Special Report: The State of Hacked Accounts (October 2011)

Upload: cyren

Posted on 30-Oct-2014


DESCRIPTION

A new trend has emerged in the sending of malware. Spammers have significantly increased their use of compromised accounts (accounts whose credentials have been stolen or hacked) to send spam and malicious emails. Having observed greater use of compromised accounts, Commtouch undertook primary research into the use of these accounts for sending spam. The research included a survey of people whose accounts had been compromised. This presentation is a condensed overview of the research report. It also includes tips for end users on how to prevent their accounts from being hacked or compromised.

TRANSCRIPT

Page 1: Special Report: The State of Hacked Accounts

October 2011

SPECIAL REPORT: The State of Hacked Accounts

Page 2: Special Report: The State of Hacked Accounts

About this Report:

The following is a condensed overview of end-user research compiled by Commtouch to explore issues related to the theft, usage and recovery of compromised accounts. This document also includes tips for end users on how to prevent their accounts from being hacked or compromised.

The complete report can be downloaded at http://www.commtouch.com/hacked-accounts-report-Oct2011

Page 3: Special Report: The State of Hacked Accounts

Background

Spammers are using compromised accounts (accounts whose credentials have been stolen or hacked) to send spam and malicious emails.

Page 4: Special Report: The State of Hacked Accounts

Background

Increased use of compromised Gmail & Hotmail accounts in Q2 & Q3 2011

• Hotmail: 28-35% of the spam from Hotmail actually comes from compromised or spammer-created Hotmail accounts
• Gmail: Mostly (96-97%) from zombies that simply forge Gmail addresses
• Q3 2011 saw growth in the use of compromised Hotmail & Gmail accounts over Q2

Source: Commtouch

Page 5: Special Report: The State of Hacked Accounts

Introduction

Why the move by spammers to Compromised Accounts

1. Antispam solutions are becoming better at blocking botnets (IP reputation can typically block 85-95% of spam based on IP).

2. Blocking of spam from compromised accounts is more difficult as accounts often exist within whitelisted IP address ranges (such as Hotmail or Gmail).

3. Although spammers can set up their own legitimate accounts for sending spam, email providers obstruct this phenomenon to the best of their ability.

4. Recipients are often more trusting of emails coming from a known source.

Page 6: Special Report: The State of Hacked Accounts

Introduction cont…

There are some issues for spammers using compromised accounts:

• Compromised accounts can only be used for relatively small spam runs of a few hundred or thousand messages without being detected by the provider
• The accounts need to be compromised/hacked/stolen before they can be used.

The result:

• The new spammer tactic of using compromised accounts generates smaller volumes of spam, but with better delivery rates.

Page 7: Special Report: The State of Hacked Accounts

Goal of the Research

The research set out to understand the following…

• What accounts are targeted?
• How are accounts compromised?
• Are compromised accounts used for other purposes besides spam and scams?
• How do users figure out that their account has been compromised?
• How do users regain control of their accounts?

Page 8: Special Report: The State of Hacked Accounts

THE RESEARCH RESULTS

Page 9: Special Report: The State of Hacked Accounts

1. Which accounts were targeted

Participants were asked which of their account(s) were compromised

Key Findings:

• Gmail, Yahoo, Hotmail & Facebook attracted 15-27% of cybercriminals' attention

Analysis:

• The value of a compromised account is in the “clean” IP address, rather than the specific domain of the address.
• From this point of view, all accounts have a similar value since they are from well-known domains.

Page 10: Special Report: The State of Hacked Accounts

1. Which accounts were targeted

“Other” includes users of AOL, Comcast and other providers

Survey Responses:

• Gmail
• Yahoo
• Hotmail
• Facebook
• Other

Page 11: Special Report: The State of Hacked Accounts

2. How was the account compromised

Participants were asked how their accounts were compromised

Key Findings:

• The majority (62%) responded that they were not sure
• 15% recalled using a public Internet terminal or public WiFi prior to the hack.
• None of the respondents believed they had been phished or had been victims of a drive-by download (by following a phony link).

