Where's that virus?
July 1, 2013 8:49 AM

Father-in-law's got hacked/a virus. He's been sending out one-link emails to all his contacts. I went into his webmail for him and changed his password to something a little more secure - but his contacts aren't stored there (and neither's his sent mail), so it's got to be his machine, right? But I've done the full Deezil and found absolutely nothing. Not a sausage. So, where can this little nasty be hiding? He's running 64-bit Windows 7 with an up-to-date Norton AV. His mail client is Windows Live Mail.
posted by monkey closet to Computers & Internet (11 answers total)
 
It may not be a bug. It may just be a bot spoofing his e-mail address to send out its spam. If you're really, really sure there are no bugs on the machine, that's probably what's happening. If so, all you can really do is wait for the cascade to stop.
posted by headspace at 8:56 AM on July 1, 2013


Could he have fallen victim to a type of phishing that did not involve installing malware, but led him to provide his credentials to a fraudulent login page? Did the spam sending stop when you changed his password?
posted by Inspector.Gadget at 8:56 AM on July 1, 2013


This could be a Joe job.
posted by Chocolate Pickle at 8:59 AM on July 1, 2013


Response by poster: All: yes, it's very possible. The one thing that makes me think it's not is the access to his contacts...
posted by monkey closet at 8:59 AM on July 1, 2013


You don't know that this is confined to his contacts.
posted by Chocolate Pickle at 9:00 AM on July 1, 2013


The one thing that makes me think it's not is the access to his contacts...

They could have hacked the webmail, copied all the contacts, then just joe-jobbed them (no need to continue to use the webmail after they had all the email addresses).
posted by EndsOfInvention at 9:06 AM on July 1, 2013


They only really need continuing access to the victim's email account if they are doing the kind of scam where they pretend to be the victim (asking for money etc.) and thus need to view the replies. In this case they're sending out links (to online shops or viruses or for phishing or whatever), so they only needed to copy the contacts.
posted by EndsOfInvention at 9:07 AM on July 1, 2013


Is he on Yahoo mail?
posted by adamrice at 9:11 AM on July 1, 2013


"his contacts aren't stored there" -- do you mean he hasn't saved any contacts in his webmail? I imagine that email spammers would pull email addresses from sent messages, if not just any messages in the inbox.

Also, what is his webmail provider?
posted by filthy light thief at 9:21 AM on July 1, 2013 [1 favorite]


He may use a different contact list as the preferred contact list on his PC, but may still have contacts in Live webmail, especially a list of people he has sent mail to or received mail from. Change the password again to something that's 12+ characters and secure. Long passwords aren't that hard to type. I'm lazy and add the upper case and non-alphanumeric characters at the end or the beginning (except on my super-secure MeFi password, of course). Spam can be sent via a different email client, using the Live webmail server, so you won't see the sent mail. Or the spammer can harvest the email addresses he has sent mail to or received mail from, and send mail to them with him as the visible sender, but not the real sender.
posted by theora55 at 11:16 AM on July 1, 2013
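The joe-job explanation from EndsOfInvention above and theora55's point about the visible sender not being the real sender can be settled from the headers of one of the spam messages as a contact actually received it. The script below is an added example for this thread, not code from any of the posters: it parses two constructed messages (the provider domain mailprovider.example, the hostnames and the IP addresses are assumptions) and reports whether the message was handed to the recipient's server by the provider's own outbound host with a passing SPF result, which points at the account or a client logged into it, or by an unrelated host with a mismatched envelope sender, which is the spoofing pattern and means the webmail account need not be involved at all.

```python
"""Triage a spam sample forwarded by a contact: sent through the father-in-law's
provider, or merely spoofed to look that way?

Added example for this thread, not code from the original posters. Both
messages are constructed; the provider domain mailprovider.example, the
hostnames and the IP addresses are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

PROVIDER_DOMAIN = "mailprovider.example"  # assumed: his webmail provider

# Constructed sample 1 (joe job): the visible From: is his address, but the
# envelope sender and the host that delivered to the recipient's MX belong to
# an unrelated server, and SPF fails.
SPOOFED_SAMPLE = """\
Return-Path: <bounce-4412@relay.spam-example.net>
Received: from relay.spam-example.net (relay.spam-example.net [203.0.113.45])
\tby mx.recipient.example (Postfix) with ESMTP id A1B2C3
\tfor <friend@recipient.example>; Mon, 1 Jul 2013 08:00:00 +0000
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=relay.spam-example.net
From: Dad <dad@mailprovider.example>
To: friend@recipient.example
Subject: hi

http://link.invalid/x
"""

# Constructed sample 2 (compromised account or client): the message really went
# out through the provider's outbound servers under his envelope address and
# SPF passes, so something logged into the account did the sending.
COMPROMISED_SAMPLE = """\
Return-Path: <dad@mailprovider.example>
Received: from smtp-out3.mailprovider.example (smtp-out3.mailprovider.example [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTP id D4E5F6
\tfor <friend@recipient.example>; Mon, 1 Jul 2013 08:00:00 +0000
Received: from webmail-fe2.mailprovider.example ([10.4.2.17])
\tby smtp-out3.mailprovider.example; Mon, 1 Jul 2013 08:00:00 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailprovider.example
From: Dad <dad@mailprovider.example>
To: friend@recipient.example
Subject: hi

http://link.invalid/x
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """Domain part of the address in a From: or Return-Path: header."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def delivering_host(msg) -> str:
    """Host that handed the message to the recipient's MX.

    The topmost Received: header was written by the recipient's own server, so
    its 'from' clause is the only hop the recipient can vouch for; the lower
    Received: lines arrived with the message and can be forged by the sender.
    """
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = RECEIVED_FROM.match(received[0].strip())
    return m.group(1).lower() if m else ""


def spf_result(msg) -> str:
    """SPF verdict recorded by the recipient's MX, or 'none' if absent."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def classify(raw_message: str, provider_domain: str = PROVIDER_DOMAIN):
    """Return (verdict, evidence) for one raw message as the contact received it."""
    msg = message_from_string(raw_message)
    host = delivering_host(msg)
    evidence = {
        "from_domain": domain_of(msg.get("From", "")),
        "envelope_domain": domain_of(msg.get("Return-Path", "")),
        "delivering_host": host,
        "spf": spf_result(msg),
    }
    via_provider = host == provider_domain or host.endswith("." + provider_domain)
    if (via_provider and evidence["spf"] == "pass"
            and evidence["envelope_domain"] == evidence["from_domain"]):
        verdict = "compromised-account-or-client"
    else:
        verdict = "spoofed-sender"
    return verdict, evidence


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_SAMPLE), ("compromised", COMPROMISED_SAMPLE)):
        print(name, *classify(sample))
```

Ask one of the contacts to forward a sample as an attachment (or "show original") so the headers survive, then run `classify()` on it with the real provider's domain in place of the assumed one. A "spoofed-sender" verdict means changing the webmail password and scanning the PC will not stop the flood, which is exactly the wait-it-out situation headspace describes; a "compromised-account-or-client" verdict means the mail is leaving through the provider and the account, its app passwords and any client still logged in to it are where to look.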


How frequently are these single link emails being received by his contacts, and would it be possible to take the suspect machine off grid for 3 to 5 times that interval? If it's no longer networked, and the spam keeps coming, then it's not his machine.
posted by radwolf76 at 2:45 AM on July 3, 2013

