The big question is “How did they obtain address books?”

Apr 23, 2014 07:05 GMT

Over the past few days, a large number of AOL customers appear to have sent out spammy emails to the people in their address books. The AOL accounts have not been compromised; instead, spammers are relying on spoofing to make it look like the messages come from a trusted person.

This is an interesting campaign that could involve an AOL Mail exploit.

“AOL is taking this step because spammers are sending email that appears to be from valid AOL email addresses. In fact, these emails do not originate from AOL or our customers. Rather, the outgoing addresses are edited by the spammers to make them appear to be legitimate AOL email addresses,” the AOL Mail Team said in a post published on Tuesday.

“By initiating this change, AOL Mail, along with other major email providers, will reject these spoofed email messages, rather than deliver them to the recipients' inboxes.”

For the time being, it’s uncertain how the spammers operate, but there are some plausible theories.

First of all, the email accounts from which the spam is sent out have not been hacked. The spammers are simply spoofing the sender’s email address. This is a common practice that allows spammers to send out messages that appear to come from any email address they want.

For example, they can send out an email that appears to come from [email protected] without actually having access to the account in question.
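The AOL statement above describes the receiver-side countermeasure to header spoofing: a policy published by the domain owner that tells other mail providers to reject messages whose `From:` domain is not backed by an aligned SPF or DKIM result. The Python below is an added example, not the article's or AOL's code, of how a receiving mail server applies such a policy (DMARC, which is the standard mechanism for this; the article does not name it). The DMARC records, domains and sample messages are constructed for the example, and the SPF/DKIM verdicts are assumed to have been computed upstream by the MTA, since the check itself needs no network access.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC TXT records keyed by domain (what a domain owner publishes
# at _dmarc.<domain>). Hypothetical domains, not real DNS data.
DMARC_RECORDS = {
    "example-mail.test": "v=DMARC1; p=reject; aspf=r; adkim=r",
    "strict-mail.test": "v=DMARC1; p=quarantine; aspf=s; adkim=s",
}


def parse_dmarc(record):
    """Parse a DMARC record into a tag dict; None if absent or not a DMARC1 record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    tags.setdefault("p", "none")      # requested disposition for failing mail
    tags.setdefault("aspf", "r")      # SPF alignment mode: r(elaxed) or s(trict)
    tags.setdefault("adkim", "r")     # DKIM alignment mode
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (an assumption
    made for the example; real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def lookup_policy(from_domain):
    """Exact-domain record first, then the organizational domain's record."""
    record = DMARC_RECORDS.get(from_domain) or DMARC_RECORDS.get(org_domain(from_domain))
    return parse_dmarc(record)


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict means exact match, relaxed means same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(raw_message, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', 'none', 'quarantine', 'reject', or 'no-policy' for a message.

    spf_result/spf_domain: SPF verdict and the envelope (MAIL FROM) domain checked.
    dkim_result/dkim_domain: DKIM verdict and the d= domain of the verified signature.
    A spoofed From: header fails because neither authenticated domain aligns with it.
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    policy = lookup_policy(from_domain)
    if policy is None:
        return "no-policy"
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


# Constructed sample messages (only the From: header matters to the check).
LEGIT_MSG = "From: Alice <alice@example-mail.test>\nTo: carol@example.test\nSubject: hi\n\nhello\n"
SPOOFED_MSG = "From: Alice <alice@example-mail.test>\nTo: carol@example.test\nSubject: look\n\nclick\n"
SUBDOMAIN_MSG = "From: Bob <bob@news.example-mail.test>\nTo: dave@example.test\nSubject: news\n\ntext\n"
STRICT_MSG = "From: Eve <eve@mail.strict-mail.test>\nTo: dave@example.test\nSubject: x\n\ny\n"
UNPROTECTED_MSG = "From: Zed <zed@no-policy.test>\nTo: dave@example.test\nSubject: x\n\ny\n"

if __name__ == "__main__":
    # Real sender: SPF passes for the same domain that appears in From:.
    print(dmarc_disposition(LEGIT_MSG, "pass", "example-mail.test", "none", None))
    # Spoofed From:: SPF passes only for the spammer's own envelope domain.
    print(dmarc_disposition(SPOOFED_MSG, "pass", "spammer.test", "none", None))
```

The spoofed message is the interesting case: SPF can legitimately pass for the spammer's own envelope domain, which is why the alignment step (comparing the authenticated domain with the visible `From:` domain) is what actually catches the forgery. Without a published policy the receiver has nothing to enforce, which is the `no-policy` outcome and the state AOL's announcement was moving away from.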

The problem is that the spammers have somehow obtained AOL Mail address books. Brian Alvey, who is also a victim of this operation, believes that the individuals behind this scheme could have used some kind of exploit in AOL’s webmail system to gain access to the information.

“[When] you load [AOL’s] webmail interface your browser makes several calls into AOL for data. One is to login. Another is to load all the messages in your inbox. Another is to load your address book so you can a) see who your friends are and b) easily send them email, auto-completing addresses as you type them,” the expert explained.

“Each of those data calls should have security checks. If there was a way to tell the servers to ‘give me the entire address book for this AOL email account’ that bypassed security, then spammers would have our address books without ever having to guess our passwords or otherwise hack into our accounts.”

Alvey believes that if this isn’t the case, the attackers have somehow obtained the address books “from inside of AOL.”
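The weakness Alvey hypothesises, a data call that names an account and is served after only an "is someone logged in" check, is the classic missing-authorization (insecure direct object reference) pattern. The Python below is an added example, not AOL's code and not anything Alvey published: it puts that flawed handler beside a hardened one that derives the account from the server-side session, and adds two detections a defender would run over access logs. The session store, address books, endpoint names and log format are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed in-memory stand-ins for a webmail backend: server-side sessions
# mapping to their owner, and per-account address books. Hypothetical data.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ADDRESS_BOOKS = {
    "alice": ["carol@example.test", "dave@example.test"],
    "bob": ["erin@example.test"],
}


class Unauthenticated(Exception):
    """No valid session was presented."""


def address_book_missing_authz(session_id, account):
    """The flawed shape: confirms that *some* user is logged in, then returns
    whichever account's address book the client names in the request."""
    if session_id not in SESSIONS:
        raise Unauthenticated()
    return list(ADDRESS_BOOKS.get(account, []))


def address_book_owner_only(session_id):
    """Hardened: the account comes from the server-side session, so the request
    carries no client-controlled owner parameter to tamper with."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise Unauthenticated()
    return list(ADDRESS_BOOKS.get(owner, []))


# Constructed access-log lines in a hypothetical format: the authenticated
# user of the session and the account whose address book was requested.
ACCESS_LOG = """\
2014-04-20T10:00:01Z user=alice account=alice path=/addressbook
2014-04-20T10:00:05Z user=bob account=bob path=/addressbook
2014-04-20T10:01:00Z user=u9 account=alice path=/addressbook
2014-04-20T10:01:01Z user=u9 account=bob path=/addressbook
2014-04-20T10:01:02Z user=u9 account=carol path=/addressbook
2014-04-20T10:01:03Z user=u9 account=dave path=/addressbook
"""

LOG_RE = re.compile(r"user=(\S+) account=(\S+) path=/addressbook")


def cross_account_reads(log_text):
    """Detection 1: every address-book read where the requested account is not
    the authenticated user. With the hardened handler this list is always empty."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(1) != m.group(2):
            hits.append((m.group(1), m.group(2)))
    return hits


def bulk_export_users(log_text, threshold=3):
    """Detection 2: users whose session fetched address books for at least
    `threshold` distinct accounts, the signature of a scripted harvest."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return sorted(user for user, accounts in seen.items() if len(accounts) >= threshold)


if __name__ == "__main__":
    # Bob's session can read Alice's book through the flawed handler...
    print(address_book_missing_authz("sess-bob", "alice"))
    # ...but only his own through the hardened one.
    print(address_book_owner_only("sess-bob"))
    print(cross_account_reads(ACCESS_LOG))
    print(bulk_export_users(ACCESS_LOG))
```

The design point is that the hardened endpoint has no `account` argument at all: authorization is not a check bolted onto the lookup but a consequence of only ever looking up the caller's own data. The log-based detections are the complement, since they surface either a handler that still accepts foreign account names or a session doing more address-book reads than a person would.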