Why the Bad Guys Want Your Email


Your email just got broken into? Sorry, it’s not personal. It’s business.

That may not console you much when you realize that your email account was “pwned” through malware or deceit. But, really, the hackers who went after it probably had nothing against you personally. They were instead focused on potentially profitable uses of your email.

This is a point that can easily get lost in the coverage of nightmare hacking scenarios like the 2012 instance in which Wired writer Mat Honan had his Gmail and iCloud accounts hijacked, then saw his iPhone, iPad and MacBook remotely wiped, all so a teenage guy could have fun broadcasting inanities from his three-character Twitter handle @mat.

But, most of the time, crooks going after your email have nothing more ambitious in mind than using it to spam people about fraudulent offers or malicious downloads.

“For the most part, compromised webmail accounts are used to send spam (some of which may contain links to malware),” writes Johannes Ullrich, chief research officer at the SANS Institute.

In a subsequent conversation, he said that not only has the use of hacked email addresses for spam stayed pretty much constant, but in some ways such addresses have become more valuable. How so? Stronger authentication systems deployed by major mail services have made it harder to send a spoofed message — one that looks like it’s from a legitimate address when it isn’t. So, since email impersonation is harder, the bad guys need to take over accounts to send messages that look real.

The value of a hack
What else can a hacker do with a hijacked account? McAfee public-sector chief technical officer Scott Montgomery sketched out one easy possibility: “Let’s say I compromise your Yahoo mail, your Google mail, whatever — what is the likelihood that you have reused that same password at multiple locations?”

That’s right. Stealing one password can open up access to a multitude of a user’s accounts. So take this opportunity to redo yours; for the most security, use a service like LastPass, 1Password or Dashlane to generate and store random passwords for you.

But even if a victim was smart enough to use different passwords for anything of serious value, it won’t matter if an attacker can reset them online — with the only needed confirmation being a click on an email sent to an inbox that the attacker already controls.

Or, as Brian Krebs reported last March, the attacker can skip even that minimal step by asking the bank nicely via email for help completing a wire transfer.

Ullrich said SANS hasn’t seen too many instances of this, thanks mainly to the fact that it’s more profitable to confine that particular scam to cases “where they know that this person deals with large amounts of money.”

In one particularly ambitious attack SANS is investigating, the scammer steps into existing business correspondence to try to fool a customer into sending money to the wrong place. “It appears to happen quite a bit with real estate,” Ullrich observed.

The worst attack
Montgomery suggested one last, still uglier use for a hijacked email: Instead of just spamming the victim’s friends with some bogus offer, the attacker tries to get them to click and install “ransomware” that then locks them out of their own files unless they pay off the scammer.

A site password plus an email address that itself is secured with only a password shouldn’t open the door to moving money around. But while most Web-mail services now offer two-step verification — yes, you should turn it on — only a handful of name-brand banks and other financial institutions also do.

I don’t think you can legislate a requirement for two-step verification, but having to reimburse enough customers for losses ought to have an educational effect on banks that haven’t let customers lock their accounts with more than a username and password.

Online security laws need to change
That doesn’t mean the folks in Washington have nothing at all to do on this front. Beyond the absence of a national law requiring companies to notify you if they lose your data, the primary law aimed at networked crime — the Computer Fraud and Abuse Act — needs a rewrite of its own.

That’s not because it’s too tolerant of hacking attempts; it’s because it now defines them so broadly that it can be used to target legitimate security research. In an upcoming column, I’ll explain why the CFAA has become many techies’ least favorite law.

Yahoo Tech is a brand new tech site from David Pogue and an all-star team of writers.