Email Account Hijacking – Part 3 Extending the Exploit

On Monday and Wednesday we looked at email account hijacking, how it happens, and what can happen after the account is controlled by an attacker.  Today we will see how an attacker could use the beachhead they established in your email account to extend their intrusion.

They have already proven that you are susceptible to phishing and other social engineering exploits.  So sending the victim other phishing emails that allow more access would be a strong next step.  To extend access, the attacker needs to take control of the victim’s computer, so these phishing emails will have a malicious attachment for the victim to open.  Once opened, the malware is installed.  Or the email may contain a link to a web page where the malware will be downloaded from.  Sometimes the malware is embedded in a document, picture, video, or game that the vicitm is tricked into viewing or installing.

These exploits could include:

  • Installing a keylogger – A keylogger is software that simply records everything you type and sends a daily report to the attacker.  The report can be searched using other software to look for 9-digit numerical strings (Social Security number), 16 digit numerical strings (credit card) and the related 3 or 4 digit CVV and expiration date, or web address, email address and password combinations (www.myaccount.com, myname@myemail.com, and whatever follows is the password) that would indicate network and online account credentials.  Plus all the other juicy tidbits that could be gleaned from your daily typing.
  • Installing a remote access Trojan horse –  Also known as a RAT, a remote access Trojan works just like LogMeIn or GoToMyPC, except it keeps the presence of the remote connection secret from the victim.
  • Attack other computers on the network – Once in your computer I can get access to other computers on your network.  If this is a system on a business network, the attacker has immediate access to all your shared files and server based applications.  This data can be exfiltrated off the network and sold on the Dark Web.  Again the goal of the attacker is to remain undetected and to extend their control to other systems and servers on the network.
  • Installing a banking Trojan horse – This is one of the other terrible exploits that may befall you. Typically, this malware arrives in an email attachment. Banking Trojans are sophisticated software suites that include a database of banking web addresses, a keylogger, and remote access Trojan, and a communications channel.  When you type your banking web address, the software matches it to their database, and if there is a match, the keylogger starts to record your keystrokes.  An alert is communicated to the cyber criminal, who remotely accesses your computer while you are in your banking session.  Any special security features are bypassed by the attacker, because the victim entered those themselves.  Once the victim has completed their banking session, the victim keeps the session open and then makes a few withdrawals of their own.  Or using the information from the keylogger, and the RAT, connects to your bank at a later date, from your own computer.
  • Installing crypto-ransomware – This is another of the top three worst exploits that may happen. This malware also arrives in an email attachment.  Once the attachment is opened, the malware connects with a command and control server, and downloads the encryption software.  The malware then encrypts all of your personal files, pictures, music, and other data, on your computer’s hard drive, and any connected external or network drives.  Some crypto-ransomware has worm-like capabilities to spread to other systems on the network.  Then a ransom demand is posted on your desktop.  Paying the ransom does not always guarantee that you will get your data back.  This is particularly crushing for someone who does not have a recent working backup of their data to restore from.
  • Hijack your web site – If you are a web designer, or are managing your own or other business or personal websites, I should be able to find your login credentials in my keylogger reports.  Your website can be hijacked and used to support the landing pages of a phishing campaign, or to download malware to the computers of website visitors.  Our the attacker can replace your content with their own, and hold your website for ransom.  Or they can export the visitor registry or website user name and password database, and sell them on the Dark Web.

I hate to leave you with a week’s worth of bad news without providing some sort of solution to this problem.  On Monday, we will explore ways to prevent, or at the worst, detect and stop an email account hijack.

0

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instruction for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.