A recent report from Commtouch finds about one third of Gmail, Yahoo, Hotmail and Facebook users even noticed when they were hacked, and more than half found out later after friends alerted them. This lag time provides a wide open window for scammers to use social engineering techniques to target more valuable targets, and harvest droves of personal information, long after a user might need to take steps to protect themselves.
Recently, there has been a flurry of Trojans hitting the streets as email attachments (with official-sounding attachment names) purporting to be from the I.R.S. or a payment service. When opened, the nastiness begins. Think about how much more likely people in your contact list on a service like Gmail would be to take a look if that came from your account, thereby leveraging a trust relationship to catch them with their guard down. Obviously, scammers don’t have to have a high success rate to effectively spread their malware.
We see increasing use of social engineering in online scams these days, which really is just a way to elevate trust of the scammer. In years past, hackers used this as a cornerstone of their activities, gaming people out of dial-up numbers, phonecards, etc. Later that gave way to more mass spam campaigns and other nonsense. As organizations have gotten better at implementing filter and reputation systems, scammers seem to be moving back the other direction toward old familiar ground.
The attacks are becoming much more sophisticated, and sequential, so breaking into your email account may very well be just the tip of the spear, so to speak. After they gain this, they datamine and repeat the process, targeting very specific areas as they go. Many users have the same username/password pair across multiple services, so the scammers build a database as they go, slowly gaining more and more access to your life. Over time, their database becomes more and more valuable for sale to other scammers, and the process repeats.
The report, “The State of Hacked Accounts”, said one in eight hijacked accounts were used for phony distress email scam, asking the friend to wire funds to a foreign country, never to be seen again. More than half were used to send spam.
Among the 34% who knew their account was hacked, 15% cited a Facebook link scam, 15% cited a WiFi connection, and 15% clicked on email-based malware. There’s other great information in the report, it’s a good read.
How do you protect yourself? First, find some way to manage your passwords across the different services you use. It may be easy to think up a random password that’s secure, but that makes it hard to remember, especially if you change it often. Also, watch your email account for strange behavior that doesn’t look like it originated from you, for example, bounced messages it doesn’t look like you sent. Keeping on top of your accounts might spare you the expense of having your data trotted out for the world to see and exploit, which is never a good end to the story.
Author Cameron Camp, ESET