Rediff Infotech
March 30, 1999


r u on icq? Good. Now let me steal your IP and spoof and spam you off the Web.

Srikant Sreenivasan

The next time you are on ICQ, watch out! Some techno-nerd somewhere in the world may be making a note of your IP address, opening you wide to all kinds of attacks, including 'bombing' of your system and deletion of files on your hard disk.

If this does not sound bad enough, he could even impersonate you on the ICQ network, making confetti out of painfully nurtured online relationships.

Then there is the familiar experience of being spammed. But with the immediacy of messaging that ICQ offers, spamming takes on a bigger, more irritating meaning.

Yet, ironically, all this does not mean that ICQ is the stupidest thing to put on your computer. Actually, crackers can as easily break and bend your basic vehicle on the Web, the browser.

However, this article dwells only on the hazards of ICQ, not to scare you off the amazing messaging software, but to make you more aware of the dangers online.

ICQ defines 'instant messaging' on the Web. The killer application built by bright young Israeli programmers has been heralded as the next big thing after the Internet browser itself!

But let us not forget that on the Internet, nothing fails like success. As ICQ's user base expands to figures in the vicinity of 30 million, it has begun to attract the attention of crackers. And no programme, however well written, is free from the assault of a worldwide network of crackers.

The programmers of ICQ are aware of the dangers. The 'security and privacy' page on the ICQ site warns 'ICQ is not different from any other Internet tool or service and requires observation of some simple and logical security tools. We would like to state that there is limit to the level of security which can be maintained without installing major security and protection tools.'

Here are some of the attacks on ICQ that are popular with crackers:

  • Spoof identity of a user or impersonate her online.
  • Bomb a user or overwhelm his computer by sending large chunks of data to it.
  • Spam or send instant, unsolicited messages to a huge list of users.
  • Capture the IP address of a user's machine and
  • Add users to your contact list without authorisation.


Every ICQ user is uniquely identified within the ICQ system by a UIN, or 'universal identification number'.

Ordinarily, when a user sends a message or a file or is chatting, the recipient knows the identity of the sender because ICQ servers inform the recipient of the sender's identity. The servers can do this because they maintain a directory of UINs.

To spoof, all that a hacker has to do is download a utility that will enable him to send off a message on the ICQ network by using someone's UIN. (Links to such utilities are provided at the end of the article.)

Think of the implications: Somebody can send your boss an abusive message while spoofing your identity. And this is perhaps the least nasty of the possibilities.


One can bombard a user with junk messages in rapid succession, effectively making it impossible for the user to continue using ICQ, or for that matter, even his computer.

Again, there are simple utilities on the Web, free for download, that make bombing a no-brainer. Simply download this programme, point it at the victim and pull the trigger, in this case, a click on a button saying 'Bomb em'.


If you thought that the ICQ network is for private communication between your friends, think again. Using freely available ICQ hacking tools, unscrupulous people can send mass messages.

These messages will appear even if you have not added the sender to your contact list. The content of such messages ranges from people marketing their wares to plain offensive messages.

Capture an IP address

The moment you log on to the Internet, the ICQ client in your PC informs the ICQ servers that you are now online.

This makes it possible for the ICQ servers to inform your other online friends of your online status.

Also, to reduce the delay in ferrying messages between users, the ICQ server informs each online user of the IP addresses of her online friends.

Subsequently, the ICQ client can directly talk to other ICQ clients using the IP address. The ICQ client uses the IP address internally and normally it is not visible to users.

But herein lies another hack. It is possible to obtain the IP address of an online ICQ user using still more ICQ hacking utilities.

Once a user's IP address is known to a hacker, it leaves the user vulnerable to all kinds of attacks. These could range from simple mischief to malicious attacks like DoS or 'denial of service', which involves stuffing the TCP/IP ports of the victim's computer with junk data.

Add users without authorisation

As an ICQ user, you can specify if you would like people to add you to their contact lists with or without your authorisation.

However, it is possible to bypass the need for authorisation and add anybody to your contact list. This again is simply done by using a freely available tool.

But all is not lost for the ICQ community. Here is how you can bang the door in the face of a malicious cracker.

  • Select a difficult, nonsensical password that is a mix of numerals and letters. This policy applies to all passwords, not just those for ICQ.
  • Do not give away your passwords to anybody, even if they claim to work for Mirabilis or AOL. As specified in their security policy, a Mirabilis employee will never ask for such information.
  • Never receive files from unknown users. Even when you receive files from your friends, use an antivirus to scan the files.
  • Never send confidential information. If you need to send confidential information, use email and an encryption tool like PGP.
  • Learn and apply each 'security and privacy' feature of ICQ such as the 'ignore list', 'invisible/visible list', 'security level'.
  • Keep yourself posted about the latest hacks and apply the patches for the same.

ICQ is truly the best groupware utility on the Web. Some common sense on the part of its users can keep it that way.

For those ICQ users who are keen on surfing from Fort Knox, we have compiled a list of sites that teach how to hack and secure ICQ. These sites are like talking magicians. Once you know the trick, it will not work on you. Believe us:

ICQ hack sites:
