Pile on the protection with a DIY security suite
Although you can never eradicate the threat of malware when probing the web's dark recesses, slapping on as many layers of security as possible will make you less of a target. Here, we show you how to pile on the protection for free.
Secure your webmail to stop scams
Imagine having to explain an email message that asks your friends for money - a message sent from your webmail account.
That's exactly what's happening: scammers are breaking into such accounts and, from those addresses, sending email messages to the victims' entire contact lists. The messages often tout a website or ask for money directly.
It's a new, dastardly twist on an old scam. Crooks have long used harvested addresses in the ‘From:’ field on junk email to make messages look realistic. But because antispam measures have been getting better at blocking such spoofed spam, the bad guys are now breaking in and sending email from actual accounts.
Maureen Arnold was hit by such an attack. When she checked her MSN mail one day, she found several warnings about undeliverable messages that had been sent from her account but that she hadn't written, along with messages in her Sent box.
The scam email - touting a site selling electronic products - went out to her family and friends. Similar attacks have asked recipients to wire money to a particular account; some have even deleted an account's contact list afterwards.
The attacks underscore an oft-ignored fact: webmail accounts are a major target because they have value. A recent report by the Anti-Phishing Working Group says the most common types of logins stolen by keylogger malware are for financial websites, e-commerce sites and webmail. In addition to hijacking an email account to send out messages, crooks can often glean information that helps them break into a victim's financial accounts.
The first step to protecting your webmail is to keep your PC clean of malware. But this isn't a complete solution: Maureen checked her PC with multiple security scanners after the break-in and found nothing.
Another important step is to assume that any public or borrowed computer that you've used to check your webmail account was infected with a keylogger and that your account login was stolen. Change your password as soon as you can, on a trusted, secure computer.
Jeremiah Grossman of WhiteHat Security identifies another point of entry: crooks often lift webmail account details after breaking into other sites. Many sites require your email address for logging in and, since many of us use the same password to log into several sites, these details are potentially exploitable.
First, ensure that you use a unique password for your webmail account. Free tools such as Password Hash can consolidate passwords. Second, when signing up for new accounts, use a ‘disposable’ email address - ISPs such as BT offer such a facility. There's a similar feature in the premium Yahoo Mail Plus service (£12 per year). Anonymizer's Nyms service costs a similar amount and works with any email account.
Erik Larkin and Rick Broida contributed to this piece