Saturday, 19 January 2013

Howto: Handle a hacked email account

If your friends complain that you have sent them spam, your email account has probably been compromised.

First I'll explain what has happened, then what hasn't and, finally, what you should do about it.

What has happened?

Someone has obtained the password to your web-based email account. They have logged in and sent spam, quite possibly in the form of links to dubious or even dangerous websites, to contacts you have saved in your online address book.

Your password may have been captured in transit when you logged into your email account over a public wireless network. If so, you almost certainly were not using an encrypted (HTTPS) connection at the time: anyone on the same network can read a login that is sent in plain text.

An alternative way in which an attacker can acquire your email password is to send you a fake email that purports to come from your email service (e.g. Yahoo!). Such 'phishing' emails ask you to log into a fake website. When you type your password into that site it is recorded, and whoever operates the site now has your login details.

Sometimes an email service itself will be hacked and its users' passwords stolen. This happened to Yahoo! last summer. In Yahoo!'s case the passwords appear to have been stored in plain text rather than as salted hashes, which is surprisingly unprofessional if true.

What has not happened?

The attacker has not merely written emails and forged your address as the sender. While such 'spoofing' is possible, the fact that the spam went to the contacts in your address book indicates that the attacker has actually logged into your account.

There is no reason to assume that a hacker or a virus has compromised your personal computer. You can discover whether the spam was sent from your computer or someone else's by comparing the headers of a message you sent yourself with those of a spam message received by one of your contacts.

To find out how to do this, see Who sent the email? below.

What can you do to fix the problem?

1. Log into your email service and enable encrypted connections if available. The setting may be labelled HTTPS or SSL. Yahoo! Mail only added this option in January 2013, and it is not on by default. This article shows how to secure a Yahoo! Mail account.

2. Once you have addressed step one, and not before, change your password to something new and not obvious. For password tips, and a reason not to re-use the same one on different sites, see here.

(If you change your password before enabling encryption your new password will travel over the internet in plain text, which increases the chance that it could be stolen.)

3. Some email services let you specify an associated recovery email address. If you lock yourself out of your main account, a password reset is sent to this secondary address. Check that the attacker has not changed it to an address they control, otherwise they can simply reset your new password.

4. Continue to be aware of phishing email threats and avoid falling for their tricks.

5. Be wary of using public WiFi just as a general rule.

6. To guard against having your details stolen or leaked change your passwords regularly.

Who sent the email?

All email messages contain technical details about the systems that they touch, from their origin to their destination. Look at the 'headers' to see who really sent the message.

In the following example message #1 was sent by the spammer, while message #2 was sent legitimately by the victim. I've trimmed out a lot of unnecessary headers below. Look at the Received: line in each: it records the IP address the webmail server saw the sender connect from. I have changed some details to protect the innocent.

MESSAGE #1
Delivered-To: simon@h@k.me
...
Received: from [77.255.73.226] by web162906.mail.bf1.yahoo.com via HTTP; Mon, 14 Jan 2013 04:15:46 PST


MESSAGE #2
Delivered-To: simon@h@k.me
...
Received: from [64.40.54.xxx] by web162904.mail.bf1.yahoo.com via HTTP; Mon, 14 Jan 2013 10:44:51 PST

What these tell us is that both the attacker and the victim used Yahoo! Mail using the web (HTTP) interface.

We can also see that the spammer was operating from an IP address of 77.255.73.226, while the victim was using 64.40.54.xxx.

Using an online tool like http://whois.domaintools.com we can find out where these people are based.

At the time of the attack the spammer was based in Warsaw. The tool reports the following (and more):

IP Information for 77.255.73.226
IP Location: Poland Warsaw Netia Sa
ASN: AS12741
Resolve Host: 77-255-73-226.adsl.inetia.pl
IP Address: 77.255.73.226

The victim's IP address, on the other hand, leads us to believe (correctly) that he was working from Seattle.

Thus we can conclude that the spammer was accessing the compromised email account using a web interface from Poland, rather than via the victim's PC in Seattle.
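The comparison above can be done by script rather than by eye. The following is an added example, not code from the original post: it takes the raw headers of the spam message and of a message the account owner sent themselves, finds the first-hop Received: line in each (the bottom-most one, since every relay prepends its own), pulls out the client IP and the "via HTTP" marker, and reports whether the two messages came from the same network. The two Yahoo! Received: lines are the ones shown above; the other header lines, the relay host name relay.example.invalid and the 198.51.100.7 relay address are constructed for the example. Geolocation is left to a whois tool, as in the post.

```python
"""Compare the origin hop of a spam message with one the account owner sent.

Added example, not from the original post.  Only the two 'via HTTP' Received:
lines come from the post; the surrounding headers are constructed here.
"""
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed header blocks.  Each relay prepends a Received: line as the
# message travels, so the bottom-most Received: line is the first hop: the
# webmail server recording the IP address the browser connected from.
SPAM_HEADERS = """\
Delivered-To: simon@h@k.me
Received: from relay.example.invalid (relay.example.invalid [198.51.100.7])
    by mx.example.invalid with ESMTP; Mon, 14 Jan 2013 04:15:50 -0800 (PST)
Received: from [77.255.73.226] by web162906.mail.bf1.yahoo.com via HTTP; Mon, 14 Jan 2013 04:15:46 PST
Subject: check this out!!!

"""

OWN_HEADERS = """\
Delivered-To: simon@h@k.me
Received: from relay.example.invalid (relay.example.invalid [198.51.100.7])
    by mx.example.invalid with ESMTP; Mon, 14 Jan 2013 10:44:55 -0800 (PST)
Received: from [64.40.54.xxx] by web162904.mail.bf1.yahoo.com via HTTP; Mon, 14 Jan 2013 10:44:51 PST
Subject: lunch on Friday?

"""

# Matches the Yahoo! webmail form "from [ip] by server via HTTP".
HOP_RE = re.compile(r"from\s+\[(?P<ip>[^\]]+)\]\s+by\s+(?P<server>\S+)\s+via\s+(?P<via>\w+)")


def origin_hop(raw_headers):
    """Return {'ip', 'server', 'via', 'public'} for the first-hop Received: line,
    or None if there is no parseable one."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = HOP_RE.search(received[-1])      # last in the list = first hop
    if not m:
        return None
    ip = m.group("ip")
    try:
        public = ip_address(ip).is_global
    except ValueError:                    # redacted octet such as 64.40.54.xxx
        public = None
    return {"ip": ip, "server": m.group("server"), "via": m.group("via"), "public": public}


def same_network(ip_a, ip_b, octets=3):
    """Compare only the leading octets, so a redacted last octet (xxx) still
    allows a /24 comparison.  Non-numeric leading octets never match."""
    a, b = ip_a.split(".")[:octets], ip_b.split(".")[:octets]
    return a == b and all(o.isdigit() for o in a + b)


def compare_origins(spam_headers, own_headers):
    """One-line verdict: did the spam come from the same network as the owner's mail?"""
    spam, own = origin_hop(spam_headers), origin_hop(own_headers)
    if spam is None or own is None:
        return "undetermined: no parseable first-hop Received: line"
    if same_network(spam["ip"], own["ip"]):
        return f"same /24 ({spam['ip']} vs {own['ip']}): check the owner's own PC"
    return (f"different origin: spam from {spam['ip']} via {spam['via']} on {spam['server']}, "
            f"owner's mail from {own['ip']} via {own['via']} on {own['server']}")


if __name__ == "__main__":
    print(compare_origins(SPAM_HEADERS, OWN_HEADERS))
```

Both hops come from the webmail interface, so the only thing separating them is the client address; the script reports a different origin, and the whois lookup above turns that address into a location.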