Analysis:

• Many people typically engage in risky online behavior without realizing it
• It’s not always easy to figure out how an account gets compromised, and retracing steps does not always help.
• Likely many of the victims simply used easy-to-guess passwords

Page 12: Special Report: The State of Hacked Accounts

2. How was the account compromised

Survey Responses:

• I used a public computer or WiFi network (e.g.: Internet café)
• I opened a file that might have contained a virus (e.g.: an email attachment that seemed legitimate)
• I clicked on a link in an email that was phony (e.g.: an email from UPS or DHL with information about a package for you)
• I responded to a request to provide my username and password (someone “phished” your details)
• I clicked on a link I received from a friend in Facebook
• Not sure
• Other

Page 13: Special Report: The State of Hacked Accounts

3. What was done with the stolen accounts

Participants were asked what they believed was done with their accounts

Key Findings:

• 54% said the account was used to send out spam
• 12% said it was used in a “friend stuck overseas” scam (that blatantly exploits the trust element)
• 23% did not know

Analysis:

• The value of a stolen account is twofold – it provides a clean IP address, and in addition there is an element of trust that comes with a message since it is (in most cases) received from a friend or acquaintance
• Of the 23% of respondents that did not know how their compromised account had been abused, it may be assumed that these were used for a mix of spam and scams

Page 14: Special Report: The State of Hacked Accounts

3. What was done with the stolen accounts

Survey Responses:

• Used to send spam promoting a product
• Used to ask my friends to send me money since I was “stuck in a foreign country”
• Used to send a phony message/wall post on my Facebook account
• Not sure – I was just told it was compromised
• Other

Page 15: Special Report: The State of Hacked Accounts

4. How were the account owners made aware of the compromise

Participants were asked how they became aware their account had been compromised

Key Findings:

• In 54% of the cases the compromised account owners learned of the breach from their friends
• 15% received an official email
• 31% responded “I noticed it myself”

Analysis:

• No one is as good at pointing out people’s errors as their own friends (who also receive the spam and overseas scams)
• Users probably assume that Gmail, Yahoo, Hotmail and Facebook are keeping an eye out for hacks and other bad stuff
• Some users might think that they will notice strange activity in their account as soon as it happens

Page 16: Special Report: The State of Hacked Accounts

4. How were the account owners made aware of the compromise

Survey Responses:

• Friends told me after receiving a strange email or message
• Received an official email from Gmail, Yahoo, Facebook suggesting I change my password
• I noticed strange activity
• Other

Page 17: Special Report: The State of Hacked Accounts

5. What action did account owners take to recover their accounts

Participants were asked what action they took to recover their accounts

Key Findings:

• 42% solved the issue with just a password change
• 23% changed their password and ran an antivirus scan
• 23% did not do anything to remediate their account, and believed this was a one-off event

Analysis:

• The modern equivalent of “changing the locks” (i.e., changing the password) seems to be key to regaining control of an email account

Page 18: Special Report: The State of Hacked Accounts

5. What action did account owners take to recover their accounts

Some of those who responded “other” had broached the issue with their email provider.

Survey Responses:

• Changed my password
• Ran a virus check
• Both of the above
• Nothing – it happened once and seems to be OK now
• Other

Page 19: Special Report: The State of Hacked Accounts

Safety Tips to Protect Against Being Compromised

1. Use passwords that are difficult to guess – no keyboard sequences (qwerty, 1234qwer, etc.), no birthdates, no common names. Mix numbers and capital letters.

2. Use different passwords for different sites.

3. Consider using a password manager that stores all your passwords, generates new ones, and syncs them between your different PCs, laptops, and tablets. Keep your master password complex and safe.

4. Think carefully before using a public Internet terminal. If you do need to use one, remember to uncheck the “remember me” box when you log into your email or Facebook. Also – don’t forget to log out and close the browser window when you are finished.

5. Don’t open email attachments or click on links in emails you weren’t expecting. Treat all unexpected attachments as malware even if they appear to be “only” PDF, Word or Excel.

Page 20: Special Report: The State of Hacked Accounts

Safety Tips to Protect Against Being Compromised cont…

6. Don’t follow links in Facebook that accompany some hysterical or generic text such as “check this out!!!!!” or “Thought you might like this!!”. Avoid Facebook links that promise some current event “scoop” such as “Osama bin Laden death video!”.

7. To date, there is no Facebook application that allows you to see who has been viewing your page – never follow any link that promises this functionality.

8. Never respond to a request for your password – even if email looks official or urgent.

9. If your email provider offers single-use passwords (for example, as Gmail does), enable them. In the case of Gmail, you can either download an application to your mobile phone that generates a single-use password (a string of random numbers that changes every few seconds), or Google will SMS your phone with the password. In this way, if someone is determined to hack into your account, they will also need access to your mobile phone.

Page 22: Special Report: The State of Hacked Accounts

For more information contact: [email protected]

650 864 2000 (Americas) +972 9 863 6895 (International)

Web: www.commtouch.com

Blog: http://blog.commtouch.com

Copyright© 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch, Authentium, Command Antivirus and Command Anti-malware are registered trademarks, of Commtouch. U.S. Patent No. 6,330,590 is owned by Commtouch.