Or, of course, by not reusing passwords everywhere. ISPs can help by turning on some sort of brute force protection on SMTP and IMAP. They can also help by checking for completely obvious passwords (yes, by brute force cracking with a short list). Which brings us to this:
>But you also know they are accessing their email exclusively through an email client. What do you do? You can’t flag their account for a password reset, because there’s no mechanism in the email client to affect a password change.”
If only there was some way to communicate with an email customer...
At one of my jobs, we ran into this soon after launch. Attackers would loop through giant lists of leaked username / passwords using different IPs for every attempt. Blocking passwords at signup that existed in haveibeenpwned's database worked fairly well (and then later adding a required second factor).
Many password attempts for 1 username, isn't it easier to slow down attempts to authenticate the username after x tries, regardless of the IP? Just the fact that multiple IPs are being used for 1 username in a loop is enough of a red flag.
> Blocking passwords at signup that existed in haveibeenpwned's database worked fairly well
That's half a billion passwords to disallow?
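The signup check discussed in this thread does not need the half-billion-entry list on the server: the Pwned Passwords API is queried with only the first five hex characters of the password's SHA-1 hash, the server returns every suffix in that range, and the comparison happens locally. This is an added illustration, not code from any commenter; the range lookup and the breach counts in it are constructed stand-ins for the real https://api.pwnedpasswords.com/range/<prefix> response, and `pwned_count` / `signup_password_ok` are names chosen here.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_lookup(prefix: str) -> str:
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real service returns hundreds of 'SUFFIX:COUNT' lines per 5-char prefix.
    Here only two passwords are pretended to be breached; the counts are made up.
    """
    breached = {"password1": 2_413_945, "letmein": 204_533}
    lines = []
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    # pad with one obviously fake suffix (35 hex chars) so a miss still returns data
    lines.append("0" * 34 + "A:1")
    return "\r\n".join(lines)


def pwned_count(password: str, lookup=constructed_range_lookup) -> int:
    """k-anonymity check: send only the 5-char prefix, match the suffix locally.

    Returns the breach count, or 0 when the password is not in the response.
    Swap `lookup` for a real HTTP fetch of the range URL to use the live API.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def signup_password_ok(password: str, lookup=constructed_range_lookup, min_len=12) -> bool:
    """Signup policy: minimum length and never seen in a breach corpus."""
    return len(password) >= min_len and pwned_count(password, lookup) == 0


if __name__ == "__main__":
    for candidate in ("password1", "letmein", "correct horse battery staple 7"):
        print(candidate, "->", pwned_count(candidate), "breaches;",
              "accepted" if signup_password_ok(candidate) else "rejected")
```

The property worth noting is that the password itself, and even its full hash, never leaves the signup service: the remote side only ever learns a prefix shared by many hundreds of other hashes.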
Credential stuffing isn’t password bruteforcing. You don’t try half a billion passwords for one username. Instead, you try countless previously leaked username/password combinations from many ostensibly benign residential IPs. Each user account may only see one attempt. The goal isn’t to break into a specific account, but rather, to compromise as many as possible.
Nope, one attempt per username - they were using a giant list of hundreds of thousands of leaked credentials.
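The two patterns described in the comments above are distinguishable from plain failed-login records: one username hit from many IPs within a short window (the distributed brute force the earlier reply suggests throttling per username), versus one IP failing once each against many different usernames (credential stuffing, one attempt per account). The following is an added example, not code from any commenter; the log lines are constructed using documentation IP ranges, and the thresholds and the `throttle_delay` policy are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log: timestamp, username, source IP, result.
SAMPLE_LOG = """\
2021-09-01T10:00:01 alice 203.0.113.10 FAIL
2021-09-01T10:00:02 alice 198.51.100.7 FAIL
2021-09-01T10:00:03 alice 192.0.2.55 FAIL
2021-09-01T10:00:04 alice 203.0.113.99 FAIL
2021-09-01T10:00:05 alice 198.51.100.200 FAIL
2021-09-01T10:00:06 alice 192.0.2.9 FAIL
2021-09-01T10:00:07 bob 203.0.113.10 FAIL
2021-09-01T10:00:08 carol 203.0.113.10 FAIL
2021-09-01T10:00:09 dave 203.0.113.10 OK
2021-09-01T10:00:10 erin 203.0.113.10 FAIL
2021-09-01T10:00:11 frank 203.0.113.10 FAIL
2021-09-01T10:00:12 grace 203.0.113.10 FAIL
2021-09-01T10:05:00 alice 203.0.113.10 OK
"""


def parse(log: str):
    """Turn the constructed log into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def analyse(events, window=60, user_threshold=5, ip_threshold=5):
    """Sliding-window counters keyed by username and by source IP.

    Returns a set of (finding, subject) pairs:
      ("distributed_bruteforce", user): >= user_threshold failures for one
          username from >= user_threshold distinct IPs within `window` seconds.
      ("credential_stuffing", ip): one IP failing against >= ip_threshold
          distinct usernames within `window` seconds.
    """
    by_user = defaultdict(list)  # user -> [(ts, ip)] of recent failures
    by_ip = defaultdict(list)    # ip -> [(ts, user)] of recent failures
    findings = set()
    for ts, user, ip, result in events:
        if result != "FAIL":
            continue
        by_user[user] = [(t, i) for t, i in by_user[user]
                         if (ts - t).total_seconds() <= window] + [(ts, ip)]
        by_ip[ip] = [(t, u) for t, u in by_ip[ip]
                     if (ts - t).total_seconds() <= window] + [(ts, user)]
        distinct_ips = {i for _, i in by_user[user]}
        if len(by_user[user]) >= user_threshold and len(distinct_ips) >= user_threshold:
            findings.add(("distributed_bruteforce", user))
        distinct_users = {u for _, u in by_ip[ip]}
        if len(distinct_users) >= ip_threshold:
            findings.add(("credential_stuffing", ip))
    return findings


def throttle_delay(failed_attempts: int, base=1.0, cap=300.0) -> float:
    """Per-username backoff regardless of IP (assumed policy): no delay for the
    first few failures, then exponential growth capped at `cap` seconds."""
    if failed_attempts < 3:
        return 0.0
    return min(cap, base * 2 ** (failed_attempts - 3))


if __name__ == "__main__":
    for finding in sorted(analyse(parse(SAMPLE_LOG))):
        print(*finding)
```

Keying the first counter on the username rather than the IP is what makes the per-attempt IP rotation irrelevant; the second counter catches the opposite shape, where the same source never retries an account but walks through many of them.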
> That's half a billion passwords to disallow?
> If only there was some way to communicate with an email customer...
I'm not really sure what the issue here is. When the ISP knows their customers' accounts are compromised, it doesn't matter what type of client they use to check their messages; they absolutely can "flag the account for a password reset" by simply resetting the password or temporarily disabling those accounts.
This forces the customer to call into the ISP the next time they try to check their email, verify their identity to the ISP, and then set a new password.
The customer might be angry about having to take the time, but in most cases telling them "Your account was hacked and they were accessing your email messages" is enough to change their attitude from annoyed to grateful.
You don't even have to wait for them to be compromised. I worked for an ISP that updated their system to require more complex passwords. They put out notices to get as many people as possible to reset their passwords then disabled every remaining email account in batches until everyone had called in to reset their password under the new requirements.
I guess you’ve never done tech support over the phone.
It helps that these days most people have the cell network for a backup and they can still get their social media fix
In fact I have Security Keys, so, now you're trying to break AES, which you can't do.
But let's suppose you're attacking the average person whose second factor is a TOTP authenticator. Unsurprisingly Microsoft only give you a finite rate of tries at TOTP codes. And of course the correct code keeps changing meanwhile, so you can guess forever and never have better than about 1 in 100 000 chance to guess a valid code each time. How many guesses do you think you get before your client is considered vexatious and can't try any more?
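The arithmetic behind that comment is worth making concrete from the verifier's side: a 6-digit TOTP accepted with a window of one step either way gives a random guess 3 chances in 1,000,000, and the attempt budget the service allows per account is what bounds the cumulative odds. This added example (not code from the comment author or from Microsoft) implements RFC 6238 TOTP verification with such a window, a per-account attempt limiter whose numbers are an assumed policy, and the probability calculation; the secret and timestamps come from the RFC 4226/6238 test vectors.

```python
import hashlib
import hmac
import math
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step=30, window=1, digits=6) -> bool:
    """Accept the current step and `window` steps either side (clock drift).
    The comparison is constant-time; every candidate is checked so timing does
    not reveal which step matched."""
    counter = at // step
    ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            ok = True
    return ok


def guess_success_probability(attempts: int, window=1, digits=6) -> float:
    """Chance that `attempts` uniformly random guesses hit one of the
    2*window+1 codes the verifier accepts at any moment."""
    p = (2 * window + 1) / 10 ** digits
    return 1 - (1 - p) ** attempts


def attempts_for_risk(max_probability: float, window=1, digits=6) -> int:
    """Largest attempt budget keeping cumulative guess success below a target."""
    p = (2 * window + 1) / 10 ** digits
    return math.floor(math.log(1 - max_probability) / math.log(1 - p))


class TotpAttemptLimiter:
    """Per-account budget of second-factor attempts within a period.
    The numbers are an assumed policy, not any real service's."""

    def __init__(self, max_attempts: int = 10, period: int = 3600):
        self.max_attempts, self.period = max_attempts, period
        self.attempts = {}  # account -> timestamps of recent attempts

    def allow(self, account: str, at: int) -> bool:
        recent = [t for t in self.attempts.get(account, []) if at - t < self.period]
        if len(recent) >= self.max_attempts:
            self.attempts[account] = recent
            return False
        recent.append(at)
        self.attempts[account] = recent
        return True


def check_second_factor(limiter, account, secret, code, at) -> str:
    """Returns 'locked', 'bad_code' or 'ok'; the budget is consumed by every try."""
    if not limiter.allow(account, at):
        return "locked"
    return "ok" if verify_totp(secret, code, at) else "bad_code"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector seed
    print("code at t=59:", totp(secret, 59))
    print("p(success) after 10 guesses:", guess_success_probability(10))
    print("budget for 1e-3 risk:", attempts_for_risk(1e-3))
```

Widening the acceptance window for clock drift multiplies the per-guess odds, so the attempt budget and the window have to be chosen together; `attempts_for_risk` makes that trade-off explicit.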
And how do you know the attacker is one client? He can just be 1000000 clients each only trying once. And if you block them you also block the user.
Having two factors is better. But obviously neither of them should be a conventional password because passwords are crap.
You can have WebAuthn set to do usernameless authentication, with the two factors both being local. So when you visit a site with this behaviour and it wants authentication, you maybe touch your fingerprint sensor on your phone, that's one factor, having the phone is the other factor, that's two factors, the phone hands over credentials including a large identifier that's equivalent to a user ID for the site, plus its assurance that you are present (based on the fingerprint) and a signature proving it is still the same phone used to sign up for this method. No typing your email address, no passwords, much better security.
> He can just be 1000000 clients each only trying once. And if you block them you also block the user.
Yes, if you rate limit attackers you also rate limit the real user.
But as an attacker, what value am I getting from that? Maybe it's a chargeable service I can sell? It certainly doesn't help me steal gift cards.
$1000 per hour to annoy a friend by preventing them from logging into their email? Not many buyers at that price.
$100 per hour? $10 per hour? $1 per hour? Remember that to fuel this you are throwing away a botnet so that you can hammer on the login until you get blocked, and botnets aren't that cheap to buy.
Yes you can have proper security. But this is about the Microsoft solution where you don’t, where you can first guess the password and then guess the 2fa code. Which is not very smart, considering it’s not that much harder to check both at the same time and fail when either is wrong.
You can't do that. Try to imagine what this looks like:
You're at the Microsoft login screen. Microsoft needs you to present both a password and...
* WebAuthn sign-in credentials, for which it must send data to your client
* a TOTP code, from the authenticator you may or may not have
* the SMS code, which you er... wait, what SMS code, how can Microsoft send it to you if you didn't say who you are?
* the email code, which again er... Microsoft can't send this until it knows who you are
* any other technology Microsoft adds later which may require any of the above or something else.
So the effect here is this gives bad guys a free targeting feature. Just type in any email address and Microsoft will tell you which 2FA is enabled if any.
> And of course indeed it doesn’t work with methods like sms and emailing codes
So, it doesn't help at all for the good case, and it breaks the bad case worse, what was the goal again?
Either that, or you force the user to do a password reset if ever they provide the password but cannot provide the 2nd factor in the same login attempt. I think that would upset a lot of users though.
I mean if there's repeated login attempts where the password is correct but the 2FA is not that's a pretty good indication that the password may be compromised. I'd like to be notified of that.
Up until recently SMS 2FA could be broken for $10 because one VoIP provider allowed number registration on any number.
If you can filter 10,000 accounts down to 100 with known passwords, now you just have to bypass 2FA on 100 accounts.
It used to be this didn't have any real backend checks, so you could effectively steal someone's number, at least temporarily.
EDIT: yea it's not 'registering' the number but rather rerouting a copy of all messages to another number.
Possible without if they're only checking during password reset or account creation.
What's interesting is that they logged into my webmail to create rules to forward all mail from Delta to trash so that I wouldn't see any of the notifications.
If email isn't your only method of contacting your customer... then sending an email to an address controlled by a hacker isn't your only option.
That's obviously false. The context of this very discussion is that more than one person is able to log into an account for many email accounts.
In terms of notifying them, I think an email would be appropriate, although straight up saying that the customer's account has been compromised might not be the best idea because the hacker could update their software to look for that. It might be better to send an email about some billing issue, and when the customer calls then explain to them that their account has been compromised.
I often wonder why Gmail 'Suspicious login' emails aren't like this.
The user could also get the email on their device if the hacker doesn't delete it quickly, which is a possibility given the low and slow nature of this scheme.
If we read between the lines, it appears that someone sitting at a fairly large Internet choke point is grepping the flow of mail traffic for keywords (for lack of better terms since it's not literally grep).
Presumably someone placed highly enough that they can do such analysis without management oversight?
Or are there compliance and security reasons to "grep" IMAP traffic for certain things and he just added some other keywords?
Where, in 2021, would a network admin own this much traffic and have this little oversight?
EDIT: ... and now that I think about it, wouldn't this be fairly easy to suss out? The source states:
"So I’m seeing this traffic to just like 10 net blocks tied to Microsoft, which means I’m only looking at maybe 25 percent of Microsoft’s infrastructure,"
I have neither the time nor the inclination but if there is an ISP out there that is routing 25% of MS mail infrastructure, all I have to do is look at mail routes to MS for a few days and run some traceroutes and I could probably make some guesses as to which network "Bill" works for ...
To me, it sounds more like Bill broke into (some of) the "proxy network" (likely bots on home computers?) used by the attackers, and is spying on them.
Essentially, it's an automated service to find all of the places where programs give you free stuff for little or no work, and then their system just watches your email and does it for you, splitting the final values in some fashion.
Despite the extreme security issues around it, I could see many people signing up for this.
edit: Although I see it's discontinued now... news to me
Marv: Harry, it's our calling card!
Harry: Calling card.
Marv: All the great ones leave their mark. We're the wet bandits!
What they're doing is terrible, but I felt a bit of respect for how clever this is.
Gmail is pretty secure, I seriously doubt you can log in to someone's account using just their password if you don't have their usual IP, Geo location, User Agent etc.
EDIT looks like maybe I'm wrong: “It’s just more difficult to get through the Web interface because on a website you have a plethora of advanced authentication controls at your fingertips, including things like device fingerprinting, scanning for http header anomalies, and so on,” Bill said. “But what are the detection signatures you have available for detecting malicious logins via IMAP?”
1. RFC 7628 OAUTHBEARER. Basically your IMAP client has to have a way to obtain OAUTH tokens (e.g. spawn a web browser window first time you log in, that authenticates because it's a web browser, then get it to give you an OAUTH token) and it binds that token to your IMAP login as proof of who you are. Google also supports a non-standard older way to do this. Cheesy "my first IMAP implementation" code can't do this, but several Free Software mail clients do.
2. User goes into Google's security settings, says they agree to suffer worse security, gets "app password" minted by Google, fills that into the IMAP client. They can't use their "real" password which is presumably "password1" so the Pwned list doesn't work on this but it's not great.
But if you never set up any 2FA then it really wouldn't matter. Google's answer for their own employees was just to issue them FIDO Security Keys and mandate 2FA, and that's certainly what I'd endorse if you have money and want security, but their medium term plan is to enforce 2FA setup for users who seem to own e.g. a smartphone.
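The first option in the comment above, RFC 7628 OAUTHBEARER, changes what travels over IMAP: instead of a reusable password, the client sends a base64-encoded blob containing a GS2 header, the target host and port, and a bearer token, and the server binds that token to the claimed user. Below is an added example (not code from the comment author, Google, or any mail client) that builds the initial client response for both OAUTHBEARER and Google's older XOAUTH2 form, and then parses and validates it as a server would. The token store, user, host and token values are constructed; the framing follows the RFCs and Google's published XOAUTH2 format.

```python
import base64

KVSEP = "\x01"  # RFC 7628 key/value separator (Ctrl-A)


def oauthbearer_initial_response(user: str, host: str, port: int, token: str) -> str:
    """Client side: RFC 7628 section 3.1 initial response, base64-encoded as it
    would follow 'AUTHENTICATE OAUTHBEARER'. 'n,' = no channel binding."""
    msg = (f"n,a={user}," + KVSEP + f"host={host}" + KVSEP + f"port={port}"
           + KVSEP + f"auth=Bearer {token}" + KVSEP + KVSEP)
    return base64.b64encode(msg.encode("utf-8")).decode("ascii")


def xoauth2_initial_response(user: str, token: str) -> str:
    """Google's older non-standard XOAUTH2 framing: user=...^Aauth=Bearer ...^A^A"""
    msg = f"user={user}{KVSEP}auth=Bearer {token}{KVSEP}{KVSEP}"
    return base64.b64encode(msg.encode("utf-8")).decode("ascii")


def imap_authenticate_line(tag: str, initial_response_b64: str) -> str:
    """The IMAP command line the client actually sends (RFC 4959 initial response)."""
    return f"{tag} AUTHENTICATE OAUTHBEARER {initial_response_b64}\r\n"


def parse_oauthbearer(b64: str) -> dict:
    """Server side: strict decode of the OAUTHBEARER client response.
    Raises ValueError on any framing defect rather than guessing."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    parts = raw.split(KVSEP)
    if len(parts) < 3 or parts[-1] != "" or parts[-2] != "":
        raise ValueError("missing terminating kvsep pair")
    gs2 = parts[0]
    if not gs2.startswith("n,") or not gs2.endswith(","):
        raise ValueError("unsupported or malformed gs2 header")
    authzid = gs2[2:-1]
    user = authzid[2:] if authzid.startswith("a=") else None
    kv = {}
    for item in parts[1:-2]:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed key/value: {item!r}")
        kv[key] = value
    if not kv.get("auth", "").startswith("Bearer "):
        raise ValueError("no bearer token")
    return {"user": user, "host": kv.get("host"), "port": kv.get("port"),
            "token": kv["auth"][len("Bearer "):]}


# Constructed stand-in for the authorization server's token table.
CONSTRUCTED_TOKENS = {
    "tok-alice-1": {"sub": "alice@example.com", "exp": 1_700_000_000, "scope": "mail"},
    "tok-alice-old": {"sub": "alice@example.com", "exp": 1_500_000_000, "scope": "mail"},
}


def server_authenticate(b64: str, now: int, tokens=CONSTRUCTED_TOKENS):
    """Parse the response, then check the token is live, scoped for mail, and was
    issued to the user the client claims to be. Returns the user or None."""
    try:
        req = parse_oauthbearer(b64)
    except (ValueError, UnicodeDecodeError):
        return None
    info = tokens.get(req["token"])
    if info is None or info["exp"] <= now or "mail" not in info["scope"]:
        return None
    if req["user"] is not None and req["user"] != info["sub"]:
        return None  # token belongs to someone else: refuse
    return info["sub"]


if __name__ == "__main__":
    blob = oauthbearer_initial_response("alice@example.com", "imap.example.com", 993, "tok-alice-1")
    print(imap_authenticate_line("A01", blob).strip())
    print("authenticated as:", server_authenticate(blob, now=1_600_000_000))
```

The defensive point is the last check in `server_authenticate`: a token that is valid but was issued to a different subject than the authorization identity in the GS2 header is rejected, and an expired token is useless on its own, which is the property a static IMAP password never had.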
Every time I buy a new device and port my account, I get spam from Google saying, "Your new iPad isn't set up yet without the Gmail app! Get the Gmail app now or you won't be super duper cool!"
The big downside isn't really that people might lose their gift cards but that other horrible things could happen at scale 'cause who knows who the Gift Card Gang are really.
And the thing is here that the state, the broader authorities, are the only ones who have some incentive to act now about this. If it affected me, I'd shrug, I have no incentive. And the story everywhere with this is the state has become as short-term-ist as everyone else. And, what problems could possibly arise from that?? (posts and then checks outside for fire, poison gas and deadly disease).
The idea of the gang and the spammer going on about who should drop their pants first ("Please send us the gift card" – "No you send me your bank account information first") makes me chuckle.
This happened to my real estate agent. I got an email from her saying "I really need to get a (Google play gift card) for a friend who is a cancer patient.". That seemed super phishy, so I texted her, and she said her email was taken over.
This was a verizon.net account that was migrated to AOL. The hacker had reset her email password and created a hotmail account in her name, and was forwarding all incoming mail to the account he controlled. She regained control of the account, but he still had an active session and was still sending out phishing emails. I tried to help her, but I could not find any way to have AOL sign out all active sessions.
If someone had copied your door key, and was breaking into your house each week to look for food, then you probably would want the police to change the lock. Or at least let you know you need to.
This just strikes me as a regulatory issue - we have to be able to trust our online services. As such, the level of security needs to be upped by fiat. It's not a popular idea but a FIDO key for everyone in US / Europe would be within the bounds of feasible in next 10 years. Hell just SMS 2FA would massively cut back on this.
No I don't want the cops to change my locks either - but imagine you lived in an apartment building whose rules prevented, say, adding a second lock. Even if you changed your lock, you could not give yourself the comfort of two-factor doors.
If there were tens of thousands of such apartments being burgled each day I would be surprised if the answer was not requiring landlords to raise their security standards.
Ultimately it frustrates me to find (yet another) area that criminal activity trivially siphons off cash to the extent we may as well call it a subsidy.
Whether they locked one if they found it unlocked, I do not know.
There are things people are personally responsible for.
Twenty police dig up and de-weed the allotment the next day, and everyone laughs.
Dishes not done of course :-)
I don't follow how this scam can be profitable. Are they reselling the gift card? I did not find that mentioned in the article.
Additionally, a quick google search for "sell gift cards online" reveals many sites that offer the ability to sell your gift cards. One example: https://www.cardcash.com/sell-gift-cards/
Why go after hotel or airline rewards? Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.
“These guys want that hard digital asset — the cash that is sitting there in your inbox,” Bill said. “You literally just pull cash out of peoples’ inboxes, and then you have all these secondary markets where you can sell this stuff.”
Outside of that, there's a huge grey market for "discounted" gift cards. That's probably where most of these are going.
And then even when they do pay you they could always tell paypal that the code didn't work.
The first scam email was Hey. Catching up. Follow up email was I'm in a bind tonight. Unexpected bad thing happened. Can you order this gift card and send it to my relative for me?
The initial phish was a bogus AOL email saying there's a system change coming up and the customer needs to log in and apply the change to their email account.
I now have 2FA from Comcast, but I get hacking emails daily. I don't care about the emails. They keep me up to date on the latest scam.
This email is not attached to anything important besides my doctor.
Is there something a Russian hacker could do with my email address? I said Russian because they told me they were Russian. 15 years ago I responded to a friendship ad on CL, and that's how I got on the sucker list.
Banks, hotels & a few airlines let you convert points to gift cards but the conversion rate for miles in particular is trash (less than $0.01 / mile).
Using them for an international business / first class flight can easily pass $0.05 and often $0.10 or $0.20 per mile, but this makes it easy for the airline to cancel & return the miles unless someone is flying same-day.