (or Outlook Express) normally stores it. Storing it somewhere else will stop most Malware dead in its tracks. You can even build a standard Outlook Address Book consisting of nothing but junk addresses that don't work. If everyone did this then the Malware servers would spend all their time sending their junk email to undeliverable addresses.

waltjohnson35

I don't know how it happened but my wife's addresses (on her own computer) were hijacked. I realized when I got a message 'from her' that I knew she had not sent. I sent a "Reply All" warning those that were on the list I got and she sent a warning to everyone in her address book who was not on my list. As an additional precaution she also immediately changed her password.

kafrisbee

I had my email address and address book hijacked from the Yahoo site directly. I had not used the address in several years, and it was not accessible via a POP connection on my desktop. I cancelled the email address and hope this is the last of it.

gandhawk

Last week my Gmail address book was hijacked. They did not change my Gmail password. I changed my Gmail password and every other one after I cleaned my computer.

waynepd

CHAIN MAILS.......Another very obvious source of email address harvesting. Anyone who sends me one of these mails is told in no uncertain terms that they should resist the urge to improve my life with these useless posts....

chickenlegs

Create an email address in your address book like this: aaaaa@aaa.aaa. When you get infected it goes to your address book and starts at the first in alphabetical order, and since your 1st is bogus it stops there.

brent.russell

I don't run a mail client at home at all but use my ISP's WebMail client. So there are no addresses at home to harvest. Also if my PC does go belly up then I don't lose the address book. The only way I got spammed is when a friend's address list on HIS computer got harvested. I use a few permanent Gmail addresses with forwarding for some replies and create temporary ones if I am really suspicious. Gmail is also handy for long term storage of addresses, emails and even files in accounts that I don't use for anything else. I NEVER give out email address passwords for anything, even from temp accounts. So far in about 5 years I have been pretty untouched.

williamjones

Hey Joe, A while back I blogged about a similar experience where I got some chat spam from a friend. She had fallen prey to a social engineering attack directing her to access a supposed video site called Viddyho. That site asked for a chat or email account password, and promised access to a web video in return. Instead, the site harvested email addresses and chat IDs using the APIs of those web apps. No malware had to be directly installed on her machine for this to work. My friend was exposed to the Viddyho site via Google Chat, which is accessed through Gmail. In her case, it wasn't just an AIM, ICQ, or Yahoo IM password that the site was able to get from her, it was the password to her email account. If there's any way an individual's email account could have been exposed to a malicious party, the login credentials should be changed *immediately*. Lots of systems use email accounts as secondary verification -- like when sending out password reminders. If a malicious party gains access to one's email password, he can wreak a lot of havoc. I also feel like you do, that some social networking sites ask for more liberties than people should be comfortable giving. It's very common for these networking sites to employ invitation tools that ask a registrant for their email password in order to send invitations to all the folks in their address book. People turn over this info without really considering that they are trusting strangers with some deeply personal material. People should remember that complacency makes them vulnerable. Nice post.

jemorris

About 7 - 8+ yrs ago that would have worked on the viruses of that time. Most viruses now go for forwards (FWD & FW) in your "sent" messages, Inbox and Deleted items folders. The malware can harvest more addresses from one or two emails than the average user has in their address book. Also the current generation of malware doesn't use your email account to send the infected email out; many set up an outgoing-only mail server on the infected computer, so unless you're monitoring your network traffic all you notice is your internet speed is greatly reduced and your computer being sluggish. One of the types of malware/tricks being discussed here is more akin to a social engineering gimmick to gain access to an IM or social site account to send emails supposedly on your behalf advertising some service or product and encouraging you to supposedly "join" the site to get all the benefits of said product. The ones I've actually seen, not just read about, purport to be a helper to your Yahoo or Gmail services and will greatly enhance (cough.. cough) your current Yahoo/Gmail experience. You know, if these folks that come up with this crap would expend the same amount of energy in more beneficial pursuits I think this world would have a lot fewer problems...

DanCh

Once your address book has been stolen, it will just spam all your contacts, regardless of whether or not they work. The only way it could ever know whether an address was dead or bogus would be to wait for a "Bounce" message from that address. Is a spam engine really going to sit there and wait?

apritcha1

Since the first email address is bogus, the email server will bounce a message back to you saying it was undeliverable and you'll know right away that your address book has been compromised. If the worm decides to ignore the undeliverable mail and continue on, then at least you know it happened.
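vivier, chickenlegs and apritcha1 describe the same tripwire: a deliberately invalid first contact whose bounce tells the owner that something has been sending mail in her name. As DanCh and jemorris point out, a spam engine has no reason to stop at the bounce, so the value of the trick is in the detection, not in prevention. The following is an added example, not code from any of the commenters, of the check that turns the bounce into an alert: it scans a mailbox for delivery status notifications that name the canary address. The canary, the mail-server names and all three messages are constructed for illustration.

```python
"""Tripwire check for the "dummy first contact" trick: scan a mailbox for
bounce messages (delivery status notifications) that name the canary address.

Added example, not code from any commenter.  CANARY, the mail-server names and
every message in MAILBOX are constructed for illustration.
"""
from email import message_from_string

# Constructed canary contact, in the spirit of the aaaaa.aaaaa@aaaaa suggestion.
CANARY = "aaaaa.aaaaa@aaaaa.invalid"

# Constructed: an ordinary message, which must not trigger anything.
NORMAL = """\
From: Friend Name <friend@friendmail.invalid>
To: joe@example.invalid
Subject: Lunch on Friday?
Content-Type: text/plain

Still on for Friday?
"""

# Constructed: a bounce for an address the owner mistyped herself (noise).
BOUNCE_TYPO = """\
From: Mail Delivery System <MAILER-DAEMON@mx.friendmail.invalid>
To: friend@friendmail.invalid
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The following address was rejected: bob@exmaple.invalid

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.friendmail.invalid

Final-Recipient: rfc822; bob@exmaple.invalid
Action: failed
Status: 5.1.2

--B1--
"""

# Constructed: the bounce the canary produces when something mails it in the
# owner's name; this is the signal we are looking for.
BOUNCE_CANARY = BOUNCE_TYPO.replace("bob@exmaple.invalid", CANARY).replace(
    "Delivery Status Notification (Failure)", "Undelivered Mail Returned to Sender")

MAILBOX = [NORMAL, BOUNCE_TYPO, BOUNCE_CANARY]


def is_bounce(msg):
    """True for an RFC 3464 delivery status notification; falls back on the
    conventional MAILER-DAEMON sender for providers that send plain-text bounces."""
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"):
        return True
    return "mailer-daemon" in msg.get("From", "").lower()


def mentions_canary(msg, canary=CANARY):
    """True if the bounce's machine-readable recipient fields, or failing that
    its human-readable text, name the canary address."""
    canary = canary.lower()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Python's parser represents each per-recipient block of the
            # delivery-status part as a header-only sub-message.
            payload = part.get_payload()
            for block in (payload if isinstance(payload, list) else []):
                for field in ("Final-Recipient", "Original-Recipient"):
                    if canary in (block.get(field) or "").lower():
                        return True
        elif ctype == "text/plain":
            text = part.get_payload(decode=True) or b""
            if canary in text.decode("utf-8", "replace").lower():
                return True
    return False


def canary_alerts(raw_messages, canary=CANARY):
    """Subjects of the bounces in raw_messages that name the canary."""
    alerts = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if is_bounce(msg) and mentions_canary(msg, canary):
            alerts.append(msg.get("Subject", "(no subject)"))
    return alerts


if __name__ == "__main__":
    hits = canary_alerts(MAILBOX)
    print("canary tripped:" if hits else "no canary bounces", hits)
```

The check only fires on bounces, so an ordinary bounce for a mistyped address is ignored; and because it matches on the canary rather than on any wording of the bounce, it works whether the provider returns a structured delivery-status report or a plain-text notice. A hit means the owner's address was used as the sender of a mass mailing, which is the cue to follow the password and malware-scan advice above; the absence of a hit proves nothing, since (as jemorris notes) a mailer that sends from its own server may never deliver the bounce to her at all.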

Joe_R

Thanks for adding that, William. Good information.
