In Internet years, AOL and its webmail counterpart AOL Mail are beyond ancient at this point. A relic of electronic mail history, the majority of users have long since jumped ship for Gmail or Yahoo.
Yet those who still have accounts with AOL were no doubt unhappy when they discovered last weekend that a slew of old AOL Mail accounts had been hacked to send spam to their friends.
While it’s unclear exactly how many users’ accounts have been compromised at this point, multiple users have complained on Twitter that their accounts – some which naturally have not been used for years – were compromised and used to send spam to other users.
AOL acknowledged the hack late yesterday and pointed out that it’s likely affected users weren’t hacked but spoofed, and that it’s doing everything in its power to correct the issue.
“AOL takes the safety and security of consumers very seriously, and we are actively addressing consumer complaints,” AOL said in a statement Tuesday, “We are working to resolve the issue of account spoofing to keep users and their respective accounts running smoothly and securely.”
As AOL notes, spoofing attacks are basically spam emails that appear to come from the victim but are technically coming from the spammers’ email account and are sent via the spammers’ server.
While spoofing attacks are nothing new this particular campaign appears to have really started picking up steam over the weekend. The hashtag #AOLhacked on Twitter has seen users bemoan the service’s security and others cracking their fair share of jokes since Sunday.
Since there’s a difference between being hacked and being spoofed, there’s nothing users can really do prevent the spammer from continuing to spoof their email accounts. Users can change their passwords and delete their contacts but it doesn’t really matter – the spammer already has a copy of the victim’s address book.
The company’s mail Twitter page, @AOLMailHelp, said it plain and simple yesterday: “Once your account if spoofed, there is nothing else that can be done.”
Some experts, like web designer and programmer Brian Alvey, however are speculating that AOL Mail may have suffered an address book webmail exploit.
“When you load [Yahoo’s] webmail interface your browser makes several calls into AOL for data. One is to login. Another is to load all the messages in your inbox. Another is to load your address book so you can a) see who your friends are and b) easily send them email, auto-completing addresses as you type them,” Alvey wrote in a blog entry last night.
“Each of those data calls should have security checks.”
Alvey surmises that there may not have been a security check like this in place, something that could allow an attacker to bypass security and secure access to users’ address books without being forced to guess passwords or go through the trouble of hacking into the affected accounts.
In the meantime, even though it may not help, it may not hurt for anyone with an old AOL Mail account to change their password and to steer clear from any suspicious looking emails, especially those that direct you to a murky looking link, like the one above.
Provided from: threatpost.