
Hacked email accounts

Posted: Sat Jun 12, 2010 5:44 pm
by russellhltn
Since the first of the month, I've seen 3 different people who've had their email hacked and used to send out a bogus plea for money. That seems like a major jump for a particular type of scam. I'm wondering how the scammers are getting control of the email account. (No, they're not spoofing the address - they are actually getting into the account.)

While I can think of a number of ways it can be done, I'm wondering if anyone has any insight on how this particular campaign is being done.

So far the score is one gmail, one yahoo and one hotmail account. It's also across 3 different email lists.

I've checked my usual sources for tech news stories, but I'm not seeing this one.

Posted: Sat Jun 12, 2010 7:01 pm
by kisaac
RussellHltn wrote: While I can think of a number of ways it can be done, I'm wondering if anyone has any insight on how this particular campaign is being done.
You obviously want a more detailed explanation than I can give, but the fact that it is happening regularly should make everyone realize the "openness" of email.

Two cases:
It happened to my brother-in-law while they were traveling, and I got the bogus email, which I promptly ignored. It was last fall. It appeared real, because it came from his normal email, and the CC emails were all people I knew as family members, and the bogus email said he was in the city I knew he went to.

He is an IT professional, and conjectured that a valid email he sent to one of us from this city was "hi-jacked" en route at some point (not from a wi-fi hotspot) and the fake email was created from it. He was never sure if they actually compromised his account or "spoofed" it, as I think you called it. Either way, the result was almost identical. The big three "free emails" certainly do not give you any guarantee of privacy as they pass your email through the back halls of the internet on its way to all of the IP's of your family and friends.

Second case, a friend: Email account was actually compromised, password changed, then bogus emails sent to family. Because the email account was now in the hands of the perpetrator, real holders of the account were now locked out, and knew nothing, and responding emails to the account were of course intercepted and responded to as if they were from the family member. I conjecture that it happened similarly as above for my brother-in-law: first an email was "hijacked," or his email address was merely picked off the net on some website or blog, and then his password was "cracked."

I hope your topic helps educate us. If I have your email address and your password, I have your account - and the emails of your friends and family, and maybe much, much more if you have a net mail account- access to the content of all of your sent and saved emails!

Besides my personal passwords, I only know the email passwords of three other people, because I had to help them with computer issues. Two out of those three passwords were their own first names! That would mean that I could guess their passwords merely by my first guess. And my nephew "confessed" to me last week that he had guessed both of his parents' passwords, and he is only six years old! He would have told me what they were if I had asked... is it really this easy?

There are far more sophisticated password cracking methods, but maybe it's really this easy....

Posted: Sat Jun 12, 2010 7:10 pm
by russellhltn
kisaac wrote: I hope your topic helps educate us. If I have your email address and your password, I have your account - and the emails of your friends and family, and maybe much, much more if you have a net mail account - access to the content of all of your sent and saved emails!
More than that - you have the means to reset the password on various accounts connected to your email.

Posted: Sat Jun 12, 2010 7:25 pm
by kisaac
RussellHltn wrote: More than that - you have the means to reset the password on various accounts connected to your email.
and if gmail, one click to get to your google docs, and your google calendar...

password security

Posted: Sat Jun 26, 2010 6:40 am
by thedunsons
Bottom line with password security is common sense. At the end of the day, if you are targeted by a real 'bad guy', he/she/they probably have the resources to crack your password. Easier than that is finding your info on the web and some lucky/informed guesses at your password recovery questions. Even if you have a very complicated password, your password recovery questions and answers may not be quite so complicated.

You can change your password daily, but how many different "mother's maiden names" do you have?

Posted: Sat Jun 26, 2010 11:16 am
by PNMarkW2
relaxmosphere wrote: You can change your password daily, but how many different "mother's maiden names" do you have?
The security question is an easy backdoor into many accounts, so pick a wrong answer and stick with it so you don't forget the "wrong" answer you gave. Then it can be as complex as you want, but not something anyone could guess and/or research. Use it as a secondary password instead of an answer to a security question.

However, changing your password daily does nothing to improve security; picking good passwords does. The longer a password is in use does not make it less secure. If someone cracks your password, they're going to use it; that's why they cracked it. They aren't going to crack it and wait. Changing a perfectly good password only changes a perfectly good password. You might change the lock if you give the key to someone you don't want to get in anymore, but not just because it's been there a while.

Not hard to replicate

Posted: Thu Aug 26, 2010 2:44 pm
by dpenrod75
1. A Trojan that records keystrokes when it sees you're on an e-mail login page
2. It scans for e-mail addresses either from an address book on your hard drive or when you go to your online e-mail account (Scans pages).
3. If the PC has Outlook installed and it's being used then it's even easier to do whatever.
4. The Windows and / or Office API! It's amazing what you can do with a few lines of code.

I have seen this many a time, but really there are so many ways programmatically that accounts can be hacked that I couldn't possibly list them all here. Trojans typically "listen" for events that suggest an account is already logged in and then begin their work. An already logged in account can either be utilized by a human or a program.

Posted: Thu Oct 07, 2010 8:30 am
by richreid402
The current "scams" I see involve sites (social networking etc.) either requesting your e-mail address and password so they can pull in your contacts automatically or even simply having you sign in using your e-mail address and a password. I would guess there is a large percentage of users that would use the same password for that account as the one that exists on their e-mail account (easier to remember).

"Flicker" and "myLife" are 2 that come to mind that are notorious for using information gathered from e-mail accounts to propagate to unsuspecting users.

As a side note, I am deeply concerned with the additional tools that have been granted to church members through lds.org that there are many many accounts that are not secure because they have given out login IDs and passwords to family and friends or have used common passwords between applications.