The Accidental Spammer
Last Saturday, my 10-year-old AOL account was hijacked to promote one of the best known online pharmacy scams. The Canadian Health Care Mall looks legitimate, but its certifications are forged, its buildings do not exist and its CEO image is a stock photo. Order from this company, and you will be turning over your credit card account to cybercriminals.
The first thing I noticed was a series of "mail undeliverable" notifications in my inbox. Then I received messages from vigilant friends asking if I was aware my account had been compromised and was being used to send out spam.
When I tried to log into my account, the password was declined, but within an hour, the password worked. There were no unusual emails in the sent folder.
This is a typical scenario. Someone found my password, used it to access the account, and changed the password while using the account to send spam to every email address associated with the account. When the job was completed, the sent spam messages were deleted and the password changed back to the original password.
Messages sent from my account were reported as spam, and AOL locked me out for 24 hours of the account section where I would have been able to change the password. Because of the unusual activity, once the lockout was lifted, answering a security question was required for me to go in and change the password. In my case, the question was "What is my favorite movie?" Apparently, my tastes have changed over the last decade. "What were the last four digits of the credit card used to establish the account?" Unable to answer. Finally, I received an email from AOL warning that if spam was sent from this account again, it would be closed.
Most experts recommend closing the account to prevent further misuse, but ironically, I didn't have the access to close it. I've decided to keep the account and take precautions against future problems.
If you find yourself in this situation, one thing you can do is check your email regularly. Look for mail delivery error notifications for mail you may not have sent. If you discover your email account has been stolen, change the password and the associated security questions immediately if you can.
If, like me, you can access your mail, but not the account privileges, protect your account and your friends from another round of spam by removing contact information from the account. First, copy contact email addresses that are important to you into a new document. Some security experts advise keeping contacts in a separate list and pasting them into email messages as needed.
Next, delete email from the inbox and sent mail folders. Delete contacts after copying the ones you want and then empty the trash. If the hijacker comes back, the account will be empty.
Whether or not you decide to keep the account, the password must go. Once the password for an email account has been compromised, that same password may be tried against other sites. Unfortunately, many people use the same login and password everywhere they travel online, giving easy access to cybercriminals once they've broken through the email account.
Some people advocate one password for everything because it's easy to remember, and those at the opposite end prefer a different password for every site because it's safer. Consider creating several strong passwords for different types of sites. Come up with a password for online banking and related financial sites, a password for each email account, a password for shopping and entertainment sites, and a fourth password for information sites such as news and forums.
A safe password will be made up of letters, numbers and punctuation symbols whenever possible. Do not use words found in a dictionary. Hackers commonly use programs based on combinations of dictionary words to break passwords. Also don't use dates, your name or other common personal data.
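As an added example (not from the original post), here is a small Python checker that applies the rules above: letters, numbers and punctuation; no dictionary words; no dates; no name or other personal data. The tiny wordlist, the 12-character minimum and the sample passwords are my assumptions, not the article's.

```python
import re
import string

# Constructed stand-in for a real wordlist; a deployment would load a full
# dictionary file instead of this handful of words.
DICTIONARY = {"password", "secret", "movie", "summer", "love", "admin",
              "welcome", "dragon", "monkey", "letmein"}

# Four-digit years and day/month patterns such as 12/25 or 6-1-85.
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}[/-]\d{1,2}")

MIN_LENGTH = 12  # assumption: the article gives no specific length


def made_of_dictionary_words(letters, words=DICTIONARY):
    """True if the letters split entirely into dictionary words (e.g. letmein+monkey)."""
    s = letters.lower()
    if not s:
        return False
    reachable = [True] + [False] * len(s)  # reachable[i]: prefix s[:i] is all words
    for i in range(len(s)):
        if reachable[i]:
            for j in range(i + 1, len(s) + 1):
                if s[i:j] in words:
                    reachable[j] = True
    return reachable[len(s)]


def check_password(pw, personal_data=(), dictionary=DICTIONARY):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_punct = any(c in string.punctuation for c in pw)
    if not (has_alpha and has_digit and has_punct):
        problems.append("needs letters, numbers and punctuation")
    # Dictionary attacks try words padded with digits/symbols, so strip those first.
    letters_only = "".join(c for c in pw if c.isalpha())
    if made_of_dictionary_words(letters_only, dictionary):
        problems.append("letters spell dictionary words")
    if DATE_RE.search(pw):
        problems.append("contains a date or year")
    for item in personal_data:  # e.g. your name, pet, employer
        if item.lower() in pw.lower():
            problems.append(f"contains personal data: {item}")
    return problems
```

Pass the user's own name and similar details in `personal_data` so the last check has something to compare against.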
The best passwords are usually not easy to remember. Assuming you use your computer at home, write your passwords down on paper and keep them in a safe place that is accessible, but out of sight. Most passwords are stolen with the "PostIt" method, by glancing at the password-containing yellow note stuck to the monitor.
Keep a list of the sites where you've stored passwords. Apply your new passwords to the existing sites you use, such as Amazon, eBay and your online brokerage firm. Software is available to help manage passwords, but sometimes old-fashioned pen and paper are sufficient.