Many early Internet users had AOL e-mail addresses at one time or another -- and some still have active accounts they rarely, if ever, use. Considering the rise of AOL-related zombie spam this week, it may be time to delete those old AOL e-mail accounts.
AOL on Monday admitted it’s investigating a security incident that involved “unauthorized access” to its networks and systems. In other words, the ISP was hacked. The company is working with forensic experts and federal authorities to investigate the incident and determine how cybercriminals were able to steal the personal information of its e-mail account holders.
“This information included AOL users' e-mail addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information,” the company said in a statement. “We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2 percent of our e-mail accounts.”
Who’s Behind the Zombie Spam
We caught up with Andrew Conway, a research analyst at messaging protection firm Cloudmark, to get his take on the zombie spam fallout. He told us there are two or three different groups involved in monetizing the zombie spam. One group is known as Com Spammers.
“The Com Spammers currently have three forms of monetization -- diet pills, miracle skin cream, and a pernicious work from home scam that involves extracting larger and larger payments for training and services based on the promise of future riches,” Conway said.
“Similarly, if you order the diet pills, you will find yourself signed up for a monthly purchase on your credit card, which is very hard to cancel. We estimate that the revenue generated by this group is millions of dollars a year. They are spending $50,000 to a $100,000 a year in domain registrations alone,” he added.
it appears one of the Com Spammers accessed information on a number of AOL accounts and started sending out high volumes of spam about two weeks ago, Conway said. The zombie spam used the “from” address of the hacked account and sent the spam to everyone in the victim’s address book.
Where Does DMARC Fit In?
Conway explained that there are two standards that have long been available to allow senders to digitally sign an e-mail message -- and guarantee it was actually sent by the account holder. However, he added, there was no standard about what to do if the message was unsigned or if the signature was invalid until DMARC (Domain-based Message Authentication, Reporting and Conformance) came along in 2012.
The DMARC standard allows the domain owner to use a DNS record to specify exactly how he would like unsigned or forged e-mails with his domain in the “from” address to be treated, Conway said. Unfortunately for end users, not all e-mail is tested with DMARC and large Web mail providers at first were slow to use it. AOL just changed its DMARC policy to “reject,” which better protects e-mail addresses on its system from unauthorized use. Conway uses Yahoo as an example of how DMARC helps.
“There are legitimate reasons why someone might use a Yahoo mail address, say, but not use Yahoo for delivery, the most common ones being legitimate bulk mailings by an e-mail service provider or traffic through mailing lists,” Conway said.
“However, there are alternative methods for dealing with both of those cases, and three weeks ago Yahoo decided that e-mail with forged Yahoo headers was enough of a problem that they would change their DMARC settings to request deletion of unsigned mail with a Yahoo from address," he said. "In the three weeks since this change, Cloudmark has seen a 30 percent reduction in spam with Yahoo headers, compared with the prior three weeks, so it is clear that this was a good decision.”