Can Hackers Really Crack Yahoo/Hotmail/IM Passwords? By Arvind Clemente
"Can hackers really crack Yahoo/Hotmail or other IM passwords?" is a question asked by many people who use these services for sending and receiving email. I have been asked on numerous occasions by people who want to recover Hotmail, Yahoo and other IM passwords. I do not do this type of work. Many of these people claim that they have lost their passwords because they have been hacked and now need to get their password back. I have spent a considerable amount of time searching the web, newsgroups and other underground sites for this type of information, and I have found very little real information about the actual techniques that could be used to hack these services.

So I have decided to put together a detailed explanation of how hackers could get access to your Hotmail, Yahoo and other IM passwords. What follows is a detailed explanation of the methodologies involved and how to safeguard yourself. I do not condone any illegal activity; this article is a way of educating the common man about who could have hacked their Hotmail, Yahoo and IM passwords, and how.

Locally Stored Passwords:

Most web browsers, including Internet Explorer, Netscape and Opera, as well as Windows Dial-Up Connections, give you the option to store passwords on your local machine so that you do not need to enter the password each time you use the service. These passwords are stored on the local machine and, depending upon where and how they are stored, there is usually a method of recovering them. Storing any password locally is insecure and may allow the password to be recovered by anyone who has access to the local machine. Software does exist that can recover most locally stored passwords. One such program is Revelation which, once installed, shows you the hidden password the moment you move the cursor over the masked password.
To prevent unauthorized disclosure of such information, make sure you do not save the password on your local machine. Another way is to keep unknown persons away from your computer; this can be done by setting a password in the computer BIOS so that it asks for a password every time your system is restarted.

Trojan:

A Trojan is a program sent to a user that allows an attacker to control functions of the target computer, recover information from the target, or delete or damage files on the target. The name Trojan is given because the program will usually come attached to some other program or file that entices you to run it. There is a wide variety of Trojans, any number of which can be programmed to capture passwords as they are typed and to email or transmit them to a third party.

To protect yourself against Trojans, you should never execute or download software or files that are not from a trusted source. It is critical that anyone working on the internet use a virus protection program, commonly known as antivirus software (which should catch most Trojans). Also make sure that you update your virus definition files regularly and in a timely manner.

Note that since a Trojan requires the password to be typed or stored in order to be recovered, this is not an effective way to recover your own password. It could explain, however, how someone could lose their password to a hacker. Sending someone a Trojan program is certainly illegal. A Trojan is unlikely to be effective in recovering a particular account password since it requires the target to install it. However, hackers will often bulk mail Trojans to thousands of people in the hope that a small percentage will get caught.

Keylogger:

A keylogger is a program that records all keyboard keystrokes to an encrypted file which can then be read later. Based on the order of the keystrokes, it is usually easy to identify the password(s) from the file later.
Like the Trojan, this also requires that someone actually type the password. A keylogger can be installed on a system by sending it as an attachment and enticing the user to run it. Again, antivirus software is required to protect against these. Most antivirus software recognizes when a keylogger starts recording keystrokes.

Hoax:

Let's dispose of one technique that is absolutely a hoax. If you see a newsgroup post or web page with something like the following, it is a hoax.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

There is a simple way to get someone's hotmail or yahoo passwords. It involves tricking the server to change a person's password to your own. What happens is, when you change your password, you will have to go through a process of typing in your current password, and then type in the new password twice in order to confirm it. However, there are ways of tricking the system. When you do this, the information gets sent to the server. From there, it is stored in the ISP's main computer memory. All this is done with an automatic system. There are currently 2 hackable ISPs that I have discovered: Hotmail, and Yahoo. To trick the server into thinking that you have changed the password, follow these steps.

FOR HOTMAIL:

1. From your hotmail account, send an email to [EMAIL PROTECTED]
2. In the "Subject:" Type in exactly (without the quotes): "Password change confirmation"
3. Body of the email: In the top first line, type (without quotes): "Line=0020001b" then press the enter key 4 times.
4. Type these in exactly on the 5th line of the letter (replace the things in brackets accordingly): [your email]<F000000001&a[the email of the person you want to hack]<009cfd=[your password of the account you are using]//confirm%rf#$

Send the email and wait 24 hours. If he or she hasn't logged in to that account during those 24 hours, you should be able to get into that person's hotmail account using your own password.
If he or she did, you should receive an error message from the server. If this happens, just try again and hope they don't log in for 24 hours.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This is just a scam to steal your password and may explain some of the calls I get from people saying they were hacked. Never give your password to anyone. No legitimate web service or customer service representative will ask for it or need it. There is no magic email address or series of commands that will reveal the passwords of users.

Impersonation:

It is possible to impersonate a program on a computer by launching windows that look like something else. For instance, let's say you log in to the Yahoo service. It would be possible for a website to pop up some windows that look like something else. They could look almost identical to windows that an inexperienced user might expect from his local computer. The user could be fooled into submitting information to the hostile website.

For example, when a user types the URL http://login.yahoo.com, he is redirected to a fake Yahoo site which looks almost identical to the real one. The user then enters his username and password to access his email account; at that point the fake site redirects him to the real yahoo.com site, which again asks for his username and password. The user simply assumes that his username and password were entered incorrectly and that this is why he could not get access the first time. But in the background the fake site has already captured the username and password. If such windows or sites can trick you into entering your password, then you could end up sending your password to the attacker.

To protect yourself against this type of attack, make sure you configure your browser for high security and enable warnings for any code that is executed on your system.
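A complementary check for the fake-login-page scenario above is to look at the address you are about to type a password into. The following is an added example, not part of the original article: the function name, the trusted-domain list and the sample URLs are assumptions made up for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: the only domain the user expects to log in to.
TRUSTED_DOMAINS = {"yahoo.com"}


def is_ip_literal(host):
    """True if the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_login_url(url, trusted=TRUSTED_DOMAINS):
    """Return a list of reasons not to type a password into this URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # Everything before '@' is user info, not the site name.
        findings.append("userinfo-in-url")
    if is_ip_literal(host):
        findings.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    # The host must BE a trusted domain or end with '.<trusted domain>'.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        findings.append("untrusted-host")
    return findings


# Constructed sample URLs (reserved example domains and a TEST-NET address).
SAMPLES = [
    "https://login.yahoo.com/",
    "http://login.yahoo.com/",
    "https://login.yahoo.com.example.net/signin",
    "https://login.yahoo.com@203.0.113.7/",
    "https://xn--yaho-example.example.com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", check_login_url(u) or "ok")
```

An empty list means none of these warning signs were found; it does not prove the page is genuine.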
Sniffing:

If two people do not share the same computer, but do share the same network, it may be possible for one to sniff the other's packets as they sign on. The traffic between your computer and the internet site you are accessing may be able to be recorded and decrypted or "played back." This is not a simple attack to execute, but it is possible if two people are close to one another and share a hub.

Brute Force Attack:

Many people want to find software to perform a brute-force attack. This is really impractical. It would take hundreds of thousands of years to attempt any kind of reasonable brute-force attack on Yahoo or Hotmail, and this would expand exponentially if the password is longer than the minimum length. Using multiple computers or multiple sessions could reduce this to merely thousands of years. But even then one would need fast internet access and 24x7 connectivity. Moreover, if Yahoo and Hotmail have security measures enabled, the account could be locked out after 4-5 wrong password entries.

Social Engineering:

Social engineering is the name given to the art of tricking a person. The basic principle is that many people can be talked into giving someone else their ID and password if they think it is someone that they can trust. For instance, I might call someone and say I was from Yahoo India and that I was finally getting around to responding to their technical support question. I would then ask them to describe the problem that they are having and tell them that we have a solution. However, I just need to verify the account: "Can you give me the username and password again?" A surprising number of people would fall for this obvious scam. There is no limit as to how elaborate this can be. The more information that is given by the caller, the more realistic or believable the call is. Again, never give your password to anyone. No legitimate customer service representative will ask for this information.
Genuine users who have lost their password, or whose account was hacked using one of the techniques above, can recover it using the secret question that they submitted when they opened their account. For people who do not remember their secret question, the only option is to contact Yahoo, Hotmail or the other IM provider, prove to them that you are really the person who owns that account, and get it reactivated. For people who do not want to use these methods, the only alternative is to open a new account.

------------------------------------------------------------------------

Arvind Clemente is currently working for ControlNet India Pvt Ltd and is into Internet security and computer forensics. He has a passion for GNU/Linux and can be contacted at arvind <at> controlnet.co.in
