Tech Tips

July 12, 2018

How Malware Can Make You Spam Others

For today's Cyber Fu tip, we're learning about personal email use at work. The reasons never to use a personal email address at work, for any work function, keep piling up.

Your email address book makes the workday much easier. When you need to email someone, you just start typing their name in the "To:" field, and their email address pops up. Convenient.

Unless malware steals your address book's contents. Then it becomes a hassle…for everyone in the address book!

Malware Can Steal Your Address Book

A customer recently experienced this problem. This customer had one of our engineer's personal email address in their Address Book. (Used as a test years ago, unknowingly auto-saved.) Then the customer clicked a malware link sent via email. Nothing appeared to they didn't report it.

However, something did happen behind the scenes. A day later, everyone in their address book began receiving spam emails…from our engineer's personal email address!

Recognizing what had happened, we contacted the customer and resolved the issue and before anyone else clicked the spam.

How an Address Book "Hijack" Happens

In cybersecurity lingo, this behavior is called an "address book hijack." It works like this:

  1. You click a link in a malware-infected email.
  2. The webpage at the link installs malware on your computer.
  3. This particular malware contacts a cybercriminal's web server and says, "Hey, I found a whole address book full of email addresses!"
  4. The web server copies all those email addresses off your computer. We call this, 'harvesting.' You don't see any of this happening.
  5. The web server starts sending spam to the harvested email addresses. The spam emails use one of the harvested emails in the "From" field.
    1. The spam isn't actually coming from the person whose email you see…the spammer just wants you to think that. It's called 'email spoofing.'

How to Stop Address Book Hijacks

If your computer suffers an address book hijack, this is what you do:

  1. Notify people in your Address Book. A simple, "That last email wasn't me, don't click the link!" message will do.
  2. Remove the malware. Start with a Malwarebytes scan. If that doesn't work, contact your IT department or consultant.
  3. Clean out your address book. Any email addresses you don't recognize, and/or can't find in your Sent Items? Delete them. Sometimes the malware will insert dummy addresses cybercriminals can use to find you later.

These hijacks tend to burn themselves out after 1 or 2 rounds of spam. Cyberattack-wise they're low-risk. Still, it's better to prevent them…which is easy to do.

  • Run an anti-malware app on every workstation, like Malwarebytes. These can catch & block most hijacks.
  • Run cloud backups. Preserves the data just in case the worst happens.
  • Never use personal email for work purposes! Personal emails don't have as many malware protections built in, making them more susceptible to hijacks.


What are your cybersecurity questions?  Please email us at!