The Anatomy of an E-Mail Hack

How Do E-Mail Viruses Spread? How Should You Protect Yourself?


July 7, 2010—

If only inboxes came with a warning label.

Delivery notices from the post office, messages from out-of-touch friends and headlines from seasonal sporting events look innocent enough when they arrive in emailform.

But they all can bear malicious links ready to unleash computer-enabled chaos with just a single click.

Most of us have received the horrified e-mail: "My e-mail was hacked!!! I'm so sorry!" Some of us have even sent one ourselves. But how exactly do e-mail viruses spread? And what should you do if one ensnares you?

"The goal of a computer virus, really, is to self-propagate," said Aaron Higbee, chief technology officer of the New York-based computer security firm Intrepidus Group. "You have to look at the motivation of the people these days and, most of the time, it's money."

Written by a programmer or purchased by a criminal, an e-mail virus is a piece of computer code transmitted via email and intended to run on any computer.

Sometimes, the code is embedded in an attachment and installed after the victim opens it up. But increasingly, Higbee said, the code is installed when the victim clicks on a Web link and is directed to an infected site.

Hackers Want to Turn Your Computer Into a Zombie

Once it gets its hooks into your computer, the virus can scan word documents, spreadsheets and address books, on the prowl for other active e-mail addresses to target.

"Usually, that initial attack is just to set-up and maintain access. They just want to turn your computer into an infected bot that just waits for instructions," Higbee said.

Without your knowledge, he said, a hacker could use your so-called "zombie computer" as part of a greater network of machines to do their nefarious bidding.

Some hackers could sell or rent time with your computer, others might install code that logs keystrokes and steals passwords so that when you go to your online banking site, it learns how to sign in as you to siphon money out of your account.

For some victims, the telltale sign of a computer hijack is when the confused e-mail arrives from an estranged ex.

But for most, Higbee said, "The bounceback [e-mails] will usually be the first clue that the computer is infected."

First Clue of a Virus: Bounceback E-Mails From People You Didn't E-Mail

If you start seeing messages letting you know that e-mails you didn't send didn't reach their intended recipients, it's time to start making sure your anti-virus software is installed and up-to-date, he said.

While many computer users might assume they're safe because they installed anti-virus safe once upon a time, Higbee said that installing software once isn't necessarily enough.

"A lot of people will have something that comes with the computer that updates for 30 days or one year, but once it expires it's no longer effective," he said. "First make sure that it's running ... and your computer is getting the updates."

If the software has lapsed, he advised installing antivirus software from a full-service company that offers free updates with the program. If the virus is still present after running virus removal and scanning programs, he said you might have to reload the entire the system.

After e-mailing everyone in your address book and letting them know about the breach, he said you should be good to go.

Sam Masiello, director of messaging security research at McAfee, said that though viruses no longer destroy computers, they can still wreak havoc on a person's life in other ways.

E-Mail Attacks Contribute to Identity Theft

"It can cause a lot of trouble from an identity theft perspective," he said. According to the Internet Crime Complaints Center, he said, individual fraud cases are up about 22 percent, from about 285,000 cases in 2008 to 336,000 cases in 2009. While not all of those cases are e-mail-related, he said they comprise a substantial chunk of the total.

"There's a lot of hassle from a personal perspective," not only in terms of fraud but also in terms of the emotional toll of unwittingly reaching out to people with whom you're no longer in contact, he said.

"If you have ex-boyfriends' and girlfriends' addresses, you could be sending malicious email to exes [and] others you don't want to be involved with anymore," he said.

If you want to keep your computer and personal lives free of complications, experts say the most important piece of advice is to read your electronic mail with a healthy dose of skepticism.

Keep Your Guard Up When You Read E-Mail

"What arrives in your inbox isn't really that much more secure than what arrives in your mailbox," said Richard Wang, U.S. manager for the Burlington, Mass. security firm SophosLabs. "You should treat it with the same sort of skepticism that you treat whatever arrives in your mailbox every day."

Some of the more prevalent e-mail viruses circulating these days are masked in messages intended to pique your interest, he said.

One common virus is carried in an e-mail purporting to be from the U.S. Postal Service or a delivery company alerting you to a package delivery. Another popular virus tempts victims with an e-mail claiming to be from a job applicant.

But he warned, unless you're sure of the sender, it's best to not let down your guard, especially since it's estimated that cybercriminals generate about 80,000 new malicious threats every day.

"One thing to remember is curiosity killed the cat," he said.