In early May of 2000, twenty-five years ago, some people received an email with the message: “kindly check the attached LOVELETTER coming from me!”
Within a few days, tens of millions of Windows computers worldwide were infected—reportedly including ones inside the Pentagon and the UK Parliament—causing billions of dollars’ worth of damage.
This is the basic story of the ILOVEYOU computer worm, also known as the Love Bug, and it is one of the earliest examples of malware that caused significant damage on the internet. In 2012, the Smithsonian Magazine ranked ILOVEYOU the tenth most destructive computer virus ever, though things have certainly escalated since then.
From Manila to the world, with love
Nearly half of all people alive today weren’t born yet when 23-year-old Filipino college student Onel de Guzman unleashed the ILOVEYOU worm to the world. And it wasn’t because Onel wanted to become insanely rich, make a political statement, or upend the world’s economy—he simply wanted to steal some internet access passwords (this was the age of dial-up internet) because he was a struggling computer science student at the Makati campus of AMA Computer College.
Onel previously had the idea for a script that would steal passwords. The problem was figuring out how to make that script run on many computers. He exploited a feature of Windows (some say it could be a bug) where if the user clicks on the script, Windows would automatically run it.
So Onel hit on the brilliant idea to tap into people’s emotions by sending an innocuous love letter via email. He then disguised the script as a text file attachment by naming it as LOVE-LETTER-FOR-YOU.TXT.vbs. In Windows’ default setting, file extensions like “.vbs” are hidden so the attached file would appear to be an ordinary text file. When the lovelorn user opens it, Windows would then run the script wreaking havoc.
Here’s how the script worked.
First, it copies itself into various places on the computer so that it would automatically run at startup.
Then the script accesses the victim’s address book and sends a copy of itself by email to all contacts, thus ensuring that the worm propagates.
The worm then searches for JPEG, Microsoft Word, and MP3 files in the system and overwrites them with the same script so that if the user opens them, the script would run again.
Finally, the script steals any passwords it could find and sends them to email addresses that Onel controls. This bit is actually what led the NBI, PNP, and the world’s law enforcement to quickly identify him as the culprit within days.
While Onel was pinpointed as the man behind the worm, he wasn’t prosecuted because the Philippines had no law at that time penalizing such behavior. (Republic Act No. 8792, or the E-Commerce Law, eventually became law in June 2000.)
The human factor is the weakest link
No matter how expensive or sophisticated your information security is, everything can be undone by a careless act of a single person.
This is what Onel de Guzman really exploited because the ILOVEYOU worm is not smart or super complex by any means. To be fair, 2000 was still in the early days of the commercial internet age. Google was barely two years old and the big websites like Facebook, Instagram, and YouTube didn’t exist at all. So most people on the web weren’t yet aware of malware like worms and trojan horses. And they certainly didn’t know about social engineering scams like phishing.
But twenty five years after the ILOVEYOU worm, there is no excuse for people not to know about scams and social engineering. So you have to forgive the numerous messages that you receive from your bank reminding you to not open suspicious links and to not give out your OTP codes to anybody, even if they purport to be a bank employee.
Much like how we conduct earthquake drills and prepare for incoming typhoons, the best way to avoid scams and getting hacked is to educate yourself and to learn about the many different ways malcontent actors try to trick you.
But even the best of us can get tricked, like how Troy Hunt, a well-known security expert and operator of the Have I Been Pwned? service, fell victim to a phishing email last March. In this case, more preparations are needed, such as creating and maintaining regular backups of your data and services or procuring insurance on the off chance that you do get scammed.
The best cybersecurity is awareness. If the ILOVEYOU bug taught us anything, it is that love—or curiosity—can be a trap.