Hacked

So my wife received a spam message from herself. At first I thought it was one of those spams where the “From:” header is forged to match the recipient, but a closer look revealed that it was actually sent from her hotmail account to her yahoo account and to another dozen of her friends. Uh-oh.

So what happened? Was this a cross-site request forgery (CSRF) attack? She wasn’t logged into hotmail at the time the email was sent. However, that doesn’t necessarily mean anything: there have been various CSRF attacks where the account is backdoored so that its mail is sent elsewhere, and a subsequent password-reminder request then hands the attacker the goods. Or her session could still have been active even though the tab was long gone.
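To make the CSRF scenario concrete from the defender's side, here is an added example (mine, not anything from the original post and not Hotmail's code) of a hypothetical webmail "change mail forwarding" handler. The vulnerable version trusts any POST that arrives with the victim's session cookie; the hardened version additionally demands a per-session secret token that a cross-site page cannot read, checks that the session is still active, and the cookie helper marks the session cookie `SameSite=Lax; HttpOnly; Secure`. Session store, field names and addresses are all constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session (assumption: a real webmail backend would keep
# this server-side, keyed by the session cookie value).
def new_session(user="alice@example.invalid"):
    return {
        "user": user,
        "active": True,
        # Secret the browser only ever sees embedded in the site's own pages,
        # so a page on another origin cannot read it to forge a request.
        "csrf_token": secrets.token_urlsafe(32),
        "forward_to": None,
    }

def handle_forward_vulnerable(session, form):
    """Vulnerable: a cross-site auto-submitting form carrying the victim's
    cookie is indistinguishable from a legitimate settings change."""
    if not session["active"]:
        return "not logged in"
    session["forward_to"] = form["forward_to"]
    return "ok"

def handle_forward_hardened(session, form):
    """Hardened: require a valid, still-live session AND the per-session
    anti-CSRF token (compared in constant time)."""
    if not session["active"]:
        return "not logged in"
    supplied = form.get("csrf_token", "")
    if not supplied or not hmac.compare_digest(supplied, session["csrf_token"]):
        return "rejected: missing or bad csrf token"
    session["forward_to"] = form["forward_to"]
    return "ok"

def logout(session):
    """Explicit logout: kill the session and discard its token so a stale
    tab (or a forged request) can no longer act on it."""
    session["active"] = False
    session["csrf_token"] = ""
    return session

def session_cookie_header(cookie_value):
    """Set-Cookie attributes that limit cross-site sending of the session
    cookie (SameSite=Lax) and keep it away from scripts and plain HTTP."""
    return ("Set-Cookie: sid=%s; Path=/; HttpOnly; Secure; SameSite=Lax"
            % cookie_value)

if __name__ == "__main__":
    # A forged cross-site request: the attacker's page knows the field names
    # but cannot know the victim's csrf_token (constructed attacker address).
    forged = {"forward_to": "dropbox@attacker.invalid"}

    victim = new_session()
    print("vulnerable:", handle_forward_vulnerable(victim, forged),
          "->", victim["forward_to"])

    victim = new_session()
    print("hardened, forged:", handle_forward_hardened(victim, forged),
          "->", victim["forward_to"])

    legit = dict(forged, forward_to="me@example.invalid",
                 csrf_token=victim["csrf_token"])
    print("hardened, legit:", handle_forward_hardened(victim, legit),
          "->", victim["forward_to"])

    logout(victim)
    print("after logout:", handle_forward_hardened(victim, legit))
    print(session_cookie_header("constructed-session-id"))
```

The token check and the session check are deliberately separate: the token stops a forged request while the session is live, and logging out (the second half of the post's moral) stops any request, forged or not, once the user has walked away from the tab.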

Was it spyware? Windows Defender didn’t find any, and we run XP apps as an unprivileged user (which is a huge PITA, but that’s another story). It probably was not a dictionary attack, since her password is reasonably strong. It could simply be that her password was stolen, possibly from another site where the same password was reused.

I’m late to the party, but I imagine CSRF and related attacks are still very under-appreciated at the moment, and that’s particularly worrisome with all of the Web 2.0 applications about. Hotmail should know the score, but who knows. As my mind mulls over the possibility of such a bug in gmail, and the fact that I have three sessions open in it from various computers at the moment, I’m glad I have nothing of value in my gmail account and still use my own domain with mutt for official email. Stories like this one will only become more common. What if your confidential documents, stored on Google Docs, got surreptitiously emailed to everyone you’ve ever done business with?

So, I guess the moral is: get thee a password generator, and remember to log out of webmail!
