I recently had an unpleasant experience that was shared with all of my e-mail correspondents (my apologies).
Somehow one of my e-mail accounts was compromised and many of my contacts received spam mail from “me.” I still don’t know quite how it happened. I’m fairly security-conscious, but not perfect. One error I made was that I hadn’t changed the password on my e-mail account for a long time. The second, larger, error was using the same general-purpose password on that account that I use on an assortment of non-financial accounts. The third, and also pretty big, error was that the password itself wasn’t very good—a dictionary word combined with a series of numerals. Bad.
I’ve since remediated those errors and hope that has put an end to this particular nastiness.
While I’m up here talking, I thought I’d share some very contemporary news. The Zeus Trojan, a very popular bit of malware, is currently being distributed via fake iTunes receipts (http://www.scmagazine.com/latest-zeus-attack-propagated-via-fake-itunes-receipt/article/180405/). The e-mail looks like a genuine iTunes receipt and appears to have been sent by Apple, but the dollar amount is huge. You think: what the heck is this??? Conveniently, there is a link included that you can click on if you have questions or concerns about the billing. You guessed it: the link takes you through a series of locations, eventually prompting you to download Adobe Flash Player. Are you getting worried? You should be.
You’re tired, you want to get on with business, Adobe continually pesters you to download updates…you click on it.
Zeus is now on your PC. The hot craze in Zeus payloads right now (http://www.scmagazine.com/zeus-botnet-targeting-macys-nordstrom-account-holders/article/192509/) launches a pop-up when you log into your Macy’s or Nordstrom’s account. The pop-up warns you that: “In order to provide you with extra security, we occasionally need to ask for additional information when you access your account online. Please enter the information below to continue.”
And then it asks for your credit card number, expiration date, security code, SSN, mother’s maiden name, date of birth…boy are you in trouble now.
The moral of this story, if there is one: keep your OS up to date (Microsoft has issued a patch that can detect and remove Zeus), be careful with what sites you visit, and be very, very careful with what downloads you authorize. (I’d go into your Control Panel, select User Accounts, and create a user account that is NOT an administrator, then use that account for all your day-to-day computer use. That will disable the ability to install many types of software in that account, happily, including many types of malware.)
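The Control Panel steps above can also be done and checked from PowerShell. This is an added example, not part of the original post; the account name `daily-user` is a hypothetical placeholder, and it assumes Windows PowerShell 5.1 or later with the built-in local accounts cmdlets.

```powershell
# Added example: run once from an elevated PowerShell prompt.
$Name = 'daily-user'         # hypothetical name for the day-to-day account

# Built-in groups are addressed by well-known SID so this also works on
# non-English Windows installations.
$AdminSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$UsersSid = 'S-1-5-32-545'   # BUILTIN\Users

# Creating accounts requires elevation; stop early with a clear message otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this once from an elevated prompt, then sign in as the standard user.'
}

# Create the account only if it does not already exist, and place it in
# Users only (never in Administrators).
if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString
    New-LocalUser -Name $Name -Password $password `
        -Description 'Standard day-to-day account' | Out-Null
    Add-LocalGroupMember -SID $UsersSid -Member $Name
}

# Verify the day-to-day account did not end up with administrator rights.
$admins = Get-LocalGroupMember -SID $AdminSid
if ($admins | Where-Object { $_.Name -eq "$env:COMPUTERNAME\$Name" }) {
    throw "$Name is a member of Administrators; remove it before daily use."
}

# List every account that does hold administrator rights. Each of these can
# approve a software install, so this list should be short.
$admins | Select-Object Name, ObjectClass, PrincipalSource
```

When signed in as the standard account, an installer that needs system-wide changes triggers a prompt for an administrator's credentials instead of running silently.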
For those of you who are do-it-yourselfers, there are free kits readily available in certain places so that you can add your own malicious payload to the Zeus transport and distribute it for fun and profit.