Hacked email accounts

This forum contains discussions related to keeping families and individuals safe while making use of technology. Acceptable topics would range from how to protect families from Internet predators and online pornography, monitoring and protecting cell phone usage and text messaging, locking unwanted television and movies from various devices, protecting and monitoring computer game usage, and promoting safe Internet and technology use.
russellhltn
Community Administrator
Posts: 20763
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Hacked email accounts

Postby russellhltn » Sat Jun 12, 2010 4:44 pm

Since the first of the month, I've seen 3 different people who've had their email hacked and used to send out a bogus plea for money. That seems like a major jump for a particular type of scam. I'm wondering how the scammers are getting control of the email account. (No, they're not spoofing the address - they are actually getting into the account.)

While I can think of a number of ways it can be done, I'm wondering if anyone has any insight on how this particular campaign is being done.

So far the score is one gmail, one yahoo and one hotmail account. It's also across 3 different email lists.

I've checked my usual sources for tech news stories, but I'm not seeing this one.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

kisaac
Community Moderators
Posts: 1170
Joined: Sun Oct 21, 2007 5:04 am
Location: Utah, united states

Postby kisaac » Sat Jun 12, 2010 6:01 pm

RussellHltn wrote:While I can think of a number of ways it can be done, I'm wondering if anyone has any insight on how this particular campaign is being done.


You obviously want a more detailed explanation then I can give, but the fact that it is happening regularly should make everyone realize the "openess" of email.

Two cases:
It happened to my brother-in-law while they were traveling, and I got the bogus email, which I promptly ignored. It was last fall. It appeared real, because it came from his normal email, and the CC emails were all people I knew as family members, and the bogus email said he was in the city I knew he went to.

He is an IT professional, and conjectured that a valid email he sent to one of us from this city was "hi-jacked" in route at some point (not from a wi-fi hotspot) and the fake email was created from it. He was never sure if they actually compromised his account or "spoofed" it, as I think you called it. Either way, the result was almost identical. The big three "free emails" certainly do not give you any guarantee of privacy as they pass your email through the back halls of the internet on it's way to all of the IP's of your family and friends.

Second case, a friend: Email account was actually compromised, password changed, then bogus emails sent to family. Because the email account was now in the hands of the perpetrator, real holders of the account were now locked out, and knew nothing, and responding emails to the account were of course intercepted and responded to as if they were from the family member. I conjecture that it happened similarly as above for my brother-in-law, first an email was "hijacked, or his email address was merely picked off the net on some website or blog, and then his password was "cracked."

I hope your topic helps educate us. If I have your email address and your password, I have your account - and the emails of your friends and family, and maybe much, much more if you have a net mail account- access to the content of all of your sent and saved emails!

Besides my personal passwords, I only know the email passwords of three other people, because I had to help them with computer issues. Two out of those three passwords were their own first names! That would mean that I could guess their passwords merely by my first guess. And my nephew "confessed" to me last week that he had guessed both of his parents passwords, and he is only six years old! He would have told me what they were if I had asked...is it really this easy?

There are far more sophisticated password cracking methods, but maybe its really this easy....

russellhltn
Community Administrator
Posts: 20763
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Sat Jun 12, 2010 6:10 pm

kisaac wrote:I hope your topic helps educate us. If I have your email address and your password, I have your account - and the emails of your friends and family, and maybe much, much more if you have a net mail account- access to the content of all of your sent and saved emails!


More then that - you have the means to reset the password on various accounts connected to your email.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

kisaac
Community Moderators
Posts: 1170
Joined: Sun Oct 21, 2007 5:04 am
Location: Utah, united states

Postby kisaac » Sat Jun 12, 2010 6:25 pm

RussellHltn wrote:More then that - you have the means to reset the password on various accounts connected to your email.


and if gmail, one click to get to your google docs, and your google calendar...

User avatar
thedunsons
New Member
Posts: 21
Joined: Sat Aug 25, 2007 6:07 pm
Location: Washington, DC
Contact:

password security

Postby thedunsons » Sat Jun 26, 2010 5:40 am

Bottom line with password security is common sense. At the end of the day, if you are targeted by a real 'bad guy', he/she/they probably have the resources to crack your password. Easier than that is finding your info on the web and some lucky/informed guesses at your password recovery questions. Even if you have a very complicated password, your password recovery questions and answers may not be quite so complicated.

You can change your password daily, but how many different "mother's maiden names" do you have?
-mike

User avatar
PNMarkW2
Member
Posts: 66
Joined: Thu Jun 11, 2009 1:44 pm
Location: Portland, Oregon, USA
Contact:

Postby PNMarkW2 » Sat Jun 26, 2010 10:16 am

relaxmosphere wrote:You can change your password daily, but how many different "mother's maiden names" do you have?


The security question is an easy backdoor into many accounts, so pick a wrong answer and stick with it so you don't forget the "wrong" answer you gave. Then it can be as complex as you want, but not something anyone could guess and/or research. Use it as a secondary password instead of an answer to a security question.

However, changing your password daily does nothing to improve security, picking good passwords does. The longer a password is in use does not make it less secure. If someone cracks your password, they're going to use it, that's why they cracked it. They aren't going to crack it and wait, changing a perfectly good password only changes a perfectly good password. You might change the lock if you give the key to someone you don't want to get in anymore, but not just because it's been there awhile.
~Mark
Ward Clerk
Colonial Heights Ward
Portland Oregon Stake

-----
"For a list of all the ways technology has failed to improve the quality of life, please press three."
---Alice Kahn

dpenrod75
New Member
Posts: 46
Joined: Wed Jun 23, 2010 5:48 am

Not hard to replicate

Postby dpenrod75 » Thu Aug 26, 2010 1:44 pm

1. A Trojan that records keystrokes when it see’s you’re on an e-mail login page
2. It scans for e-mail addresses either from a address book on your hard drive or when you go to your online e-mail account (Scans pages).
3. If the pc has outlook installed and its being used then it’s even easier to do whatever.
4. The Windows and / or Office API! It's amazing what you can do with a few lines of code.

I have seen this many of time but really there are so many ways programmatically that accounts can be hacked that I couldn't possibly list them all here. Trojans typically "listen" for events that suggest an account is already logged in and then begin their work. An already logged in account can either be utilized by a human or a program.

richreid402
New Member
Posts: 6
Joined: Fri May 29, 2009 4:26 pm
Location: Omaha, Nebraska, USA

Postby richreid402 » Thu Oct 07, 2010 7:30 am

The current "scams" I see involve sites (social networking etc.) either requesting your e-mail address and password so they can pull in your contacts automatically or even simply having you sign in using your e-mail address and a password. I would guess there is a large percentage of users that would use the same password for that account as the one that exists on their e-mail account (easier to remember).

"Flicker" and "myLife" are 2 that come to mind that are notorious for using information gathered from e-mail accounts to propogate to unsuspecting users.

As a side note, I am deeply concerned with the additional tools that have been granted to church members through lds.org that there are many many accounts that are not secure because they have given out login ID's and passwords to family and friends or have used common passwords between applications.


Return to “Family Safety with Technology”

Who is online

Users browsing this forum: No registered users and 1 guest