Thursday, October 29, 2009

Change passwords: Crooks want keys to your e-mail

This was in the paper edition on 10/28/2009


http://www.usatoday.com/money/media/2009-10-27-cybercrime-phishing-account-passwords_N.htm

By Byron Acohido, USA TODAY
Phishers are back with a vengeance, armed with some alarming new trickery.

Those e-mail scammers who try to fool you into typing your user name and passwords at faked financial Web pages have been around in force since 2002. They remain active, though many Web users have gotten adept at spotting, and avoiding, ruses to get their financial account log-ons.

However, after a lull at the start of this year, phishing attacks suddenly spiked 200% from May through September, according to IBM's X-Force research team. Phishers are going after log-ons to Web mail, social networking and online gaming accounts, security experts say.

In the evolving cyberunderground, valid Web mail accounts, in particular, are considered highly valuable "virgin" assets, useful for sending out viral e-mail messages likely to go unblocked by spam filters, Sophos researcher Beth Jones says.

Virgin mail accounts have become hot commodities; a valid log-on to a Windows Live, Gmail, YahooMail or AOL e-mail account can sell for as much as $2 — more than double what a stolen credit card account number fetches, says Fred Rica, principal at PricewaterhouseCoopers' security practice.

Cybercriminals are attuned to the fact that many people use their free Web mail account address to open financial, social network, travel and other online accounts. "Your e-mail account is the key to your online persona," says Henry Stern, Cisco security researcher.

And yet a recent Sophos survey found 33% of the respondents used just one password online, while 48% used just a few different ones. "The sad reality is most people use the same user names and passwords on many different websites," says Sam Masiello, threat researcher at McAfee's MX Logic messaging security section.

Finding a gold mine

With possession of your Web mail user name and password, cybercrooks can carry out a matrix of lucrative online capers, made all the easier if you use just one or a handful of the same passwords. They can send out e-mails that appear to come from you to everyone in your address book to try to get them to divulge passwords. And they can scour your e-mail folders for clues to the social networks and online banks you use, then crack into those accounts — and change the passwords so only they can access them.

This works in part because many online services require an e-mail address to set up a Web account. Meanwhile, replacement passwords are typically sent to that e-mail address — a perfect setup for a crook who is in control of the e-mail account, says Amichai Shulman, chief technical officer of security firm Imperva.

Phishers can also sell your virgin account to specialists who will use it to send out infectious e-mails to your contacts and all across the Internet — messages that appear to come from you. Such viral messages typically carry corrupted Web links purporting to be for celebrity stories, enticing videos or fake shipping notices.

Clicking on one of these bad links can turn control of the victim's PC over to the attacker, who will then use the PC to steal data, spread promos for fake anti-virus subscriptions or hijack your online financial accounts. "Log-ons from a Web mail site can lead to a gold mine," Masiello says.

The harvesting of virgin Web mail accounts has become a cornerstone of the cyberunderground, so much so that it has evolved into an entry-level cybercrime, says Fred Touchette, senior analyst at messaging security firm AppRiver. Starter kits, complete with slick, ready-made faked log-on pages for each of the top Web mail services and social networks, are readily available — for free. A newbie phisher has only to supply a website on which to host the faked page and collect the stolen passwords.

This has become a widespread activity, one that is keeping the cyberunderground supplied with a new generation of scammers getting in on the ground floor. The crooks supplying the free tool kits have a stake in flushing out as many virgin accounts as possible. "Each account presents new opportunities to make money," Touchette says.

Demand spawns other attacks

The demand for virgin Web mail accounts has, in fact, become so robust that top-tier cybercrime gangs are going after them with other kinds of attacks as well. Some specialize in tainting legitimate Web pages, or corrupting search results, with imperceptible infections. Clicking on the tainted Web page or corrupted search result can open a backdoor on the user's PC, through which the attacker can install a program to steal keystrokes — especially those typed into a Web mail log-on form.

Another popular attack involves hacking into the databases of employment sites, shopping sites or any site that collects sensitive information, including valid e-mail addresses.

ScanSafe researcher Mary Landesman says she regularly finds caches of thousands of stolen Web mail log-ons stashed away in nooks and crannies of the Internet, often organized in a way that makes it clear an infection or database hack was used to harvest the data.

"Most disturbingly, we came across a cache of stolen credentials quite by accident posted in plain view on a now defunct website," she says. "Presumably others could have found it as well."

Security experts advise consumers to use unique passwords for each online account, and to change or rotate passwords on a regular basis. That way if your Web mail password does get stolen, it will become useless to criminals when next you change it.
