The culprits, who like to call themselves hackers, use various methods to pursue users' passwords. AOL and the NCSA cautioned members about one of the more devious methods: sending unsuspecting members programs that will actually "watch" keystrokes and then ship them back to the sender. The sender then reads the keystrokes to figure out the member's password.
America Online has long been a target of con artists and password thieves who, like seniors playing tricks on high-school freshmen, like to prey on AOL members, known for having easy Net access and, often, their naiveté.
Once someone has a user's password, he or she can do anything from logging on and posting viruses to doing other damage while masquerading as that user. Mostly, however, the person will simply appropriate the account to get free time on the service.
In this case, though, AOL members actually are tricked into downloading malicious programs. Usually the programs are sent as email attachments, promising to perform some spectacular feat such as delivering utilities to the user. Once a user downloads the program, a "Trojan horse," named so because it hides within a larger program and attacks when it is launched, will do its work without the user's knowledge.
That's why users should never download programs from email attachments unless they are sure they know exactly what they are and from where they came. Even then, they should scan each and every attachment with an up-to-date antivirus program.
While Trojan horses are particularly nasty, they aren't the only way people get member passwords. By far, the most popular way to steal passwords is to simply trick users into handing them over, much in the same way a con artist gets people to hand over their money.
AOL members, especially those who frequent chat rooms, are constantly bombarded by people trying to get their passwords. The culprits, who for the most part seem to be teenage boys, call the method "phishing"--in other words, going on a fishing expedition for passwords.
The scenario goes like this: A user is hanging out in a chat room when all of a sudden he or she gets an Instant Message. The person sending the message (called an IM in AOL jargon) claims to be an AOL staffer who supplies some odd reason for needing a member's password.
This is such a common occurrence that almost anyone will get "phished" after some time in a chat room.
In one instance, someone sent the following message: "Hi there. My name is Steve Case and I am the CEO here at AOL. We have misplaced your billing information. Please state your password at this time so we can retrieve your lost billing information. Thank you."
AOL is constantly reminding its members that no one in a legitimate capacity will ever ask for passwords or other information on the service. It even posts a permanent warning in red below the Instant Message box, saying, "Reminder: AOL staff will never ask for your password or billing information."