[kwlug-disc] OT: Hotmail/Yahoo account breakins

unsolicited unsolicited at swiz.ca
Wed Feb 13 20:43:59 EST 2013

In your experience, have these victims been running Windows only? 
(And if so, if automatic Windows updates are turned on / used regularly. 
And which version of Windows. XP more typically having users as 
administrators than, say, 7 - particularly as XP browsers don't 
typically differentiate between internal / local / unsafe domains, as 
many later ones do, IIRC.)

It seems to me that more people that do e-mail via the web have problems 
than those using actual e-mail clients, but I'm guessing.

My impression has been that once a password is known, they go at things 
via the web / their own computers, not via the victim's computer.

It is in their interest to not change the password, so they can keep 
using the account. Changing the password would be a faster red flag to 
the victim.

I have always suspected web cached passwords. I suppose e-mail client 
cached passwords are equally vulnerable. However, particularly on Linux, 
security updates are important to the developers to get out as quickly 
as possible, lest their software get the bad rap. IIRC, Linux machines 
tend to come out of the box to auto-install security updates.

I don't have a great amount of faith in web mail providers being 
'hackproof', nor that they have built mechanisms whereby repeated entry 
attempts (e.g. dictionary attacks) get increasingly degraded login 
attempts. I expect most hacks come in that way.

Two pieces of advice I regularly see:
1. Choose a hard password - mixed case, digits, symbols.
2. Change it regularly. (Once a month?)

Webmail accounts, being universally accessible, are naturally prime 
targets over others - people can get to them, many choose easy 
passwords, and the successful penetration rate is probably higher than 
other penetration attempts. Nature of the beast. I doubt there are many 
other such accessible targets, at least with the same level of 
'payload'. (Cracking a user's web site password to kwlug.org, for 
example, probably doesn't gain all that much in terms of nefarious 
activity impact upon the world.)

E-mail client attachment opening is probably further within the security 
onion than the web browser. Which leads to the other often seen piece of 
advice - don't open attachments! At least not unless they're from 
trusted sources. Thus cracking an e-mail account and sending a bad 
attachment to everyone in that address book ...

On 13-02-13 07:47 PM, Paul Nijjar wrote:
> I think I probably asked this before, but maybe there are updates
> now that it is 2013. For a while now (at least since Sept 2010) there
> has been a spate of attacks on webmail accounts. I want to know the
> mechanism.
> In one case I believe somebody got infected after clicking on a link
> they had received from one of their contacts (who had also been
> attacked). I do not think the victim entered password information
> into the target page; I think they may have just opened the page. Is
> this possible? What is the mechanism that allows one into a Hotmail
> or Yahoo account this way?
> It looks like clicking on bad attachments can also trigger breakins.
> In most cases it looks like the passwords of the infected accounts
> are not changed. The usual advice seems to be "change your password".
> Is this correct advice? What should people do if they have had their
> account cracked?
> Does this affect only the web interface, or can you be infected if
> you check your email via an IMAP or POP download of the mail onto a
> fat client like mutt or Thunderbird?
> I know that some of you deal with mail systems, and since you are
> all smart I thought I would ask about this here. From time to time I
> look on the internet for explanations about why this happens, but so
> far I have not found satisfying explanations. Even people who are
> smart about computers are getting their accounts cracked.
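The post above wishes webmail providers made "repeated entry attempts (e.g. dictionary attacks) get increasingly degraded login attempts". The following is an added example of what such a control looks like on the server side; it is not code from the kwlug-disc thread or from any mail provider. It is a small per-account throttle in which each consecutive failed login past a few free tries doubles the wait before the next attempt is even evaluated, failures are forgotten after a sliding window, and a correct password resets the state. The `LoginThrottle` class, its parameter values, the account name and the guess list are all constructed for illustration; the simulation at the end replays a 200-word guess list at one guess per second to show how few guesses the throttle lets an online dictionary attack actually test.

```python
"""Progressive login throttling (constructed example, not the list's code).

Each consecutive failure on an account beyond `free_attempts` doubles the
delay before another attempt on that account is evaluated, capped at
`max_delay`.  Failures older than `window` seconds are forgotten, and a
successful login clears the account's state.  Refused attempts are not
evaluated at all, so they cannot leak whether a guess was right.
"""
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures inside the window
    last_failure: float = 0.0  # timestamp of the most recent failure
    locked_until: float = 0.0  # attempts before this time are refused


class LoginThrottle:
    def __init__(self, base_delay=1.0, max_delay=900.0,
                 window=3600.0, free_attempts=3):
        self.base_delay = base_delay      # base_delay=0.0 disables throttling
        self.max_delay = max_delay
        self.window = window
        self.free_attempts = free_attempts
        self._state: dict[str, AccountState] = {}

    def required_delay(self, failures: int) -> float:
        """Seconds an account must wait after `failures` consecutive failures."""
        extra = failures - self.free_attempts
        if extra <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (extra - 1), self.max_delay)

    def _get(self, account: str) -> AccountState:
        return self._state.setdefault(account, AccountState())

    def check(self, account: str, now: float):
        """Return (allowed, seconds_to_wait) for an attempt at time `now`."""
        st = self._get(account)
        # Forget failures that fall outside the sliding window.
        if st.failures and now - st.last_failure > self.window:
            st.failures = 0
            st.locked_until = 0.0
        if now < st.locked_until:
            return False, st.locked_until - now
        return True, 0.0

    def record_failure(self, account: str, now: float) -> int:
        """Count a wrong password and extend the lockout; returns the count."""
        st = self._get(account)
        st.failures += 1
        st.last_failure = now
        st.locked_until = now + self.required_delay(st.failures)
        return st.failures

    def record_success(self, account: str) -> None:
        """A correct password clears the account's failure history."""
        self._state.pop(account, None)


def simulate_guessing(throttle, account, guesses, interval, correct):
    """Replay a guess list against one account, one guess every `interval`
    seconds.  Returns (evaluated, refused, seconds_elapsed, cracked)."""
    evaluated = refused = 0
    now = 0.0
    for guess in guesses:
        allowed, _wait = throttle.check(account, now)
        if not allowed:
            refused += 1            # not evaluated, attacker learns nothing
        else:
            evaluated += 1
            if guess == correct:
                throttle.record_success(account)
                return evaluated, refused, now, True
            throttle.record_failure(account, now)
        now += interval
    return evaluated, refused, now, False


# Constructed wordlist: 200 candidate passwords, the real one at index 150.
GUESSES = [f"guess{i:03d}" for i in range(200)]
REAL_PASSWORD = "guess150"
ACCOUNT = "victim@example.invalid"   # constructed account name


def compare() -> dict:
    """Same attack with and without the throttle, one guess per second."""
    unthrottled = simulate_guessing(LoginThrottle(base_delay=0.0), ACCOUNT,
                                    GUESSES, 1.0, REAL_PASSWORD)
    throttled = simulate_guessing(LoginThrottle(), ACCOUNT,
                                  GUESSES, 1.0, REAL_PASSWORD)
    return {"unthrottled": unthrottled, "throttled": throttled}


if __name__ == "__main__":
    for label, (ev, ref, secs, cracked) in compare().items():
        print(f"{label:12s} evaluated={ev:3d} refused={ref:3d} "
              f"elapsed={secs:5.0f}s cracked={cracked}")
```

With these parameters the unthrottled run evaluates all 151 guesses up to the real password and succeeds in 150 seconds, while the throttled run evaluates only 11 of the 200 guesses in the same 200 seconds and never reaches it. Two design choices matter for a real deployment: the throttle is keyed by account rather than by client address, because the attacks the post describes come from the attacker's own machines, which can change address freely; and the lockout is a growing delay with a cap rather than a permanent lock, so an attacker cannot use the control itself to lock the legitimate owner out indefinitely.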

More information about the kwlug-disc mailing list