Why the Bad Guys Want Your Email
Your email just got broken into? Sorry, it’s not personal. It’s business.
That may not console you much when you realize that your email account was “pwned” through malware or deceit. But, really, the hackers who went after it probably had nothing against you personally. They were instead focused on potentially profitable uses of your email.
This is a point that can easily get lost in the coverage of nightmare hacking scenarios like the 2012 instance in which Wired writer Mat Honan had his Gmail and iCloud accounts hijacked, then saw his iPhone, iPad and MacBook remotely wiped, all so a teenage guy could have fun broadcasting inanities from his three-character Twitter handle @mat.
But, most of the time, crooks going after your email have nothing more ambitious in mind than using it to spam people about fraudulent offers or malicious downloads.
“For the most part, compromised webmail accounts are used to send spam (some of which may contain links to malware),” writes Johannes Ullrich, chief research officer at the SANS Institute.
In a subsequent conversation, he said that not only has the use of hacked email addresses for spam stayed pretty much constant, but in some ways such addresses have become more valuable. How so? Stronger authentication systems deployed by major mail services have made it harder to send a spoofed message — one that looks like it’s from a legitimate address when it isn’t. So, since email impersonation is harder, the bad guys need to take over accounts to send messages that look real.
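The article does not name the authentication systems it refers to; SPF (Sender Policy Framework), which lets a domain publish the IP ranges allowed to send mail for it, is one of the common ones and is assumed here. The following is an added illustration, not code from the article or from SANS: a simplified SPF evaluator run against constructed DNS records, showing why a message forged from an outside server fails while a message sent through a compromised account on the domain's own servers passes, which is exactly the incentive the text describes. Only `ip4:`, `ip6:` and `all` mechanisms are handled; the domains, records and addresses are constructed examples.

```python
import ipaddress

# Constructed SPF TXT records standing in for a DNS lookup (not real domains' data).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all",
    "example.net": "v=spf1 +all",  # permissive record: nothing stops spoofing here
}

# SPF qualifier characters and the results they map to.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return ([(qualifier, network), ...], default_qualifier) for an SPF record.

    Only ip4/ip6/all mechanisms are handled; a, mx, include and modifiers are
    out of scope for this toy evaluator.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks = []
    default = "?"  # RFC 7208: no matching mechanism and no 'all' -> neutral
    for term in terms[1:]:
        qualifier = "+"  # implicit qualifier when none is written
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        lowered = term.lower()
        if lowered == "all":
            default = qualifier
        elif lowered.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            networks.append((qualifier, net))
    return networks, default


def spf_check(mail_from_domain, sending_ip, dns=DNS_TXT):
    """Evaluate the sending IP against the domain's SPF record.

    Returns 'none' when the domain publishes no record, otherwise one of
    pass / fail / softfail / neutral.
    """
    record = dns.get(mail_from_domain)
    if record is None:
        return "none"
    networks, default = parse_spf(record)
    ip = ipaddress.ip_address(sending_ip)
    for qualifier, net in networks:
        if ip in net:
            return RESULT[qualifier]
    return RESULT[default]


def classify(mail_from_domain, sending_ip):
    """Defender's view: which scenario from the article does this message fit?"""
    result = spf_check(mail_from_domain, sending_ip)
    if result == "pass":
        return "authorized server (legitimate sender or a compromised account)"
    if result == "fail":
        return "forged sender: message came from a server the domain never authorized"
    return "no strong signal (record missing or permissive)"


if __name__ == "__main__":
    # Forged message: attacker-controlled host 192.0.2.77 claims to be example.com.
    print("spoof attempt:", classify("example.com", "192.0.2.77"))
    # Same domain, but sent through its own outbound relay by a hijacked account.
    print("hijacked account:", classify("example.com", "203.0.113.5"))
    # A domain whose record allows everyone gives the receiver nothing to go on.
    print("permissive domain:", classify("example.net", "192.0.2.77"))
```

The point of the contrast is the one Ullrich makes: a receiving server that enforces records like `example.com`'s can discard the forged message outright, so an attacker who wants a message that "looks real" has to send it from inside an account the record already trusts.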
The value of a hack
What else can a hacker do with a hijacked account? McAfee public-sector chief technical officer Scott Montgomery sketched out one easy possibility: “Let’s say I compromise your Yahoo mail, your Google mail, whatever — what is the likelihood that you have reused that same password at multiple locations?”
That’s right. Stealing one password can open up access to a multitude of a user’s accounts. So take this opportunity to redo yours; for the most security, use a service like LastPass, 1Password or Dashlane to generate and store random passwords for you.
But even if a victim was smart enough to use different passwords for anything of serious value, it won’t matter if an attacker can reset them online — with the only needed confirmation being a click on an email sent to an inbox that the attacker already controls.
Or, as Brian Krebs reported last March, the attacker can skip even that minimal step by asking the bank nicely via email for help completing a wire transfer.
Ullrich said SANS hasn’t seen too many instances of this, thanks mainly to the fact that it’s more profitable to confine that particular scam to cases “where they know that this person deals with large amounts of money.”
In one particularly ambitious attack SANS is investigating, the scammer steps into existing business correspondence to try to fool a customer into sending money to the wrong place. “It appears to happen quite a bit with real estate,” Ullrich observed.
The worst attack
Montgomery suggested one last, still uglier use for a hijacked email: Instead of just spamming friends with some bogus offer, they try to get them to click and install “ransomware” that then locks them out of their own files unless they pay off the scammer.