In the wake of the news reports this week of the large-scale webmail phishing attacks, much of the coverage has surrounded the compromise of email accounts which, according to the numbers, affected a massive amount of webmail users.
However, what has been glossed over is the potential impact on the other aspects of the victims’ online lives. The bad guys likely now have more than just access to users’ email accounts, they have access to a host of other online services the victim uses.
“A user’s unique email address is often used to authenticate a number of web sites, including social networking sites and Instant Messaging on a public IM network,” said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec. “If your email address has been compromised, not only should you change the password there, you should also change it on any other site that uses that email address as a log in ID.”
Once the bad guys have email account information and the will to take over a related social networking accounts, all they need to do is try the password reminder links from the login pages. They can then not only use your email to spam, they can also gain access to other personal information stored online.
Over the last year, MessageLabs Intelligence has tracked a number of phishing attacks using Instant Messaging whereby the bad guys collected real IM user account information and passwords and used them to send commercial messages to everyone on the user’s buddy list. An invitation to view a funny video or embarrassing pictures by clicking on a link in an IM was the bait and the landing site would then ask the victim to log in with their IM user name and password. For public IM networks, the user name is often the same as the web-based email account.
Phishing isn’t the only way the bad guys can gain access to webmail accounts. MessageLabs Intelligence has been aware of an increase in the number of “brute-force” password breaking attempts, where dictionary attacks are used against online webmail accounts to break in, perhaps using POP3 or webmail to conduct the attacks. Users with simple or weak passwords are the most vulnerable. On the website, an attacker will be asked to solve a CAPTCHA puzzle to prove they are a real person. CAPTCHAs can be easily bypassed using a variety of CAPTCHA-breaking tools.