# Hack attack!



## Jo Zebedee (May 14, 2013)

Last year I had a hack of my AOL account which was pretty nasty - hundreds of spam emails sent. Since then I have been careful about security - I have McAfee Total Protection on PCs but not tablets, I don't use public networks (except 3G on my bberry), I use a different password for AOL to everything else and sign in with a different one than I have stored.

I had another, smaller attack yesterday - apologies to those of you who got one - and AOL have shut me out for suspicious activity tonight (that may have been me, though, deleting lots of contacts).

I access AOL from my PC and sign out when not working, my iPad, which is connected all the time when connected to the internet through secured networks, and my BlackBerry.

In terms of websites I am a low user - here, the BBC, wiki, a small amount of shopping ones and would never have oodles of windows open.

Which platform is the likely source, oh techie people, and how do I protect myself or is this account, once hacked, now doomed? (It has been my address for years and I need it for work and it would be awkward changing it.) 

Cheers

Demented.


----------



## Lenny (May 14, 2013)

Do you have copies of the e-mail sent to your contacts in your Sent Items (or Trash) folder?

If you don't, then there's not much you can do about it. Spoofing a return address in the e-mail header is laughably easy (it's akin to writing a letter to someone and putting someone else's return address at the top of the letter and on the back of the envelope).

If you do have copies of the sent e-mail, then your account has most definitely been compromised. Whilst changing the password will deny access to your account for anyone else, it's not the only thing you should do.

Before changing the password, check your account settings for alternate e-mail addresses that you didn't add (services often allow you to add a backup address, to which recovery details will be sent if you've been locked out), and check your filters for automatic forwarding (if your e-mail provider sends you an e-mail with your new account details, then the last thing you want is for it to be automatically forwarded to someone else). When you're sure that no-one else will receive any e-mails, or notifications, you get, change your password (and make it secure. If AOL has a "security of your password" checker, ignore it - when it says your password is strong, double the length. The time needed to crack a password increases exponentially with every character you add, particularly so if you use non-alphanumeric characters).

Changing the password will give you a short time window in which to change everything else, too. Unfortunately, if the attacker knows a handful of details about you, they can still trick your e-mail provider into letting them in, by answering your security questions correctly. So change them all. My personal favourite method for security questions is to create my own with answers that really cannot be guessed (think of the Guest Publication round in *Have I Got News For You*) - don't stick with "Mother's Maiden Name", or "First Pet's Name", but create your own question with bizarre answers: *What is the current time?* _Sorry, I was never that into Pokemon_.

---

If you've ever used an "Invite your contacts" function on a site like Facebook, or LinkedIn (particularly LinkedIn, who suffered a major data theft last year), then there's a chance the attackers have a snapshot of your address book, and there's nothing you can do about that.

There's a small chance that you also have a virus or trojan on your local machine, so I'd do a full scan just to make sure. It's unlikely, however, as attackers have moved onto using flaws in JavaScript to run code that takes advantage of modern browser behaviour (the average person, particularly younger generations, will have a lot of tabs open that require you to be signed into a service. It's not hard to write a bit of code that automatically posts something to Facebook or Twitter, or sends an e-mail. All the attacker needs to do is assume that who they are attacking has those tabs open and is logged in).
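The forged-return-address case Lenny describes can often be told apart from a real account compromise by the recipient, from the message headers. The sketch below is an added example, not part of the original post: it assumes the recipient's own mail server stamps an `Authentication-Results` header, and the two sample messages, their addresses and the verdict names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From claims example.com, but the envelope sender and
# the DMARC result say it never went through example.com's mail system.
FORGED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dmarc=fail header.from=example.com
From: "Jo" <jo@example.com>
Subject: hi

check this out
"""

# Constructed sample: same From, but authenticated by the From domain,
# which is what mail sent from inside a compromised account looks like.
GENUINE = FORGED.replace("bounce@mailer.example.net", "jo@example.com") \
                .replace("mailer.example.net", "example.com") \
                .replace("dmarc=fail", "dmarc=pass")


def domain(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def auth_results(msg):
    """spf/dkim/dmarc verdicts; the topmost header (added last, by the
    receiving server) wins, since lower ones may be sender-supplied."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            found.setdefault(method.lower(), result.lower())
    return found


def assess(raw):
    msg = message_from_string(raw)
    auth = auth_results(msg)
    if auth.get("dmarc") == "pass":
        return "authenticated"            # really sent via the From domain
    if auth.get("dmarc") == "fail" or domain(msg["Return-Path"]) != domain(msg["From"]):
        return "unauthenticated-mismatch"  # From line is not backed up
    return "inconclusive"


if __name__ == "__main__":
    print(assess(FORGED), assess(GENUINE))
```

An "authenticated" result on the unwanted mail points towards the account itself having been used, which matches finding copies in the Sent folder.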


----------



## Jo Zebedee (May 14, 2013)

That's really helpful, Lenny, I will go check all that. I am on LinkedIn as it happens. I will also think of a fiendish security question. Interestingly, McAfee found and removed a trojan this morning - might that have been the culprit and if so is it dealt with? And yes, eventually the emails showed in my sent folder but not for a couple of hours.


----------



## Lenny (May 14, 2013)

Well if you haven't changed your LinkedIn password etc. recently, I'd do so now. The same with your AOL account, seeing as the sent e-mails showed up in your sent folder.

The trojan may have been the culprit, but you don't want to put your feet up - account security is one of those infuriating things that should never be pushed to the back of the mind. It's safest to think that we'll never not be under attack. Constant vigilance, and all that.

---

_I did have this as an edit at the end of my first post, but I'll put it here instead._

If you do decide to go for a new e-mail service (and of course, I'd recommend Gmail), try and find one that lets you turn on Two-Factor Authentication - it's a security method by which you need a uniquely generated key as well as your password before you can log on. It can be sent via SMS, or generated by an app on a smartphone, and adds an extra level of security (even if the attacker manages to guess your password, the odds of them also guessing a six-plus digit code are cosmic). Usually, you'll be given the option to save a device as trusted, meaning you only need to log in with two-factor authentication on that device once. If you log in on a different computer (at work, say), then the service can work out that you're on a different device and it will make you log in with Two-Factor Authentication.

It's something that wouldn't hurt to enable on other accounts that allow it (Dropbox and Facebook, for example).


----------



## Jo Zebedee (May 14, 2013)

I have changed my password twice - I will go do LinkedIn now and, although I can't change the password qs I can change who I base the answers on. Ty! You're fab.


----------



## Montero (May 16, 2013)

Lenny said:


> It's unlikely, however, as attackers have moved onto using flaws in JavaScript to run code that takes advantage of modern browser behaviour (the average person, particularly younger generations, will have a lot of tabs open that require you to be signed into a service. It's not hard to write a bit of code that automatically posts something to Facebook or Twitter, or sends an e-mail. All the attacker needs to do is assume that who they are attacking has those tabs open and is logged in).



So it is not just tabs open? It is logged in too? Just wondering why having tabs open is a security risk (given as I do it).


----------

