We do not condone or support this and only aim to describe how easy it is for criminals to steal user account details.
In 2013 alone we have seen the New York Times, the Associated Press’ Twitter account and the Ubuntu forums hacked. All of these were made possible by password theft. When a criminal tweeted as the Associated Press, the stock market dropped. The consequences are huge.
We describe, step by step, how easy it is to perform these devastating attacks with very little technical knowledge. At the end of the article, we give some lessons for consumers and companies to protect themselves.
Step 1. Gather Email Addresses
Download the database of a hacked website – these aren’t hard to find.
Alternatively, guess a target’s work email address from the information on their LinkedIn profile. Most companies use a predictable pattern such as firstname.lastname@example.org.
Your email address is the holy grail of stolen information: it is the starting point of identity theft and account hijacking, also known as account takeover in the industry. It is far more useful than you’d imagine.
There are tools used by marketers to find out what social networks you are signed up for. Rapportive is just one. Plug in an email address and it searches all the social networks for you. In under 10 seconds I know which are your Facebook, LinkedIn and Twitter accounts. I can also use it to check I’ve guessed an email correctly.
A moderately skilled criminal could write a program to test thousands of stolen email addresses against these tools. Quickly, I’d have my own database of emails and their owners’ social networks. The end goal is to steal your identity: the more I know about you, the more convincingly I can assume that identity, learn your security questions for online banking, online shopping and social media websites, and even steal more information from your friends or employers.
Step 2. Get the Passwords
Aren’t Passwords Encrypted?
If you downloaded a leaked database, it probably holds passwords that are hashed rather than stored as plain text. So that renders them useless, right? Wrong. A hash function turns a password into a fixed-length, unreadable string that cannot be reversed directly. It is not encryption: there is no key and nothing to decrypt. One common, and now badly outdated, hash algorithm is MD5.
For example, the password “Oranges” hashed with MD5 turns into “62f2b77089fea4c595e895901b63c10b”.
The kicker is that precomputed hashes of whole dictionaries are available for free online, as plain lookup tables and the more compact rainbow tables. Thieves look up the garbled string and simply cross-reference it to get the plain-English password. This only works because the site hashed passwords with a fast algorithm like MD5 and without a per-user random salt; a salted, deliberately slow hash (bcrypt, scrypt or PBKDF2) makes the precomputed tables worthless and forces the attacker to guess each user’s password separately.
From a stolen database of thousands of passwords, a good number will be dictionary words. It is also likely that those people reuse the same password across their Amazon, Facebook and other social accounts. Using this method I will have gained access to hundreds of user accounts. Simple!
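The lookup attack just described, alongside the defence a website should have used, as an added worked example in Python. This is my illustration, not code from the original article or from any tool it mentions. The wordlist and the “leaked database” are constructed inline for the demonstration (no real breach data), the hashes are computed on the fly rather than copied from the article, and PBKDF2 from the standard library stands in for bcrypt or scrypt, which the article does not discuss.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a downloaded dictionary; a real wordlist has millions of entries.
WORDLIST = ["password", "letmein", "Oranges", "sunshine", "qwerty", "dragon"]


def build_lookup_table(words):
    """Precompute md5(word) -> word once, then reuse it against every leaked database.

    This is the principle behind free online lookup and rainbow tables: the work is
    done in advance, so cracking an unsalted hash becomes a dictionary lookup.
    """
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def crack_unsalted(leaked_db, table):
    """Cross-reference each leaked hex digest against the table; return email -> password for hits."""
    return {email: table[digest] for email, digest in leaked_db.items() if digest in table}


# The defence: a per-user random salt plus a deliberately slow key-derivation function.
# hashlib.pbkdf2_hmac ships with Python; bcrypt, scrypt and Argon2 are the usual
# production choices and work on the same principle.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return 'salt_hex$iterations$digest_hex', with a fresh 16-byte salt unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_salted_with_table(stored_db, table):
    """The precomputed md5 table never matches a salted PBKDF2 record, so this yields no hits.

    An attacker who also steals the salts can still guess per user, but must run the
    slow KDF once per (user, guess) pair instead of doing one lookup; nothing can be
    precomputed and shared across users or across breaches.
    """
    return {email: table[record] for email, record in stored_db.items() if record in table}


def demo():
    table = build_lookup_table(WORDLIST)

    # Constructed "leaked database" of unsalted md5 digests; not data from any real breach.
    leaked_db = {
        "alice@example.org": hashlib.md5(b"Oranges").hexdigest(),
        "bob@example.org": hashlib.md5(b"qwerty").hexdigest(),
        "carol@example.org": hashlib.md5(b"v7#Qz!p2Lm9r").hexdigest(),  # not a dictionary word
    }
    cracked = crack_unsalted(leaked_db, table)

    # The same users and passwords, stored the way the site should have stored them.
    salted_db = {
        "alice@example.org": hash_password("Oranges"),
        "bob@example.org": hash_password("qwerty"),
        "carol@example.org": hash_password("v7#Qz!p2Lm9r"),
    }
    not_cracked = crack_salted_with_table(salted_db, table)
    return cracked, not_cracked


if __name__ == "__main__":
    cracked, not_cracked = demo()
    print("unsalted md5, cracked by lookup:", cracked)
    print("salted PBKDF2, cracked by lookup:", not_cracked)
```

Running it shows Alice and Bob fall to the lookup table while Carol, with a non-dictionary password, does not; against the salted store nobody falls, and each guess an attacker does make costs 200,000 iterations of PBKDF2 instead of one table lookup.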
What if I don’t have a Rainbow Table?
If I knew where they worked (from LinkedIn), I’d send spear-phishing emails that look like they come from the IT department of their company, or even from a specific person in that department, also found on LinkedIn or on the jobs board; companies often list ‘reporting to’ staff names there. This is a numbers game: most won’t fall for it, but with a few thousand email addresses, someone will bite.
If they don’t bite, why not chat with them on Facebook or Twitter to learn enough about them to answer their security questions and reset their password that way.
Now I’ve created my own spreadsheet of hundreds of email addresses and passwords and associated social media accounts.
The real holy grail is the email and password combination for a corporate email address. A quick search in my spreadsheet would reveal whether I have any .gov or @nyt.com addresses. For a criminal, access to one of these gives them the ability to move stock prices and cause national emergency scares.
Real World Examples:
This year alone, these methods have been used to:
- Leak Ubuntu and Vodafone Germany’s customer data. Both happened when thieves got hold of legitimate, administrator-level passwords for databases full of customer data.
- Thieves used this method to log into the New York Times’ DNS provider, taking the whole site offline. DNS is the system that turns a name like “https://newyorktimes.com” into the IP address that internet browsers require. By gaining access to the DNS provider, the criminals redirected https://newyorktimes.com to a different IP address, and so to a different website.
- Attackers used this method of password theft to hijack a marketing tool that allowed them to tweet from the official Associated Press account that “Breaking: Two Explosions in the White House and Barack Obama is injured”, causing the Dow Jones to lose 143 points.
Lessons for Consumers:
- Consider turning off the “allow users to find me by my email” option on social sites. This stops the automated tools (and your friends) from finding you by email.
- Use two-factor authentication, if it’s available.
- Social media privacy: don’t give away too much to the public.
- Use a password manager, which takes the pain out of remembering passwords and even generates long, non-dictionary ones. The best ones are free and even have iPhone and Android apps.
- Don’t reuse passwords
- Don’t use a dictionary word as your password
Lessons for Companies:
- Consider VPN access to your systems, although this often slows users down and requires more passwords.
- Add two-factor authentication (2FA), or full multi-factor authentication, on top of passwords; a stolen password alone should not be enough to log in.
- Consider behavioural analysis so that even if a user’s password or 2FA token is lost or stolen, you can tell that it isn’t the real user inside the account.