E-mails falsely claiming to be from the IRS are nothing new, especially in tax season. “Phishers” know that posing as the tax collector can lure unwary respondents into revealing their Social Security numbers and other personal information.
But the most recent IRS-related spam—with its attention-grabbing subject line “Notice of Underreported Income”—was more worrisome than most. In fact, some experts described it as the “world’s biggest e-mail virus problem.”
This e-mail contained a dangerous link that could unleash the Zeus trojan, software designed to steal online banking information stored on your home computer. Many individuals and small businesses who clicked on the link found later that funds—in some cases hundreds of thousands of dollars—had been transferred from their accounts to overseas hackers.
But this e-mail also had an unusually broad reach. For a few weeks in September, it accounted for as much as 10 percent of all spam in circulation, according to some estimates. Over all, the IRS hoax may have been sent about 15 billion times a day.
What’s more, your own computer may have been partly responsible.
That’s because this IRS e-mail was distributed via “botnets,” a network that uses home or business computers infected with hidden software to pump out spam.
About 88 percent of all spam—some 150 billion messages a day—is now sent via botnets, according to MessageLabs, the Internet security wing of Symantec, which manufactures Norton antivirus software. Some botnets comprise hundreds of thousands of individual computers, a high-tech zombie army sending spam messages by the millions.
“When bad guys use botnets, they can send out huge volumes of spam mail without having to pay for it” by buying e-mail addresses from brokers, notes Paul Wood, a security analyst with MessageLabs. In some cases, friends and family members in your online address book may receive pitches for phony Viagra or other products.
Besides embarrassment, there’s the risk of identity theft.
“In order to be part of a botnet, malware is installed on a computer that gives the bad guys access to it,” Wood tells the Bulletin Today. “That can also give them access to your computer passwords, online banking accounts, and other sensitive information stored in your machine.”
Where Malware Lurks
Botnet malware is often downloaded by clicking on links to view videos and other “rich media.” Social networking websites, electronic greeting cards and websites promising celebrity photos are popular targets. But increasingly, malware is being planted on legitimate sites such as those for news outlets, says Wood.
It can be hard to tell if your computer is part of a botnet. Look for e-mail messages in your outbox that you didn’t send or incoming e-mails accusing you of sending spam. Malware is a possible suspect if your computer is slower than usual, makes strange noises or won’t run programs that used to operate.
If your computer is infected, a technician may be needed to detect and remove the invader. But there are steps you can take at home to minimize the risk:
* Regularly scan your computer—at least weekly, and ideally daily—with protection software. Keep the latest security “patches” installed. If you don’t know how to adjust settings for automatic updates, contact your software protection provider.
* Activate the protective firewall on your computer or network.
* Disconnect your computer from the Internet when you’re away from it.
* Frequently change your online account passwords, always using ones that are hard to hack.
Sid Kirchheimer is the author of Scam-Proof Your Life (AARP Books/Sterling).