Email Hacking- How Is It Done?

[+ Lucky]

The news today reveals that a certain governor of a western state had her email account hacked and her personal emails revealed. (This is NOT a politics thread, thank you.) So, how is this done?

 

I wonder because one of my accounts was hacked and I have never told anyone the password nor have I written it down. I found out when I started to receive MAILER-DAEMON type responses telling me that my email had been sent to a closed or nonexistent account. Of course, I had never sent the email in the first place. So, I ask, how is this done? I stopped it by changing my password, and not staying signed in to the account.

[Lookin]

I'm not an expert on this, but I'll share what I know, as the same thing happened to me last year.

 

Although possible, it's likely your email account wasn't hacked at all. All someone (like a spammer) needs in order to send out thousands of emails from "you" is your email address. They don't need access to your email account, and they don't need your password. All they need is your email address.

 

The SMTP (Simple Mail Transport Protocol) servers that handle most email over the internet are not very sophisticated, and they assume that the address that's sending an email is legitimate. They don't use any authentication process or password. If someone sending an email says he's "Lucky@myisp.c0m", that's good enough. Out it goes with your email address.

 

So how does a spammer get your email address? Even if you're careful never to give out your email address to any unknown website, and only to friends you trust, your email address can still fall into the hands of a spammer. Did a friend ever send you an email that's been forwarded a bunch of times, with a hundred email addresses listed for everyone to see? If anyone along the line had his email account compromised, there's your email address along with all the others. I think that's how my email address got "harvested" by a spammer.

 

After a few weeks, the spammer must have moved on to somebody else's email address, since I stopped getting "undeliverable" messages from people I never heard of. If it had become a chronic problem, the fix would have been to get a new email address.

 

You might want to ask your friends never to forward an email from you, without removing your email address. It should be common courtesy these days, but many people don't have a clue what could and does happen.

[+ Lucky]

I have asked friends not to include me in mass mailings, yet people love to do it. I've learned a lot from it...like who is in their email contacts list. Sometimes it's pretty interesting, but never worth the trouble.

 

Note to friends: Please do not send me mass emails. If it isn't worth sending to me alone, I don't want it! (Naked Asian and Latin guys excepted.)

[+ deej]

There is a difference between hacking and spoofing.

 

Your mailer-daemon mail was probably the latter. Someone sent SPAM with your address in the "From" field. (This is so easy to do you can do it in a Word macro in a few lines of code.) You received the bounce messages. They don't gain control of your account, they just annoy the hell out of you because of the bounces they cause.

 

Hacking is breaking into the account, and can be pretty easy with a Yahoo mail account because you use the same name to login as your address. Given an address, just set a dictionary program to try every word and combination of words until it stumbles on the password. You're in, and have full control of the account and can see anything in it.

 

The dictionary approach may take a while, but it's the kind of repetitive task computers are good at. And that's assuming none of the obvious passwords (kids names, pets names, etc.) were used. What do you suppose are the odds of the in-DUH-vidual having used a strong password?

[Justice]

There's a now former news anchor in Philadelphia, who just plead guilty to charges that he hacked into another (also former) news anchor's e-mail accounts. He allegedly "installed a small keystroke-logger device - typically attached to the cord between the keyboard and computer" to obtain her user names and passwords. ( http://www.philly.com/philly/news/homepage/20080722_U_S___Mendte_a_tireless_spy.html.)

 

(All the sordid details can be found in these news articles: http://www.philly.com/philly/hot_topics/12558721.html.)

 

Scary thought. If I was his victim, I don't think that I would ever be comfortable using e-mail again.

 

Justice

[+ Lucky]

deej, my passwords are now a lot more difficult than they used to be...but computer programs can probably figure them out anyway...but the bother would hardly be worth it.

[+ ArVaGuy]

About 7 years ago my company's entire email system got hacked. It was a mess to unravel. Whole new protocols had to be created and changes to the security levels. Our spam filters have been upgraded to the best available but that only works just to a limited degree. I still from time to time get spoofed messages.

 

Try googling your e-mail address. I did that with my office address and found that my e-mail was listed on an attendee roster for a meeting I attended in 2004 posted on a conference web site. That was a bit of a surprise and also led me to change some of our procedures for managing attendee rosters for my own organization.

 

One way I manage my personal email is to have several different accounts. I have my main personal and business account through my ISP. That address is only given to very close friends and business contacts. I also have two Yahoo accounts for internet and other stuff. When I order anything online I use one of these e-mail addresses. One of them gets bombarded with spam while the other only gets a few.

[+ Charlie]

I, too, have always had one email account which I use for friends and personal business, and another yahoo address which I give to organizations, businesses, etc. When I returned from a recent two weeks trip, there were over 200 spams in the latter mailbox, only one in the personal acct.

[+ Lucky]

I'll bet yahoo was the one with the most spam as their filters seem to be off duty half the time. Gmail never sends spam to my inbox, and hotmail rarely does.

[+ deej]

Well, yeah, real effort is usually reserved for high value targets. :-)

 

But I read this morning they didn't even need the dictionary-style attack. They just used Yahoo's password reset feature to hijack the account. Between Wikipedia and Google, it took almost no time at all to guess the answers to the "security questions".

[Steven_Draker]

This article might be helpful

http://en.wikipedia.org/wiki/Email_Privacy

 

Read especially the part about 'routers'

 

Steven Draker ~

[a href=http://www.hotsexystud.com/uk]website[/a] [a href=http://www.daddysreviews.com/review.php?who=steven_draker_brussels]reviews[/a]

[a href=http://www.aidslifecycle.org/1554]Aids Life Cycle 2009[/a] (soon)

[Guest ryan2552]

Not email related but security related.

 

People are stupid when it comes to security. Seriously stupid. There is a well known adult site that I visit a few times per week. I was curious about the ownership and did a whois look up. Using that information I went to their business site.

 

Once at the business site I noticed they were seeking clients. They had several tabs like portfolio, prices, about us, and forums.

 

I clicked around and ended up in the forums. Once there I observed that the only people posting were those involved with the site(s) they own. Being the curious type I clicked around and found a post where one of the site managers posted his login information to the control panel, of his site, so a tech support person could check something out.

 

Naturally being the curious type I tried the link and info and I was in. AND that led me to other passwords to ALL of their sites, ALL of their billing info, ALL of their income statements, ALL of their user passwords - it took about a week or two and I had everything I needed to hijack, steal or do whatever I wanted with their sites.

 

I DID NOTHING. But it was a strange feeling having all that information available for me to eventually find because of one person's stupidity. In fact, my guess is that most of the info I found is probably still good to this day.

 

Basically I think that my experience wasn't such a far out exception. That many "hackers" simply take advantage of how people handle secure information.