<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="text-align:left; direction:ltr;">
<div>Hans-Martin Mosner schrieb:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<p>Hi folks,</p>
<p>I'm trying to understand the root causes and vulnerabilities that lead to hacked mailboxes. Currently, we can handle dynamic IP ranges pretty well, and we have an extensive list of network ranges whose owner are spammers or knowingly accept spammers as customers.</p>
<p>So what mainly remains as spam sources are hacked servers/websites, hacked mail accounts, and freemail accounts registered with the purpose of spamming (I'm looking at you, Google).</p>
<p>Here I want to focus on hacked mail accounts. I can think of two major root causes but I have no idea about their relative significance:</p>
<ul>
<li>Easily guessable passwords, with two subcauses for exploits:<br>
<ul>
<li>Brute force authentication attempts - I'm seeing them regularly, and the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at our mailserver, but some mailops are less struct about blocking such abusers.
</li><li>Hashed password data exfiltration and cracking (for example using JtR) these lists - this would work better with weaker password hashing, but with weak passwords and some CPU power it is probably possible even for strong hash algorithms.
</li></ul>
</li><li>Malware on client machines where passwords are either stored in a password vault, or entered manually.
</li></ul>
</blockquote>
<pre><br></pre>
<pre><br></pre>
<div>I suspect a large amount would be caused by phishing. Users getting a malicious email (generally) leading them to a phishing page where they happily introduce their credentials. Some users fall even for "badly designed" phishing sites without any sophistication
at all.</div>
<div>If after compromise the phishing uses the newly-minted credentials to send itself to their address-book (which on corporate systems can be the whole organization), that explains how there can be such clusters. Fresh students would not know the ins and
outs of their new system (they may not even know how to properly <i>use</i> their email account, but that's a bigger issue) thus being easy prey when receiving a "Your mailbox is getting full" email. Corporate users (Government or otherwise) don't have such
excuse, though.</div>
<div><br>
</div>
<div>Getting infected with malware would be less prevalent than this, one would hope. There are many more layers where it can be detected, both by the users themselves (would generally require more steps and show more warnings) and detection of the malware
at the endpoint. Although users will nevertheless get themselves compromised no matter what.</div>
<div><br>
</div>
<div><br>
</div>
<div>A fourth recent source of compromised mailboxes are compromises of unpatched Exchange servers, albeit that's recent and will eventually disappear.</div>
<div><br>
</div>
<div><br>
</div>
<div>Best regards</div>
<div><br>
</div>
<div><span>
<pre><pre>-- <br></pre>INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/
PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys
====================================================================
INCIBE-CERT is the Spanish National CSIRT designated for citizens,
private law entities, other entities not included in the subjective
scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
Jurídico del Sector Público", as well as digital service providers,
operators of essential services and critical operators under the terms
of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de
las redes y sistemas de información" that transposes the Directive (EU)
2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and
information systems across the Union.
====================================================================
In compliance with the General Data Protection Regulation of the EU
(Regulation EU 2016/679, of 27 April 2016) we inform you that your
personal and corporate data (as well as those included in attached
documents); and e-mail address, may be included in our records
for the purpose derived from legal, contractual or pre-contractual
obligations or in order to respond to your queries. You may exercise
your rights of access, correction, cancellation, portability,
limitationof processing and opposition under the terms established by
current legislation and free of charge by sending an e-mail to
dpd@incibe.es. The Data Controller is S.M.E. Instituto Nacional de
Ciberseguridad de España, M.P., S.A. More information is available
on our website: https://www.incibe.es/proteccion-datos-personales
and https://www.incibe.es/registro-actividad.
====================================================================
</pre>
</span></div>
</body>
</html>