On Monday we opened this discussion about hijacked email accounts, and showed some examples of the phishing tricks that attackers use to get you to reveal your email password. Today we will explore the many useful and profitable exploits that a compromised email account offers a cyber-criminal or other attacker.
I consider email account compromise to be one of the most personally harmful cyber-exploits. When another person has access to your email account, they have access to a treasure trove of information about you.
So just what kind of malicious uses could a compromised email account provide?
- Sending spam – In the past, this was the usual outcome, but not so much any more, because there are more lucrative uses. Spammers get paid a few cents to a few dollars when email recipients click on advertising links in the spam email. Volume is the only way to make this scheme pay off. One way to tell your email account is sending spam is the sudden appearance of a large number of bounce (undeliverable) messages in your inbox, and the possible suspension of your account by your email provider.
- Sending phishing emails – The attacker can use your email address to send phishing emails to other potential victims. This works especially well if the victims are people who know you and are likely to trust messages coming from you. Because they have access to your contact list, this is very easy. The recent Google Docs email worm used this method to propagate.
- Email forwarding – With access to your account, I can set up a forwarding rule that silently copies your incoming email to another account, so I can keep reading your mail with less danger of detection, even after you change your password.
- Reconnaissance – When I am living inside your email account, I can read your inbox and sent mail, and learn a lot about you on a very deep level. I can learn where you bank and shop, what social networks you belong to, who you know both personally and professionally, where you work and what you do there. Take a fresh look at your emails with the eyes of a malicious attacker. Scary, huh?
- Access to your contact list – I will have access to your contact list. I can export it as a file to use at a later date, or sell on the Dark Web to criminal groups who build email lists to sell to other cyber-criminals. There are other uses, as we shall see.
- Access to your calendar – I can also view your appointments and travel plans. This information can be useful later to coordinate other exploits while you are out of the office, traveling, or on vacation.
- Impersonation – Now that I know something about you, I can use your account to impersonate you in emails to friends, family, coworkers, and customers. Because these people will tend to trust the source of these emails, most often they go unchallenged by the recipient.
- Password replay – Many people keep it simple, and use the same password, or a similar password to “protect” other online accounts. This tendency to reuse the same password over and over makes it easy for the attacker to try to log in to your other online accounts. They know what accounts to try, because they have been reading your emails.
- Password resets to other accounts – If password reuse fails, the attacker can request a password reset email from your online service providers. Since the reset link lands in the inbox the attacker already controls, the reset succeeds and you are locked out.
- Answers to your secret questions – With access to your inbox and the accounts it unlocks, I can learn the answers you set to the secret questions that are often used in account verification and password reset situations.
- Shopping – I just logged into your Amazon account, and have been buying items with a high resale value. Maybe I logged into your eBay account to sell these items. Maybe I logged into your PayPal account to transfer those funds to another bank account I control.
- Social media account hijacking – Other desirable targets are your Facebook, LinkedIn, Google+, Instagram, WhatsApp, Twitter, and other networks. Impersonation can again be used to extend the attack to other victims. Harvesting contacts can also be useful to an attacker.
- Wire transfer fraud – This works best when the victim is a CEO, CFO, or highly placed officer of a company. Combined with knowledge I gained from your calendar, while you are traveling on business, I can email the company from your account and request a wire transfer for business purposes, such as a materials purchase or business acquisition. The FBI calls this Business Email Compromise (BEC), and losses to companies have ranged from tens of thousands to several million dollars.
- Invoice fraud and payment interception – This works similarly to wire transfer fraud, but the attacker either sends fraudulent invoices to regular customers, or intercepts payments to the company by sending emails to customers with new bank routing and account number payment information. Payments are then sent to a bank account the attacker controls, and since past-due notices are not sent for at least 45 days, this leaves the attacker with a long window of time before discovery.
- Access and download your pictures – The FBI just prosecuted a man for using phishing and hijacked email account access to download the pictures of over 50 women from the cloud accounts that were tied to their email account and smartphone. Think iCloud, Google Drive, or OneDrive. Many of these women he knew personally, and almost all lived in his area. Did you send your spouse some racy selfies? Not all of the pictures were adult content, many of them were pictures of family members and children. Creepy.
- Access other documents – While I am in your cloud accounts, I might as well look around for other valuable information. Like that Excel spreadsheet with all your financial account information. Or last year's tax returns.
- Hold information for ransom – Or maybe I’ll export your files and pictures, delete them from your cloud account, and leave a ransom demand in their place.
- Use information for extortion – If I learn something about you that could be potentially incriminating, or personally embarrassing, I could use that information for extortion purposes.
- Trading stock on inside information – In February I wrote about an Italian brother and sister team who used compromised email accounts over a period of 7 years to gather insider information they used for making highly successful and lucrative stock trades. They had 87 gigabytes of stolen data, including 18,327 account usernames, 1,793 passwords, and a set of keystrokes stolen via keylogger. More about keyloggers on Friday.
- Exploit extension – Fool me once, shame on you, fool me twice, shame on me. On Friday we will look at how a compromised email account and more phishing emails can be used to extend the exploit outside of the inbox.
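The forwarding rules and the invoice-fraud mail hiding described in the list above are things an administrator can actually look for. The script below is an added example, not code from the original article: it audits mailbox-rule changes the way a responder would after an account is reported hijacked, flagging rules that forward mail to an outside address, delete or bury incoming mail, or filter on invoice and wire terms. The record shape (Operation / UserId / Parameters name-value pairs) mirrors the Microsoft 365 unified audit log but is an assumption to check against your own export, the internal domain `example.com` is assumed, and the sample records are constructed.

```python
"""Audit mailbox-rule changes for the forwarding and mail-hiding tricks an
email-account hijacker sets up.

Added example. The audit-record layout below (Operation, UserId, ClientIP,
Parameters as a list of {"Name", "Value"} pairs) mirrors the Microsoft 365
unified audit log but is an ASSUMPTION; verify it against a real export.
"""
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

# Rule / mailbox parameters that copy mail out of the mailbox.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")
# Folders attackers use to park replies the victim is unlikely to open.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
# Filter terms typical of invoice / wire-fraud rules.
FINANCE_TERMS = re.compile(r"\b(invoice|wire|payment|bank|remit|ach|transfer)\b", re.I)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample records (not real log data).
SAMPLE_AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collect@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.org"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Identity", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.backup@example.com"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "MailboxLogin", "UserId": "dave@example.com", "ClientIP": "198.51.100.2",
     "Parameters": []},
]


def _params(record):
    """Flatten the Parameters list into a {name: value} dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _addresses(value):
    """Extract bare addresses from a parameter value: handles 'smtp:' prefixes,
    display names with <brackets> and ';'-separated lists."""
    found = []
    for part in re.split(r"[;,]", value):
        match = re.search(r"[\w.+-]+@[\w.-]+", part)
        if match:
            found.append(match.group(0).lower())
    return found


def _is_external(addr, internal_domains):
    return addr.rsplit("@", 1)[-1] not in internal_domains


def audit_rule_changes(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per suspicious rule/mailbox change, worst severity first
    within each record's reasons, in the order the records were seen."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            continue
        p = _params(rec)
        reasons = []  # (severity, explanation)
        for name in FORWARDING_PARAMS:
            for addr in _addresses(p.get(name, "")):
                if _is_external(addr, internal_domains):
                    reasons.append(("high", f"{name} sends mail to external address {addr}"))
                else:
                    reasons.append(("low", f"{name} sends mail to internal address {addr}"))
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append(("high", "DeleteMessage=True: matching mail is destroyed before the owner sees it"))
        folder = p.get("MoveToFolder", "")
        if folder.lower() in HIDING_FOLDERS:
            reasons.append(("medium", f"MoveToFolder={folder!r}: a folder people rarely open"))
        filter_text = " ".join(p.get(k, "") for k in
                               ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"))
        if FINANCE_TERMS.search(filter_text):
            reasons.append(("medium", f"filters on finance terms {filter_text.strip()!r}: typical of invoice fraud"))
        if "Name" in p and not p["Name"].strip(" .,;-_"):
            reasons.append(("medium", f"near-empty rule name {p['Name']!r}, chosen to escape notice"))
        if not reasons:
            continue
        severity = max((s for s, _ in reasons), key=SEVERITY_RANK.__getitem__)
        findings.append({"user": rec.get("UserId"), "client_ip": rec.get("ClientIP"),
                         "operation": rec["Operation"], "severity": severity,
                         "reasons": [text for _, text in reasons]})
    return findings


if __name__ == "__main__":
    for f in audit_rule_changes(SAMPLE_AUDIT_RECORDS):
        print(f"[{f['severity'].upper()}] {f['user']} {f['operation']} from {f['client_ip']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed records it reports the CFO's "." rule (external forward plus delete) as high, Bob's rule that buries invoice and wire mail in RSS Feeds as medium, and Carol's internal forward as low; Alice's newsletter rule and the plain login produce nothing. The client IP is kept in each finding because the first question after a hit is whether that rule was created from somewhere the owner has never been.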