That Danny! News, Reviews, Social Media and Net Moods

18 Apr 2009

What to do if your Hotmail account got hacked – the recent spate of attacks on Hotmail accounts


If your friends and contacts have received an email or IM message from your Hotmail account with wording along the lines of "I would like to introduce a good company who trades mainly in electronic products... etc" - it is highly likely that your Hotmail account has been compromised.

IF YOU ARE THE POOR SOUL THIS HAPPENED TO, THEN YOU SHOULD READ ON AND FOLLOW THE INSTRUCTIONS AT THE BOTTOM OF THIS ARTICLE.



In most cases when a spam email is sent in your name, the spammer doesn't need access to your account at all. All they need to do is spoof your email address - i.e. forge the From header so it looks like the message was sent by you. That is trivial to do, and very common.

However, the latest spate of spam from Hotmail accounts is different in that the attackers actually hack into your Hotmail account and then do some or all of the following things:

  • They send a spam email to all your contacts.
  • They may send a spam IM message to all your Messenger contacts
  • They may delete all your Hotmail contacts
  • They may set your autoresponse (the one you set when you go away) to send this spam message
  • They may set your email signature to include the spam message

You know that they have actually got into the account because the messages went to your contact list, or arrived as instant messages. A spoofer doesn't have your contact list or your Messenger session; only someone logged in as you does.

HOW IT HAPPENS
I don't have a definitive answer, but I do have a theory which, based on the evidence, looks likely. If your password is a common name or a word that appears in a dictionary, then your account is vulnerable, even with a year of birth or a number tacked on the end, because the guessing tools try exactly those variations as a matter of course.

This is how the hackers do it:

  • They employ an automated script that is fed your Hotmail address and then goes to work.
  • It feeds an entire dictionary, plus lists of common passwords and names, into the Hotmail login form one by one, trying to log in.
  • After several failed attempts Hotmail "locks" the account and presents a CAPTCHA (a string of distorted letters and numbers that is supposed to stop scripts from doing exactly this, because supposedly only a human can read them).
  • Unfortunately a CAPTCHA no longer stops scripts, because attackers have found ways around it. One is character-recognition software good enough to read the distorted letters. Another is the "CAPTCHA farm": the images are forwarded to human workers employed by the attackers to solve them, typically paid per CAPTCHA entered (a cent or so each). This becomes financially viable when the spam is part of a bigger scam. Messages that appear to come from a friend are far more likely to be trusted, so the return per compromised account is high, and mail sent from a genuine, established account sails past the reputation filters that would catch ordinary spam.
  • Sometimes the scripts spread their guesses over days, or even weeks, so that the failure rate on any one day stays below the level Hotmail's attack-detection systems react to.

There are of course other ways for hackers to achieve this kind of attack, such as spyware on your computer, or you being deceived by a rogue website. My instructions below would help you tackle these as well.
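The "slow over days or weeks" tactic in the last bullet is exactly what a short lockout window misses. As an added example (my code, not from the original post and not Hotmail's own detection logic), here is a Python detector run over a constructed login log: the first function is a classic "N failures in ten minutes" lockout, the second looks at a week at a time and also notes whether a success eventually came from an address that had been failing. The log format, thresholds, account names and addresses are all assumed.

```python
"""Spotting a slow dictionary attack that a short lockout window misses.

Added example, not from the original post. Log format, thresholds and
addresses are assumptions; a real mail provider's logs will differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one attacker spacing guesses against "alice" over
# four days from three addresses, plus normal traffic from "bob".
# Format: ISO time, account, result, source IP.
SAMPLE_LOG = """\
2009-04-14T08:00:00 alice FAIL 203.0.113.7
2009-04-14T08:00:01 alice FAIL 203.0.113.7
2009-04-14T08:00:02 alice FAIL 203.0.113.7
2009-04-14T09:15:00 alice OK 198.51.100.20
2009-04-14T20:00:00 alice FAIL 203.0.113.7
2009-04-14T20:00:01 alice FAIL 203.0.113.7
2009-04-15T07:30:00 alice FAIL 203.0.113.8
2009-04-15T07:30:01 alice FAIL 203.0.113.8
2009-04-15T07:30:02 alice FAIL 203.0.113.8
2009-04-15T21:00:00 bob FAIL 198.51.100.9
2009-04-15T21:00:30 bob OK 198.51.100.9
2009-04-16T06:00:00 alice FAIL 203.0.113.9
2009-04-16T06:00:01 alice FAIL 203.0.113.9
2009-04-16T06:00:02 alice FAIL 203.0.113.9
2009-04-17T10:00:00 alice FAIL 203.0.113.7
2009-04-17T10:00:01 alice FAIL 203.0.113.7
2009-04-17T10:00:02 alice OK 203.0.113.7
"""


def parse_log(text):
    """Parse 'ISO-time account RESULT source-ip' lines into tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, result, ip))
    events.sort(key=lambda e: e[0])
    return events


def short_window_lockouts(events, max_failures=4, window=timedelta(minutes=10)):
    """Classic lockout rule: N failures on one account inside a short window.
    Returns the accounts that would have been locked."""
    locked = set()
    recent = defaultdict(list)
    for ts, account, result, _ip in events:
        if result != "FAIL":
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.pop(0)
        if len(q) >= max_failures:
            locked.add(account)
    return locked


def slow_attack_report(events, min_failures=10, window=timedelta(days=7), min_sources=2):
    """Long-window rule: many failures per account across a week, from more than
    one source address. Also records whether a later success came from an
    address that had been failing, the tell-tale of a guessed password."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev[1]].append(ev)
    report = {}
    for account, evs in by_account.items():
        fails = [e for e in evs if e[2] == "FAIL"]
        if len(fails) < min_failures or fails[-1][0] - fails[0][0] > window:
            continue
        fail_ips = {e[3] for e in fails}
        if len(fail_ips) < min_sources:
            continue
        guessed = any(e[2] == "OK" and e[3] in fail_ips for e in evs)
        report[account] = {
            "failures": len(fails),
            "sources": len(fail_ips),
            "success_from_attacker_ip": guessed,
        }
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("short-window lockouts:", short_window_lockouts(evs))
    print("slow-attack report:", slow_attack_report(evs))
```

On the sample, the ten-minute rule locks nobody (the attacker never exceeds three tries in a burst), while the week-long view flags alice with thirteen failures from three addresses and a final success from one of them. The point for a defender is to keep the per-account failure history for much longer than the lockout window, and to treat "success after a run of failures from the same source" as an incident rather than a login.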

WHAT SHOULD I DO IF MY HOTMAIL ACCOUNT GOT HACKED?
Go through the following steps, one by one:

1. Before you do anything else, change your Hotmail account password to something strong. Not a dictionary word or a name, and not a word with a year or a couple of digits tacked on either, because those are exactly the variations the scripts try. Make it long, mix in symbols such as $ and &, and don't reuse it on any other site. I know it is difficult to remember, but if you don't want to be hacked, you'll have to start using strong passwords.

2. Now check that your autoresponse and email signature on Hotmail do not have any spam text added to them, as this would go out to your contacts automatically.

3. Then check that your computer does not have spyware or viruses, by following the instructions here.

4. From now on keep your passwords safe, and be extra careful when using public computers (such as those in Internet cafes), where a keylogger may capture whatever you type. If in doubt, change your passwords, from a machine you trust.

5. You may want to alert Hotmail support to the problem. It seems to be happening all over the place, and the more they know about it, the better it is for their efforts to address it.

And please note: if for some strange foolish reason you decide to go to the site advertised by the spammers, and you are even more foolish and decide to buy something on it, don’t be surprised if it never arrives. This is a well known scam, and you will never get your goods, you muppet.
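Step 1 above says a word with a year or a few digits bolted on is still weak. As an added example (my code, not from the original post and not any Hotmail rule), here is a small Python checker that does what the attackers' scripts do in reverse: strip the digits and symbols off either end, undo the common letter-for-number substitutions, and see whether what is left is a dictionary word. The ten-entry wordlist is a constructed stand-in for the real lists attackers use, which run to hundreds of thousands of words, names and leaked passwords; the length threshold is my assumption.

```python
"""Why "a word plus a year" is still a weak password.

Added example, not code from the original post. WORDLIST is a tiny
constructed stand-in for real attacker wordlists; min_len is an assumption.
"""
import re

WORDLIST = {
    "password", "letmein", "hotmail", "monkey", "danny",
    "london", "summer", "dragon", "welcome", "qwerty",
}

# Common "leet" substitutions. Attackers' rule sets undo these before comparing,
# so "p4ssw0rd" buys nothing over "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def core_word(password):
    """Lower-case, strip the digits/symbols people add at either end
    ("Danny1984!" -> "danny"), then undo leet-speak ("p4ssw0rd" -> "password")."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stripped.translate(LEET)


def weak_reasons(password, min_len=12):
    """Return the reasons a password is weak; an empty list means it passes."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    core = core_word(password)
    if core in WORDLIST:
        reasons.append(f"built on the dictionary word '{core}'")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 2:
        reasons.append("uses only one kind of character")
    return reasons


if __name__ == "__main__":
    for candidate in ("Danny1984!", "p4ssw0rd", "L3tM31n2009!!",
                      "12345678", "correct-horse-battery-staple"):
        verdict = weak_reasons(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

"Danny1984!" and "L3tM31n2009!!" both fail on the dictionary test even though they contain digits and symbols, which is the post's point; a long passphrase made of several unrelated words passes, because no single stripped word is the whole password.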




13 Apr 2009

Wordpress blog security top tips – Some things you MUST do!

WordPress is an excellent blogging platform, but as it is so popular it's also a constant target for those wanting to find and exploit its vulnerabilities. You should note that as with other web platforms, keeping WordPress secure is a constant job of updating and keeping up with the latest news and exploits.

Below are some key security tips, if you are installing a WordPress blog, or you want to make your existing blog more secure. This is a live article, and I will be adding more as I go along, or those suggested to me that make sense.

Make sure you back everything up before you start, and please read this article through to ensure you feel comfortable with the technical level required. Like any server and installation changes, it will require some problem-solving and technical common sense along the way, as no two systems are alike (and no two geeks are alike either). Any changes you make are at your own risk.

Top WordPress security tips:

1. When you install WordPress, it might be a good idea not to use the default directory that WordPress installs in (root/wordpress/), and instead either use the root directory or a directory with a different name. This means that automated scripts looking for the WP directory will not identify it on your site. There are, of course, other ways to identify a WP installation, but anything that makes your installation different to the standard steps a bot will follow to crack it is a good start.
Instructions on how to move the WP installation directory can be found here.
Note: there is also another (non security) reason to install WP in a root directory - it is more likely to rate higher on search engines if it is in the root. Depending on the popularity of your site this might be crucial.
Another note: if you are already running WP, you can simply move your directory, using the same instructions in the link above.

2. Make sure your WordPress installation is the latest version, and upgrade whenever a new version is released. These releases often fix security bugs and issues, and the longer you are behind the latest upgrade, the more likely you are to be exposed to attacks based on old vulnerabilities that you haven't patched yet.

3. Install the WordPress Security Scan plug-in. This is an excellent way to track some of the more common security risks on your installation. However, if your server has robust access settings, the plug-in will not have the permissions to do things like renaming database tables, so I've detailed some of the manual steps below. Make sure you use the plug-in's scanner function to check that your folders have the correct permissions.

4. Change the database table prefix of your WP installation from "wp_" (the default) to something hard to guess (e.g. "gh786Hg_"). If an attacker already knows the table names, any SQL injection flaw elsewhere becomes far easier to exploit. Instructions on how to make this change can be found here. You may also be able to achieve this through the WP Security Scan plug-in (see 3. above), but some environments will not allow it, and you'll have to make the changes manually. If you aren't familiar with SQL, be careful: back up your database first and make sure you know how to restore it if it all goes wrong.

5. Make sure you remove the user "admin" and replace it with a name that is less easy to guess. Leaving it there, opens you up to a dictionary attack whereby the hacker tries to crack your password using a script that tries lots of different passwords. If successful, they will gain full control of your blog.

6. Install the "Login-Lockdown" plug-in. This will also stop dictionary attacks in general, by limiting the number of failed logins allowed into your blog.

7. Hide your WordPress version. Again, revealing as little as possible to the potential attacker. This can be achieved through the Secure WordPress plug-in.

8. Hide your plug-in directory listing, so that an attacker can't simply browse wp-content/plugins to see which plug-ins (and which versions) you are running. On a well set-up server this should already be the case, but just in case: create an empty file called index.htm and place it in the wp-content/plugins directory. Note that this only hides the listing; a plug-in's files can still be fetched by name if the attacker knows the name. Or, even better, if you can access the .htaccess file in your root directory, add the following lines to it:

# Prevents directory listing
Options -Indexes

9. Make sure you have an .htaccess file in your wp-admin directory, and understand what it does. The block below is the one usually suggested, but be aware that it is WordPress's standard permalink rewrite rule set, the same block that belongs in the site's root .htaccess; it does not restrict who can reach wp-admin. To actually lock the admin area down, use the wp-admin .htaccess to allow only your own IP addresses, or to require an extra HTTP password on top of the WordPress login. The rewrite rules, for reference:

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

10. Now we need to have a word about Plug-ins - you have to be aware that plugins are inherently a security risk; even some of the more popular ones. They are created by (usually) great coders, but some coders are less great, and miss the obvious flaws in their plug-in. In a recent WordPress installation, I discovered two popular plugins that were wide open to hijack through SQL injections. There is no easy way to avert this, but take the following precautions:

  • Ensure you follow good security precautions on everything else. Ensure your servers, databases and PHP installations are set to be as secure as possible.
  • If you have the knowledge, give your plugins a once-over or scan them for injection risk using scanning software.
  • If you don't know how to do the above, and are running a corporate site with much credibility at stake, get professionals to do it for you.
  • Update plugins regularly to the newest version, to ensure any flaws the owner discovered and fixed are also fixed on your installation.
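To make the SQL injection point concrete, here is an added example (my code, not from the original post and not from any named WordPress plug-in) of a plug-in style lookup done the wrong way and the right way. It uses Python's built-in sqlite3 as a stand-in for MySQL, with a constructed two-table schema and a made-up password hash; the point is the difference between building the SQL string by concatenation and passing the value as a bound parameter, which in WordPress terms means going through $wpdb->prepare() rather than interpolating into the query.

```python
"""A plug-in style database lookup, vulnerable and fixed.

Added example, not code from the original post. sqlite3 stands in for
MySQL; the schema, rows and password hash are constructed.
"""
import sqlite3


def setup():
    """In-memory database with a minimal wp_posts / wp_users pair."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_name TEXT, post_status TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_posts VALUES (1, 'hello-world', 'publish'), (2, 'draft-secret', 'draft');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BfakehashXYZ');  -- constructed, not a real hash
    """)
    return conn


def vulnerable_lookup(conn, slug):
    """Published post by slug, built by string concatenation: the slug is
    part of the SQL text, so a quote in it rewrites the query."""
    sql = ("SELECT post_name FROM wp_posts "
           "WHERE post_status='publish' AND post_name='" + slug + "'")
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, slug):
    """Same query with the slug bound as a parameter: the database receives
    it as data, never as SQL, whatever characters it contains."""
    sql = ("SELECT post_name FROM wp_posts "
           "WHERE post_status='publish' AND post_name=?")
    return [row[0] for row in conn.execute(sql, (slug,))]


# A slug an attacker might send: closes the string, unions in the user table,
# and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT user_login || ':' || user_pass FROM wp_users --"


if __name__ == "__main__":
    db = setup()
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))   # leaks admin:$P$BfakehashXYZ
    print("safe:      ", safe_lookup(db, PAYLOAD))         # []
```

The vulnerable version hands back the admin login and password hash from a query that was only ever meant to return post slugs; the parameterised version returns nothing for the same input and still finds 'hello-world' for a legitimate slug. Changing the table prefix (tip 4) makes the attacker guess "wp_users", but it is the bound parameter that actually closes the hole.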

11. I mentioned the need for the environment (servers, databases, PHP etc.) to be as secure as you can make it. If you don't control these variables (for example because your hosting company does), check their security credentials and find out if they have a good record for security. There's no point in having a great secure WordPress installation running if the server it is hosted on is vulnerable. And while we're on the subject, if you have access to your PHP settings, and you're not a PHP guru, set "register_globals" to Off and "expose_php" to Off. Older PHP versions also offer "safe_mode"; it was never a reliable security boundary and was removed in PHP 5.4 (as was register_globals), so on a current PHP neither setting exists any more.

12. And finally, trivial but true: make sure your admin password is a good one. I know it sounds silly, but use a long un-guessable, non-dictionary password, that combines upper/lower case letters, numbers and symbols. No really.

Happy (and safe) blogging!


7 Sep 2008

Firefox Users – Read this Now to Protect Your Passwords!

Firefox Security - Your Passwords Are at Risk!

Following my piece about Google Chrome making password information visible to users (Oh Sh*t - Google Chrome Doesn’t Really do THAT?!) - I got several messages from people who were more worried about my observation that Firefox does the same.

The problem was that anyone using your PC could view a list of all usernames and passwords that you asked Firefox to remember - not asterisks: the actual passwords are visible to anyone. And because users tend to use the same passwords, it was exposing you to potentially disastrous consequences (e.g. your bank account being compromised), not to mention to the risk of various trojans and viruses getting hold of this information.

As David M. quite helpfully observed in his note to me: "With Firefox you can set a master password (right where you view the passwords in the Options page). This will require Firefox to ask you for a password the first time you use any of the saved password. It will also require this password in order to show all saved passwords. While not perfect, this can be a good solution. My problem with it is that until I read your email I was not aware of it, and so my computer has been exposed to the problem."

Like me, David didn't realise that the default in Firefox is that passwords are exposed unless you set a master password - and he's a much more qualified geek than I am.

Some people might say that if the feature is there, it solves the problem, but in my mind, if the software doesn't show you that the feature exists, in a way that is instinctively findable, then it is a design flaw, and as such is also a security flaw.

To summarise the findings in this Sunday pre-lunch post:

1. Firefox makes all your passwords visible to anyone who uses your PC, by default.

2. You can disable this option by setting a master password in the Options page.

3. Most people don't know this, so even hardened Firefox users are at risk.

4. Google Chrome doesn't actually have a master password option, so there's a fundamental flaw in Chrome that compromises your passwords (more here).

5. Thanks to those who have written in!

Now go set a master password on your Firefox: Tools --> Options --> Security Tab --> Use Master Password.

14 Jul 2008

What do I do if I have a Virus? (Virus Removal and Virus Protection)


This article covers what to do if you have a virus, or suspect you have a virus on your computer.

THE CAUSE
You are usually vulnerable to a virus under the following conditions:

1. You have virus protection on your computer, but it is not up-to-date.
2. You have virus protection on your computer, but the virus got through anyway.
3. You have no virus protection at all.

THE SYMPTOMS
Your computer is behaving strangely or in an unexpected way: for example files disappear or become corrupted, your email program seems to be sending emails but you don't actually see anything being sent, or your Internet browser keeps redirecting to websites that you didn't want to go to. There are many other possible symptoms, but in most cases you will notice that something is wrong.

For all of the above, there are perfectly reasonable explanations that may not be a virus, such as hardware and software malfunctions, but they could also be the result of your system being infected, so it is wise and prudent to do something about it, bearing in mind that you can do so for free.



WHAT TO DO IF YOU SUSPECT YOU HAVE A VIRUS ON YOUR COMPUTER
Disclaimer: These steps would help in most cases, but if your system is so badly damaged that it is beyond repair, the following steps may be too late, and some of your data may be lost. You follow them at your own risk. Then again, if you have a virus on your machine, you probably need to do something about it anyway.

If you already have virus protection on your computer:

    a. Make sure it is up-to-date and in licence. If it has expired and you no longer have virus updates, then it is as good as not being there at all. Either renew your licence and scan your computer for viruses, or uninstall it and follow the steps below.
    b. Make sure you do not have more than one virus protection program on your computer. Having more than one provides less, not more, protection. Virus protection programs clash with each other and are likely to reduce your protection. If necessary uninstall the surplus virus programs (but make sure you keep the one that still has an update subscription, if you have one).

NOW FOR VIRUS SCANNING
My approach uses three sets of tools to ensure that if you do have a virus, it is detected and removed:

    c. Finally, download and run Ad-Aware on your machine. The free version will do. This checks that you do not have "spyware" on your computer: nasty programs that send information about you to their creators, or change your settings to serve you unwanted commercial advertising.

Important note: The above programs tend to detect "tracking cookies" as a "threat". It is likely that quite a few of those would be found on any computer. Though unwanted, they are NOT the risk that is causing you problems. Remove them when asked, but if they are the only thing your scans have found, then your system is very unlikely to have a virus on it.

AND FINALLY - PROTECT YOURSELF FROM FUTURE ATTACKS
By this stage you are likely to know if your computer has indeed had a virus. The scans would have revealed it, and helped you fix the problem. Now is the time to think about protecting your computer longer term, by installing a virus protection program that will reside on your PC and protect it from new threats.

WHICH VIRUS PROTECTION PRODUCT SHOULD I GET?
There are many commercial products out there, I hear good things about Kaspersky Internet Security, so I'm including their promo banner in this post below.

UK users looking for an industry standard virus protection product can try Kaspersky Lab's UK website


Kaspersky Internet Security 2011


1 Jul 2008

uStarMeStar – and the ultimate stupidity test from “ustarmestar.com”


Note: zarbydoof.com and Defpics.com operate on the same principle. And all of these sites have hit the top of searched-for terms recently.

You may have received a spam message from ustarmestar asking you to visit it and see pictures of you, uploaded to uStarMeStar site. You don't recall uploading them, but curiosity and vanity get the better of you and you go to ustarmestar.com. How did they really get your name? Well, the mystery is solved as soon as you get to the site, and it asks you to enter the name of the friend who referred you. You don't know what to do, you enter the name of a random friend - they are the next victim! Worse still, you enter your own email and password, which may allow the site to access your Myspace site or email account and send messages to all your friends.

Another possibility is that a real friend of yours referred you to ustarmestar. You should give them a piece of your mind, as will become apparent shortly. They weren’t being very clever.

So here is how it works:

uStarMeStar - first screen: it asks for the email and full name of the person who referred you.

It then asks you to enter a password: you do (or you can just skip this stage by clicking submit), and proceed to a page that asks you how you found out about the uStarMeStar site. It gives you a list of email services.

Then it says - "Final step! Verify your mobile phone number to ensure a proper match", and this is where the real nastiness starts. You are asked for lots of personal information under the pretence of having to match your details:


By filling this in, you will be giving consent to a company called Freelotto to spam you. The terms state that in return for joining a lottery dishing out prizes, you will be asked to receive promotional emails and view advertising on the company's website.

Note that some variations of this site urge you to sign up with "offers" or "deals" for any number of other services, but the principle is always the same.

Finally, after you close this window you get one more screen of the same, and then a picture of a monkey. At the bottom of the monkey picture, it asks you to forward this "cute" joke to all your friends.

But uStarMeStar isn't cute. It is a spam campaign that gets you to sign up with the "free lottery" or other promotional sites under false pretences, and gets you to submit a lot of personal information, including your email address and password (dangerous).

Perhaps you should send this article to all your friends instead... In fact, at the speed that uStarMeStar is spreading on MySpace, your friends will be grateful if you did warn them...


23 Jun 2008

Yahoo virus / malware report – what to do if you get this (June 08)


Yahoo virus / malware report is a false positive (Avast)

Yahoo virus and malware reports from around the globe were found to be a false positive, captured by anti-virus program “Avast!”.

Concerned users were reporting the following message when they accessed yahoo.com:

“A virus was found!”
Malware name: VBS:malware-gen
Malware type: Virus/Worm

Avast was quick to inform users on its support forums that this was a false alarm, replying in the thread "Re: Yahoo.com Infected with Malware-Gen ??" with: "Really false alarm. Fixed in the internal build, will be fixed in next vps release."

If you get a virus found alert on yahoo sites and you have Avast anti-virus software installed, make sure you update your software to the latest version. You should be able to do so from the program interface direct. If this does not work, go to http://www.avast.com/eng/updates.html and update your Avast software manually.




19 Jun 2008

Photobucket Hacked – Latest Updates

MOST CURRENT - 20 June 08 14.15 GMT:
Things seem to have stabilised as the corrected dns settings filtered out across the web. There are still a small number of users accessing the instructions on what to do to get onto Photobucket, of which some would be due to local caches.
So I guess it's almost situation normal! Have a good weekend, and keep your images safe...

PREVIOUS UPDATE:
19 June 08, 22.15 GMT: There are still quite a few reports from all over the globe of Photobucket not working. Some users are reporting that they are still getting a holding page. The search volumes of people coming to this blog to try and resolve the problem have not diminished since yesterday.

It's interesting that I can actually tell from the logs to this website which ISPs' users still can't access Photobucket.

For example, the article about what to do if you still don't have access to Photobucket is frequented the most by users from two US ISPs:

Comcast (USA), and
Road Runner (USA)

I'm also getting visitors to this article from other places like:

Speedy Net (Peru)
AT&T/SBC (USA)
Centurytel (USA)
Wanadoo (Holland)
Planet (Holland)
Direct-adsl (Holland)
Bredbandsbolaget (Sweden)
SCRTC (USA)
Time Warner Telecom (USA)
Opticon (Hungary)
BCC Net (Delta, British Columbia, Canada)
Dodo (Australia)
== many others ==

But Comcast and Road Runner are miles ahead of everyone else in the numbers of users suffering from this problem. If you are their users - talk to them. Explain that they need to force a dns refresh.

Apparently the (alleged) Turkish hackers group used an account on the servers of Bulgarian Hosting company Zettahost, causing all affected Photobucket traffic to redirect to it. Zettahost took the hackers' page down, and put up an explanation instead. And, indeed, some users are still reporting that they are getting the Zettahost page, when trying to access Photobucket.

Two things have compounded the problem:

a. Photobucket has not been posting any updates on their site, so users don't know what's going on. Their latest corporate blog entry is from June 12 and is entitled: "We're the best photo sharing site, so vote for us!" The latest press release is from May 14th. As of now there is still no official information from Photobucket about the incident.

b. Although it was very thoughtful of Zettahost to put up an explanatory message on the website that users were redirected to (the website that users got instead of Photobucket), the message was obviously written by someone who is a non-native speaker of English. As a result of the awkward grammar, some users thought it couldn’t have been written by a real company, and that this was still a site controlled by hackers.

The message goes:

================================================
IMPORTANT! Photobucket.com problem read here:
Last night Photobucket.com DNS at register.com was hacked by malicious people that are trying to compromise our business!
We are in no way affiliated with such bad deeds and cooperate with photobucket in capturing these individuals.
They have pointed the domain photobucket.com to an account hosted on our systems!
We have blocked that and photobucked techs have restored the domain pointing to its original location!
ALL account information and pictures on photobucket.com are OK, please have patience!
Unfortunately the complete DNS replication usually takes 24-48 hours and during this time caches DNS records might still point to us!
The normal operation of Photobucket is restored and as soon as the replication is complete there should be no further such issues!
We would like to emphasize that we are in now way responsible for what happens with photobucket and all users bumping across our systems!
We are a legitimate web hosting company operating since 2003 and in no way tolerate such hacking attempts!
If you have any questions please do not hesitate to contact us at abuse@zettahost.com!
Thanks for your patience and understanding!

================================================

It looks like a waiting game now…

Bookmark this page or subscribe to the "That Danny!" blog to follow updates.

============================================
MORE PHOTOBUCKET INFORMATION:
For the background to this story - go here.
============================================


18 Jun 2008

Photobucket hacked – and how not to handle your customers when you get hacked!

Above: Photobucket down - site as seen by some users yesterday.

Photobucket was hacked yesterday, using what seems like a dns hack*
*see "what is a DNS hack?" at the bottom of this post.

Because the Photobucket outage was dns based, it meant that some people could still access the site, whilst others either got a hackers message, or a completely different website.

Users on discussion boards started debating the hacking with headlines like: "Was Photobucket site hacked?", "Photobucket hacked!" and "!!!Photobucket.com Has Been Hacked!!!"... you get the picture. In other words, it was all over the Net, with screenshot evidence and some genuine concern from users about the ability of Photobucket to keep their content and payment details safe.

What concerns me most about this story isn't actually the hack itself. What I find worrying is that Photobucket didn't put their hands up and say: "yes, we were hacked, Photobucket was down" or "yes, we suffered a dns hack!" or even, "it appears that Photobucket suffered a dns hack, we are looking into it and will come back to you as soon as we know more".

Instead what Photobucket did was:
a. say nothing on their blog.
b. say nothing on their site.
c. When users started discussing this on Photobucket's own support forums, their admin came back with this:
"On Tuesday afternoon, some users that typed in the Photobucket.com URL were temporarily redirected to an incorrect page due to an error in our DNS hosting services. The error was fixed within an hour of its discovery, but due to the nature of the problem, some users will not have access to Photobucket for a few hours as the fix rolls out. It is important to note that only a portion of Photobucket users encountered the problem and that no Photobucket content, password information or other personal information was affected by the redirect."


"due to an error in our DNS hosting services."? An error, as in a technical error? One that happened to redirect users to a message from a Turkish hacker?

This is very old-school: 'let's not admit anything and hope for it to go away'. The problem is that on the Internet, you can't use these sort of tactics anymore. Users have become more savvy, and they expect the kind of openness that Jeff Jarvis demanded from Dell, during his "Dell Hell" experience.

The key message here is: if you put your hands up and say - this is what went wrong, and here's what we're doing to fix it, users will trust you. If you don't tell the truth and your customers suss you out, they will rightfully ask: 'what else are they hiding from us?' Would I know if my details ever got compromised? Why should I trust this company?

It's still early hours - Photobucket, you could still issue a statement and tell us what has actually happened. Why was Photobucket down? Leave it longer, and your users might not be as forgiving.
UPDATE: Some two days have passed since this started, and still nothing official on the company's website, nothing on its blog and nothing in the press area.

Still not able to access Photobucket? Click here for some help.

============================================
What is a DNS hack? DNS (the Domain Name System) is the directory that turns a name like www.thatdanny.com into the numeric address (for example 66.118.156.62) that your browser actually connects to, much as a phone book turns a name into a telephone number. When you enter a URL, your computer asks a DNS resolver (usually your ISP's) for the address; the resolver fetches it from the name servers that the domain's registrar points to, and then caches the answer for as long as the record's time-to-live (TTL) allows. If an attacker can change the record at the registrar or at the DNS hosting company, every resolver that asks from then on sends its users to the attacker's site, and resolvers that already cached the bad answer keep handing it out until the TTL runs out. That is why different users saw different things, and why the fix took hours to reach everyone even after the record was corrected. This is what appears to have happened with Photobucket.
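The explanation above is also the basis for checking, from the outside, whether you are still getting a hijacked answer and roughly when it will clear. As an added example (my code, not from the original post), here is a Python script that compares what several resolvers return for a name against the addresses the owner says are correct, and works out from each resolver's remaining TTL when its stale cache must expire. The resolver names, the domain and the addresses are constructed (documentation IP ranges); in real use you would collect each resolver's answer and TTL with something like `dig @<resolver> <name> A` and feed them in.

```python
"""Do the resolvers agree on where a name points, and when will a cached
hijacked answer expire?

Added example, not part of the original post. Resolver names, the domain,
the addresses and the TTLs below are constructed.
"""
from datetime import datetime, timedelta

# Addresses the domain owner says are correct (constructed).
EXPECTED = {"photobucket.example": {"192.0.2.10", "192.0.2.11"}}

# Constructed answers: resolver -> (set of addresses returned, TTL seconds remaining).
ANSWERS = {
    "isp-a-resolver": ({"192.0.2.10", "192.0.2.11"}, 300),
    "isp-b-resolver": ({"198.51.100.77"}, 82000),   # still serving the hijacked record
    "public-resolver": ({"192.0.2.10"}, 120),
}


def classify(name, answers, expected):
    """Label each resolver 'ok' (only correct addresses), 'wrong' (none correct)
    or 'mixed' (some of each, e.g. a partly poisoned load-balanced set)."""
    good = expected[name]
    verdict = {}
    for resolver, (addrs, _ttl) in answers.items():
        if addrs <= good:
            verdict[resolver] = "ok"
        elif addrs & good:
            verdict[resolver] = "mixed"
        else:
            verdict[resolver] = "wrong"
    return verdict


def expiry_times(answers, verdict, now):
    """For every resolver that is not 'ok', the time by which its cached record
    must have expired, so it will re-query and pick up the corrected data."""
    return {r: now + timedelta(seconds=answers[r][1])
            for r, v in verdict.items() if v != "ok"}


def all_clear_by(answers, verdict, now):
    """Worst case: when the last stale resolver cache should have refreshed."""
    times = expiry_times(answers, verdict, now)
    return max(times.values()) if times else now


if __name__ == "__main__":
    now = datetime(2008, 6, 19, 22, 15)     # the time of the blog update above
    verdict = classify("photobucket.example", ANSWERS, EXPECTED)
    for resolver, state in verdict.items():
        print(f"{resolver}: {state}")
    print("stale caches clear by:", all_clear_by(ANSWERS, verdict, now))
```

Here one ISP resolver is still handing out the attacker's address with nearly a day of TTL left, which matches the "24-48 hours" Zettahost warned about; the others have already picked up the corrected record. Note that this bounds the resolver cache only: your own operating system and browser keep their own small caches, which is why flushing the local DNS cache (or simply restarting the browser) sometimes fixes it sooner.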

============================================
MORE PHOTOBUCKET INFORMATION:
For the latest updates - go here.
============================================
