Webmail Phishing Attacks – The True Cost

MessageLabs points out in this timely report, the true cost of webmail phishing attacks, and the impact such attacks can have on the victims of this cyber-criminal activity.

Courtesy of MessageLabs:

In the wake of the news reports this week of the large-scale webmail phishing attacks, much of the coverage has surrounded the compromise of email accounts which, according to the numbers, affected a very large number of webmail users.

However, what has been glossed over is the potential impact on the other aspects of the victims’ online lives. The bad guys likely now have more than just access to users’ email accounts; they have access to a host of other online services the victim uses.

“A user’s unique email address is often used to authenticate a number of web sites, including social networking sites and Instant Messaging on a public Instant Messaging (IM) network,” said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec. “If your email address has been compromised, not only should you change the password there, you should also change it on any other site that uses that email address as a log in ID.”

Once the bad guys have email account information and the will to take over related social networking accounts, all they need to do is try the password reminder links from the login pages. They can then not only use your email to spam, they can also gain access to other personal information stored online.

Over the last year, MessageLabs Intelligence has tracked a number of phishing attacks using Instant Messaging whereby the bad guys collected real IM user account information and passwords and used them to send commercial messages to everyone on the user’s buddy list.

An invitation to view a funny video or embarrassing pictures by clicking on a link in an IM was the bait and the landing site would then ask the victim to log in with their IM user name and password. For public IM networks, the user name is often the same as the web-based email account.

Phishing isn’t the only way the bad guys can gain access to webmail accounts. MessageLabs Intelligence has been aware of an increase in the number of “brute-force” password breaking attempts, where dictionary attacks are used against online webmail accounts to break in, perhaps using POP3 or webmail to conduct the attacks.

Users with simple or weak passwords are the most vulnerable. On the webmail site itself, an attacker will normally be asked to solve a CAPTCHA puzzle to prove they are a real person, but CAPTCHAs can be easily bypassed using a variety of CAPTCHA-breaking tools.
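The brute-force activity described above leaves a recognisable trace in a mail server's authentication log: many failed logins for one account, or from one source address, inside a short window. The following Python is an added illustration, not part of the MessageLabs report; the log line format, the constructed sample log, the five-failure threshold and the five-minute window are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source walking a word list against
# one mailbox over POP3, plus ordinary traffic that should not be flagged.
SAMPLE_LOG = """\
2009-10-07 09:00:01 pop3 login failed user=alice src=203.0.113.5
2009-10-07 09:00:02 pop3 login failed user=alice src=203.0.113.5
2009-10-07 09:00:03 pop3 login failed user=alice src=203.0.113.5
2009-10-07 09:00:04 pop3 login failed user=alice src=203.0.113.5
2009-10-07 09:00:05 pop3 login failed user=alice src=203.0.113.5
2009-10-07 09:00:06 pop3 login failed user=alice src=203.0.113.5
2009-10-07 09:00:30 webmail login failed user=bob src=198.51.100.7
2009-10-07 09:00:45 webmail login ok user=bob src=198.51.100.7
2009-10-07 09:20:00 pop3 login failed user=carol src=192.0.2.9
"""

# Assumed log format; adapt the pattern to the real server's line layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<svc>\w+) login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_failures(text):
    """Yield (timestamp, user, src) for each failed login; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "failed":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("src")

def find_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {key: peak_failures} for every account or source that accumulates
    `threshold` or more failed logins inside a sliding `window`.
    Keys are 'user:<name>' (one mailbox under attack, possibly from many sources)
    and 'src:<ip>' (one source hammering any number of mailboxes)."""
    recent = defaultdict(deque)   # key -> failure timestamps still inside the window
    alerts = {}
    for ts, user, src in sorted(parse_failures(text)):
        for key in (f"user:{user}", f"src:{src}"):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # discard failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts

if __name__ == "__main__":
    for key, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {key}: {n} failed logins within 5 minutes")
```

Feeding the same rule both per-account and per-source keys is what separates a single guessed account from a distributed dictionary run; either view alone misses one of the two patterns.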




4 responses to “Webmail Phishing Attacks – The True Cost”

  1. Hey Bill, This MessageLabs report is very informative. Many people use their email addresses as user names for other online services so when one account is hacked into, it can affect them in a number of ways. Are there any tips you find to be essential when it comes to users protecting themselves against these attacks?

    • Bill Mullins

      Hey TuneUP,

      Regular readers of this site are very familiar with the following recommended security strategy to protect their computer system, their money and their identity. I’m sure regular readers could recite the following verbatim. LOL!

      Out of the 1,000 articles on my site at least 300+ include the following advice and more, depending on the specific article.

      *Do not engage in any of the following unsafe surfing practices:*

      *Downloading files and software through file-sharing applications such as BitTorrent, eDonkey, KaZaA and other such programs.*

      *Clicking links in instant messaging (IM) that have no context or are composed of only general text.*

      *Downloading executable software from web sites without ensuring that the site is reputable.*

      *Using an unsecured USB stick on public computers, or other computers that are used by more than one person.*

      *Opening email attachments from unknown people.*

      *Opening email attachments without first scanning them for viruses.*

      *Opening email attachments that end in a file extension of .exe, .vbs, or .lnk.*

      *Don't open unknown email attachments*

      *Don't run programs of unknown origin*

      *Disable hidden filename extensions*

      *Keep all applications (including your operating system) patched*

      *Turn off your computer or disconnect from the network when not in use*

      *Disable Java, JavaScript, and ActiveX if possible*

      *Disable scripting features in email programs*

      *Make regular backups of critical data*

      *Make a boot disk in case your computer is damaged or compromised*

      *Turn off file and printer sharing on the computer*

      *Install a personal firewall on the computer*

      *Install anti-virus and anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet*

      *Ensure the anti-virus software scans all e-mail attachments*

      *Be proactive when it comes to your computer's security; make sure you have adequate software based protection to reduce the chances that your machine will become infected. Most of all, understand that you are your own best protection.*

      I must add, however, that the reader is constantly reminded that an educated reader is his/her own best protection.

      Btw, I noticed you have added my site to your Blogroll – thanks for that. I’ve just returned the favor.

      At the moment, I’m in the process of writing an article in which I am advising readers to write down their passwords – in this way they can create passwords that are more secure. The old advice about not writing down a password is nonsense – it leads directly to simple passwords that are easy to break. Time for a change in thinking.

      Bill

  2. Hi Bill,

    He he he, well ok I guess my comment was not as well thought out as it could have been … Friday after a long week 🙂

    I do agree that the poorly advised practice of not writing down passwords is crazy and has been a little distorted from the original intent. Writing down passwords then saving them in an email, on a mobile (in the ‘Password Protector’ file no less!), etc., is the real issue. Paper is good – hackers do have limits after all 🙂

    Thanks for the link by the way – maybe we can work out a point-counter-point post some time … just a thought. Coffee’s done, gotta go!

    • Bill Mullins

      Hey Eric,

      Love the point-counter-point post idea! Let’s talk about that further.

      Hope the coffee was worth the wait. LOL!

      Talk to ya later,