In 1999, the internet seemed like a more innocent place. Few of us were aware of the risks associated with logging on. But then the Melissa virus came along and opened our eyes.
Reportedly named after a Florida stripper, the Melissa virus was created by programmer David Lee Smith. On March 26, 1999, he used an AOL account to post a Word doc in an “alt.sex” newsgroup. The Word doc purported to contain passwords for adult websites, but in reality, it contained the Melissa virus macro. Once launched, Melissa used the computer’s Outlook installation to email the first 50 addresses in the user’s address book.
These users received a Word attachment, along with powerful social engineering in the form of this subject line: “Here is the document you requested … don’t show anyone else ;-).” Because this email seemingly came from someone in the user’s address book, approximately 1 million email users fell for it, shutting down networks at more than 300 government agencies and corporations, including Microsoft.
Stopping the Melissa virus
Working in collaboration, the FBI, New Jersey law enforcement and AOL quickly pinpointed Smith as the source of the virus, and in 2002, he was sentenced to two years in prison and fined $5,000. In his plea deal, Smith acknowledged that Melissa was a “colossal mistake” that had caused an estimated $80 million in damage.
Melissa’s havoc did include a silver lining: increased awareness of cybersecurity risks. Not even a month after Melissa spread, Keith A. Rhodes—technical director for the U.S. General Accounting Office’s Computers and Telecommunications Accounting and Information Management Division—testified before Congress and listed five lessons learned from Melissa: how quickly viruses can spread, how hard viruses are to trace, how easily software can be exploited, a current lack of government process for reporting on and analyzing cybercrime, and the importance of educating users about malware and protecting computers from it.