The Melissa Virus is malware that was deployed in late March of 1999. A programmer by the name of David Lee Smith took over an America Online (AOL) account and used that account to post a file on an Internet newsgroup. The posting advertised free login credentials to adult content websites, using the file as bait. Once the users on the website downloaded and opened the file, a virus was deployed onto their computer. The virus hacked into the user's Microsoft Outlook account and sent emails with the same malicious file to the first 50 contacts in the contact list. This was one of the first big attacks that caught people's attention, and one of the first real phishing attacks. This attack was a harbinger of our online future, as today we continue to be plagued by even more sophisticated social engineering and phishing attacks.
As an SMB Owner, what does this mean for me?
The Melissa virus cost companies millions of dollars in damages. As a business owner, make sure your company’s cybersecurity program includes the following protections:
- Train your employees. Have a robust awareness program in place that teaches them how to spot and avoid email-based phishing attacks, social engineering, and many other modern hacker attack methods.
- Govern your employees with policies on Information Handling, Acceptable Use of Computers, and Passwords at a minimum.
- Have a Risk Assessment performed on your company to understand the potential threats and vulnerabilities you face. Once you decide on a budget, create a remediation plan to begin reducing your risks to an acceptable level.
- Test your employees with Phishing attacks at least quarterly, preferably more often.
- Ensure you have technical protections in place to protect you when your training and governance fail and employees click on a hacker's lure. Antivirus, spam filtering, removing Administrator rights from your Windows desktops, and deploying a Password Manager are all strong starting activities for companies with low cybersecurity maturity. As you mature, you will need to add further technical solutions to improve your protections.
- Finally, this specific virus attack taught us not to trust Microsoft VB Scripts. Later viruses exploited Macro capabilities in MS Office documents. As a consequence, many companies now filter out attachments that contain VB scripts or Macros to eliminate Melissa-type risks. Most AV companies and products now protect against these attacks.
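
One way to implement the attachment filtering described in the last item, shown as an added example that is not part of the original article or any vendor's product. The function names and the sample message are constructed for illustration, and the legacy-document check is a byte-pattern heuristic rather than a full file parser.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = (".vbs", ".vbe")  # VBScript file extensions
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container header
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE entry names are UTF-16LE


def classify(filename, data):
    """Return a reason to block the attachment, or None to let it through."""
    if (filename or "").lower().endswith(SCRIPT_EXTS):
        return "VBScript file"
    if data.startswith(OLE_MAGIC) and VBA_STREAM in data:  # heuristic
        return "legacy Office document with VBA macros"
    if data.startswith(b"PK"):  # .docm/.xlsm are ZIP archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    return "Office Open XML document with VBA macros"
        except zipfile.BadZipFile:
            return "unreadable ZIP container"
    return None


def scan_message(raw):
    """Parse a raw message; return [(filename, reason)] for blocked attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        reason = classify(part.get_filename(), part.get_payload(decode=True) or b"")
        if reason:
            hits.append((part.get_filename(), reason))
    return hits


def build_sample():
    """Constructed message: macro ZIP, OLE stub, plain text, and a .VBS file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"\x00")
    msg = EmailMessage()
    msg.set_content("constructed sample body")
    files = [("report.docm", buf.getvalue()), ("list.doc", OLE_MAGIC + VBA_STREAM),
             ("notes.txt", b"hello"), ("run.VBS", b"MsgBox 1")]
    for name, data in files:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` flags the macro-enabled document, the legacy document and the script, and lets the plain text file through. The check inspects file contents as well as names, so a macro document renamed to an innocuous extension is still caught.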