divalas.vegas

[annie]

I'm sending this item to several lists which I administer or moderate. In particular, this issue has affected the Pinkfest, RCGA, and DLVDISC lists over the past few days.

What I'm reporting is current and ongoing, and not a general admonition or "forward me" recycled netlore.

This mainly affects users of the "Big Three" e-mail providers (Yahoo, Gmail, Hotmail/MSN/Live) but it's been known to affect users of other systems as well.

What we've been seeing over the past several days is a pattern of spam and links to ratware being sent out in the name of list members. Inspection of the message headers reveals that these are not simple cases of From: address spoofing, but are messages originating from the actual users' accounts. These are being sent to addresses which appear in the users' contact lists.

Not only is this sending out junk in the name of innocent users, IT IS REVEALING THE CONTENTS OF ADDRESS BOOKS AND CONTACT LISTS! (E-mail addresses of such things as banks and therapists have appeared in recent samples.)

Please, everyone, take this opportunity to be sure your personal PC is secure.

If you're not running anti-virus/anti-malware software, here are links to two products which are free for noncommercial personal use:

http://free.avg.com/ww-en/free-antivirus-download
http://www.emsisoft.de/en/software/download/

Another free product which is useful and goes beyond the above two is Spybot Search And Destroy:

http://www.safer-networking.org/en/download/

In the event you believe that your Hotmail/Gmail/Yahoo account has been compromised, the following procedure will usually be effective in cleaning things up:

1. From a KNOWN CLEAN COMPUTER (NOT the one you usually use to access the account), change the password on your account. No, it is usually unnecessary to abandon an account and start another one.

2. BEFORE you access the account from the computers you usually use, perform virus/malware/spybot scans and correct any issues which you discover.

If you're not technically-savvy and need help, ask assistance from someone who is, or utilize a service agency such as Geek Squad.

And please, don't shoot the messenger! If someone reports garbage coming from your account, please don't get upset. Take it seriously and take steps to correct it. Let's all do what we can to help keep the net clean!

[bobbiemlv]

I have AVG and keep McAfee(not nearly as good)and not enabled at he same time, as a back-up.

[External Poster]

This posting is from: Mike Costello
----------

I was hacked and I don't trust anybody now?

----------
(This posting was entered by Mike Costello, an external user of MyDLV.)

[annie]

> I was hacked and I don't trust anybody now?

Mardi, if you don't mind, let's use your case as an example to show what most likely happened, why, and what everyone can do to prevent being a victim of scams such as this.

What happened to you was a classic case of a common e-mail scam. People in your contact list received an urgent note stating that you were abroad, in an emergency situation, and needed scads of cash wired to you immediately.

+I just arrived Cyprus and I am in a fix. Can I get a loan of $3000 or whatever
+amount if not all. You will have it as soon as I get back home. It is really urgent,
+get back to me as soon as you can. Please keep this between us. Thanks

I would hope that anyone receiving such a note would immediately recognize it as a scam, but there are reports that people fall for this kind of appeal regularly.

This did (appear to) come from you, under your name, from your established e-mail address. Inspection of the headers of the message (those "gobbledygook" lines) shows that this did indeed originate from your account and was not a simple case of From: address spoofing.

+Received: from snt0-omc1-s8.snt0.hotmail.com (snt0-omc1-s8.snt0.hotmail.com
+[65.55.90.19]) by ivgate.omahug.org (8.12.9/8.12.9) with ESMTP id p8DCpsCB084041;
+Tue, 13 Sep 2011 07:51:54 -0500 (CDT)

This line shows that the message was received by our mail receiver from a valid Hotmail server. (It will be an exercise for the student to show why this particular line can be assumed to be accurate and not forged or spoofed.)

This indicates that yes, your e-mail account was most likely compromised, or "hacked" as you put it.

Diving deeper into the header of the message reveals this line:

+X-Originating-IP: [41.58.79.32]

A line similar to this is included by most e-mail providers in order to troubleshoot issues and trace origin in the event of fraud or abuse. This shows the IP address (network address) of the computer on which the message originated. (Again, it will be an exercise for the student to show why this line can be assumed to be accurate and not forged or spoofed.)

Checking internet registries, we find that this IP address (41.58.79.32) is assigned to a service provider in Africa, not in Cyprus, which would be either a Greek or Turkish IP assignment. It's most likely that the computer at this address is a compromised PC, owned by an innocent victim, used as a "jump box" to further hide the actual identity and actual location of the perp.

