

SPAM and Hijacked Outlook Contacts

Posted on 2010-11-28
Medium Priority
Last Modified: 2012-05-10
I recently began getting notices from some of my Outlook contacts that they have been contacted by "ME" via email with a link (one example of the link is:  http://bogdan.110mb.com/html.php).  This has happened several times, each time with a different "selection" from my Contacts list, and always with a link that ends in "php".  I have not followed the link fearing it is malware, and have notified everyone in my list to avoid opening attachments or following links UNLESS they come with a specific, non-generic cover note.  However, now that this is continuing, I am wondering if there is a way to stop it without cancelling my long-term email account.  I have run several scans of my system, and there doesn't appear to be anything ON my system.  Advice?



Question by:philsimmons
LVL 30

Assisted Solution

by:Britt Thompson
Britt Thompson earned 400 total points
ID: 34226930
You may have a rootkit or someone may be spoofing your email address or may have hacked into your email account. First, change your email password. Second, run scans with ComboFix (http://www.bleepingcomputer.com/download/anti-virus/combofix), Malwarebytes (http://www.malwarebytes.org/) and Hitman Pro (http://www.surfright.nl/en/downloads). Hitman Pro gets rid of rootkits that nothing else can touch.

Accepted Solution

ken2421 earned 800 total points
ID: 34227094
LVL 11

Assisted Solution

ocanada_techguy earned 800 total points
ID: 34230878
Change your passwords.
Do you use this email account for Facebook?  As a rule use different passwords for Facebook and the email account associated with Facebook.  Why?  Because rogue apps on FB will sometimes fool one into giving their credentials and then the first thing the rogue developers do is try that same password and email address to see if they can get in the email.
A similar but different phish that's a classic is websites that entice people to provide their email and password to find out who has them blocked on messenger or some other seemingly very useful and appealing but totally BS offer.

This is "social engineering".  Another bit of social engineering is they feel as though people are more likely to follow links and open their junk if it appears to come from somebody you know as opposed to a complete stranger.  Therefore what they often do, is once they get on someone's machine or get into someone's email, they look at all the email messages of the past, and then use the email addresses found in the messages as to who to pretend to be from and who to send to.

Example: among all the email messages there is an email that was forwarded to B, C, D, E, and F, from you A, and a bit further in the body of the message it shows it was sent to you A, along with P, Q, R, S, T from original sender Z.  Well, then the spammers send a spam A to B, D to A, S to Z, etc and so on, figuring these people "know" each other.

So you see, it might be something bad on your computer, or it might not be "on" your computer at all, it might be a website that you disclosed your credential to, or it might be a friend or acquaintance's email that was actually compromised and now it pretends to be all that person's friends.

By the way, this doesn't have to be people doing this, they write rogue programs to do it.  "bots"  That is what 90% of hijack virus spyware is used for, to try to capture your passwords, or get into your content, or glean your online banking information, or to hijack your computer and use it as a phony email server to send or be a relay point to send spam via.

Another big one is to get into the address book or online contacts.  Using Outlook are you accessing this email account as a hotmail, yahoo, or gmail account that simultaneously offers webhosted email?  Something else to check if it is a hotmail (aka Windows Live) is some of the latest hijack bots are also going into your account and deleting contacts and emails.  In hotmail on the menu Contacts> Manage contacts you can now undelete any contacts deleted in the last 30 days.  If they had deleted all of your emails, or most of them, you'd have to contact a Windows Live technician via the Windows Live forum fairly quickly, preferably within 24 hrs to a week, and they might be able to restore your email account contents.

If they are "spoofing" your account, what that means is they are sending email from a completely different email server but in the "from" field they are pretending to be you, and whatever different email server they are using for this has lousy security or is phony and allows that to happen.  There's not much you can do about that, but luckily such email usually gets directed to people's Junk folder as coming from suspect or blacklisted sources.

"Good" email servers now make sure that one signs on with correct credentials and is a legitimate user of that email server before allowing them to send.   That is why if the bad hacking hijack scripts and robots actually got into your actual account their spam email will be sent more successfully.

If you can examine the full header information of the spam emails that some of your friends are receiving supposedly from  you, with a little skill one can figure out what email servers the message was routed through and what original IP address the message was sent from.

If someone forwards you at least two of them at once as an attachment (because a traditional normal forward or reply strips the header), then you should be able to open them and look at their full headers.

IF for instance, the message was routed from your hotmail through nothing but hotmail servers as its origin, well that would be evidence that your actual account was actually compromised.
On the other hand if it is going through bad or phony servers, best thing we all can do is identify it as junk, so the good servers and filters will learn, which is just a click away in hotmail, yahoo or gmail.

Unfortunately once they've got those email addresses in their list(s), they'll continue to try to send to them.

You want to make it difficult to use yours, and be fairly certain your system is not still compromised (using anti-spyware anti-malware anti-virus techniques already given by experts above), AND you most definitely want to be certain that your accounts are secured.
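
Added example (not part of the original answers): a sketch of the header check described above, which reads the `Received` lines of a message saved with full headers and reports whether the first server to accept it belongs to the sender's own mail provider. The sample message, host names, addresses and the `mail.example` provider are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): claims to be from alice@mail.example.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.10])
\tby inbox.recipient.example with ESMTP; Sun, 28 Nov 2010 10:00:05 +0000
Received: from relay.unrelated.example (relay.unrelated.example [203.0.113.7])
\tby mx.recipient.example with SMTP; Sun, 28 Nov 2010 10:00:03 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.unrelated.example with SMTP; Sun, 28 Nov 2010 10:00:01 +0000
From: Alice <alice@mail.example>
To: bob@recipient.example
Subject: hello

(body omitted)
"""

def _field(pattern, header):
    m = re.search(pattern, header)
    return m.group(1).rstrip(";") if m else None

def hops(raw):
    """Return the Received hops oldest-first; each server prepends its own line."""
    msg = message_from_string(raw)
    return [
        {
            "from_host": _field(r"\bfrom\s+(\S+)", h),
            "ip": _field(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", h),
            "by_host": _field(r"\bby\s+(\S+)", h),
        }
        for h in reversed(msg.get_all("Received", []))
    ]

def sent_via_provider(raw, provider):
    """True if the first server to accept the message belongs to `provider`.

    Lines below the recipient's own server are written by upstream hosts and
    can be forged, so treat the result as a lead to confirm, not as proof.
    """
    chain = hops(raw)
    if not chain or not chain[0]["by_host"]:
        return False
    host = chain[0]["by_host"].lower()
    return host == provider or host.endswith("." + provider)

if __name__ == "__main__":
    for hop in hops(SAMPLE):
        print(hop)
    print("via provider:", sent_via_provider(SAMPLE, "mail.example"))
```

A `False` result on a message that claims your address points toward spoofing through an unrelated server; a `True` result is the case the answer above describes as evidence that the account itself was used.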

Author Comment

ID: 34232385
Together these comments formed the most thorough (and, hopefully, most effective) solution I've ever received.  THANKS !!

Expert Comment

ID: 35319631
When I start outlook up, it starts sending emails to my contacts.  I have downloaded and installed all of this stuff, and NOTHING is finding anything.

This must be something new, any ideas?


Question has a verified solution.
