Compromised Contacts Can Cause Confusion

It has happened again. Things seem to go in waves, and right now people who I know seem to be involved with a wave of compromised contacts in their email accounts. Last week, my wife received an obviously bogus email from a friend. She returned a quick warning, but I suspect her friend had already discovered the problem because another email came through with an apology to everyone who had received the bad letter. We do not know if anyone on the contact list had the misfortune to actually open the contaminated mail.

Then at a computer club this week, two members reported their contacts had also been compromised. This provoked a conversation about (1) what to do next, and (2) how to protect oneself from future problems.

Before discussing what to do next, we need to understand one common thread linking these three events. All were using Web-based mail clients. I do not claim to be an expert on email security, but I prefer to use a local mail client. Yes, I will even admit to being a fan of Outlook — after all, it does play nicely with my BlackBerry. (Now I have probably made two sets of people angry. Oh, well, you have to call them as you see them.)

The consensus of the group was to shut down the compromised account and open a new one. Various suggestions were made about how to safely import the old contact list without bringing a problem along. These included exporting the contacts to their home computer as a CSV file and then scanning it before re-importing it to the new account. Exporting contacts is an iffy thing. Some providers make it difficult as a way to keep customers — at least that is what I believe; there does not seem to be any other rational reason. I suggested that a local scan with the PC running in safe mode and no Internet access would be a good thing to do before opening a new account or doing anything. MSE or Malwarebytes are my applications of choice.

About this time, one of the members said that he heard of a way to protect contacts by making a bogus entry, [email protected]. When an intruder tries to send an email to that address, it will fail, and since that is the first one in alphabetical order, the process stops. Sadly, that is not true. There might have been a bit of truth in that scheme years ago, but intrusion techniques now are quite sophisticated. In fact, I was surprised that legend still circulates. There is even a rebuttal on Snopes. If anyone knows of a way of thwarting intrusions via bogus entries, please share.

This is not the same thing, but I do recommend creating a bogus person in your contacts with your own address. Then set up your mail client to show who mail is being sent to (usually just you). If the bogus person ever gets a letter, you know after the fact that you have been compromised. This does not protect you, but it could kick-start a recovery process. At least it does not cost anything. Another test is to go to dcwg.org and follow instructions.
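The canary-contact idea above relies on noticing, after the fact, that the bogus contact was mailed. The script below is an added example (not code from the article or its author) that automates that check over an exported mailbox: it parses each message's To/Cc/Bcc headers and reports the Message-IDs addressed to the canary. The canary address and the three sample messages are constructed for this example; point `CANARY_ADDRESS` at whatever throwaway contact you actually created.

```python
"""Canary-contact check for exported mail (added example, not from the article).

The idea: you add a bogus contact that points at an address you control. Nobody
you know would ever mail that contact, so any message that names it as a
recipient is evidence that your address book was harvested.
"""
import email
from email import policy

# Constructed canary: a placeholder address you would replace with the one you
# gave the bogus contact in your own address book.
CANARY_ADDRESS = "canary-contact@example.invalid"

# Constructed sample mailbox: three raw RFC 5322 messages. Only the second one
# is addressed to the canary contact.
SAMPLE_MESSAGES = [
    b"""From: friend@example.com
To: me@example.com
Subject: Lunch on Friday?
Message-ID: <1@example.com>

Are you free Friday?
""",
    b"""From: friend@example.com
To: Bob Smith <bob@example.com>, "Canary Contact" <canary-contact@example.invalid>
Cc: me@example.com
Subject: Check out this link
Message-ID: <2@example.com>

http://example.invalid/bogus
""",
    b"""From: newsletter@example.com
To: undisclosed-recipients:;
Subject: Weekly digest
Message-ID: <3@example.com>

Digest content.
""",
]


def recipients_of(raw_message):
    """Return every recipient address (lower-cased) found in To, Cc and Bcc.

    policy.default parses address headers structurally, so display names,
    quoted names, comma-separated lists and empty groups such as
    'undisclosed-recipients:;' are all handled without ad-hoc string splitting.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = set()
    for name in ("To", "Cc", "Bcc"):
        for header in msg.get_all(name, []):
            for addr in header.addresses:
                found.add(addr.addr_spec.lower())
    return found


def find_canary_hits(messages, canary=CANARY_ADDRESS):
    """Return the Message-IDs of all messages addressed to the canary contact."""
    hits = []
    for raw in messages:
        if canary.lower() in recipients_of(raw):
            msg = email.message_from_bytes(raw, policy=policy.default)
            hits.append(str(msg["Message-ID"]))
    return hits


if __name__ == "__main__":
    for message_id in find_canary_hits(SAMPLE_MESSAGES):
        print("canary contact was mailed in message", message_id)
```

The same functions work on a real export: iterate a `mailbox.mbox` file and pass each message's `as_bytes()` to `find_canary_hits`. The check only tells you that the contact list has already been harvested, which is exactly the after-the-fact signal the article describes; it is a prompt to change the password and warn your contacts, not a preventive control.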

The bigger question is how to prevent future compromise. Since the history of how these three accounts were successfully attacked is not available, we have to fall back on standard techniques. After all, the reason they are standard is that they work. I never open a forwarded letter unless I confirm with the sender that it is legitimate. Closing the preview window is a good idea.

By all means, complain quickly and loudly to anyone who sends a mass mailing without using BCC. This is not only for your own protection, but for all those other potential victims as well. I used to be overly polite in pointing out this breach of etiquette and common sense, but now I couldn’t care less for the feelings of the offender. I am still polite, at least as polite as I need to be to attempt to bring about a change in dangerous behavior. Graphic descriptions of the horrors that could be visited upon the innocent recipients usually have a beneficial effect.

We could go through a litany of good techniques, but it all boils down to one thing: You are your own best defense. Even if there were a magic app that would promise total security, it might be valid for today and could fail tomorrow. You would be worse off for having been lulled into a false sense of security. The people who write the malware are at least as smart as those who write the protections, and the ones who write really successful malware can make a lot of money quickly. That is incentive.

There is another reason to avoid blind dependence on software protection. It is what I call the GPS effect. Since we have GPS in our cars, I have slipped over the years into the habit of punching in addresses even when I know where to go. It is convenient. But as a result, my ability to navigate by dead reckoning has decreased greatly. The same thing happens if you become complacent over Internet and email security because you trust your protective software. You might relax and click a button you should not have gone near, or you might open an obviously bogus letter.

So why do these things seem to go in waves? Is it just a random fluctuation that looks like a wave? It could be due to a new and improved intrusion tool being proliferated. Not only am I not an expert on these things, but I really do not want to become one. Like everyone else, I just want to avoid getting infections of various types with as little effort and compromise on my end as possible. That is probably too much to ask.

  • Kyle Kimberlin

    The insight about webmail being more susceptible is interesting but perhaps anecdotal. Webmail has become far more popular than local client access. But all of the accounts I’ve used with Outlook also had a web access option, accessible with the same credentials on the ISP’s site. So I think the more likely weak point is the credentials – weak passwords. And there may be something to say about transmission of passwords without https over unsecured networks. I always use VPN in public.

    Thanks for the article!

    • Sdeforest

       Good comments. I do not have any definitive reason to trust any mail service over another, but I just feel more secure with local storage. No reason. VPN is good.