This answers the "what happened" aspect, now let's look at the "why" part of the situation.

As you say, you were "hacked", meaning that your username and password were obtained by a scammer.

This may have been done any of several ways. You may have been tricked into revealing your password by a spoofed message or spoofed Hotmail/MSN/Live sign-on screen. Your computer may have been infected with a keystroke logger which sent your username and password to the perp. It's unlikely, but it could have even been a brute-force password-guessing effort by the perp. You could have even used another compromised machine to log in to check your e-mail at one time. There are countless other methods by which a scammer can obtain your login credentials, and user account names and passwords are known to be traded amongst the scam artists.

How do we prevent things like this from occurring?

There's no one-size-fits-all solution. The best advice is to be streetwise on the information superhighway and be careful what you do on line. Be sure that when you input your username and password, it's to your provider's legitimate screen and not a spoofed copy. (Hint: Do NOT follow a link in e-mail or on a web site which requires you to log in to Yahoo/Hotmail/Gmail/etc.) Don't use easily-guessed passwords. Use the tools mentioned previously to keep your computer clean of ratware. Be VERY careful when you are prompted to give permission to allow something or install something on your PC. Often overlooked: When you sign in to your provider, does that key or padlock appear locked or unbroken? Above all, be observant and take particular care when something just doesn't look right.

[External Poster]

This posting is from: Rosaliy
----------

I received one such email in my suspect mail folder at my isp. A lot of
people I know have been hit in the last few months and I keep getting
various messages all with links in them, though the one from you did not
have a link. Most of these take you to a bogus canadian pharmacy site
and are clearly frauds designed to steal your information first and
your money if you fall into the trap.

A suggestion. Use an offline email client to secure your address book
and contact information. I have used Eudora for years but have not
upgraded to the newer slimmer version. Thunderbird from Mozilla.org
might be a good way to go AND it has an advantage that it is free and
works very much like Microsoft Outlook. I already have it on my
laptop computer and so far it seems to be doing well.

Why the offline client? Most of you are using your ISP as your total
email service AND these fools will steal your contact list and then
delete it so YOU lose it. An offline client will secure list so you
can't lose it.

btw here is a cut and paste from the mail I got: I am including it
in case it helps you in any way.

Rosaliy

X-Authentication-Warning: ivgate.omahug.org: majordomo set sender to
owner-dlvdisc@geekbabe.com using -f
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on
ivgate.omahug.org
X-Spam-Level: ****
X-Spam-Status: No, score=4.6 required=5.0 tests=BAYES_00,HEADER_SPAM,
MISSING_HEADERS,MISSING_SUBJECT,TO_CC_NONE autolearn=no version=3.1.5
Received: from ivgate.omahug.org (localhost [127.0.0.1]) by
ivgate.omahug.org (8.12.9/8.12.9) with ESMTP id p9AGB0CB042928 for
<dlvdisc@geekbabe.com>; Mon, 10 Oct 2011 11:11:01 -0500 (CDT)
Received: (from annie@localhost) by ivgate.omahug.org
(8.12.9/8.12.9/Submit) id p9AGB0LA042926 for dlvdisc@geekbabe.com;
Mon, 10 Oct 2011 11:11:00 -0500 (CDT)
Date: Mon, 10 Oct 2011 11:11:00 -0500 (CDT)
X-Discedit: YES
From: Annie <dlvdisc@geekbabe.com>
Message-Id: <201110101611.p9AGB0LA042926@ivgate.omahug.org>
X-Greylist: Sender IP whitelisted, not delayed by
milter-greylist-1.5.3 (ivgate.omahug.org [0.0.0.0]); Mon, 10 Oct 2011
11:11:06 -0500 (CDT)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.5.3
(ivgate.omahug.org [0.0.0.0]); Mon, 10 Oct 2011 11:11:01 -0500 (CDT)
Precedence: first-class
Reply-To: dlvdisc@geekbabe.com
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=1; sbrc=-0; sbf=eb; sbw=000;

These are two of the best things I have read for a long while.
Xxdresser sums it up perfectly, especially the "lying" part. Thanks :)

Amie x

----------
(This posting was entered by Rosaliy, an external user of MyDLV.)