On 2021-11-17 at 03:10:13 UTC-0500 (Wed, 17 Nov 2021 09:10:13 +0100)
Hans-Martin Mosner via mailop <h...@heeg.de>
is rumored to have said:
Hi folks,
I'm trying to understand the root causes and vulnerabilities that lead
to hacked mailboxes. Currently, we can handle dynamic IP ranges pretty
well, and we have an extensive list of network ranges whose owner are
spammers or knowingly accept spammers as customers.
So what mainly remains as spam sources are hacked servers/websites,
hacked mail accounts, and freemail accounts registered with the
purpose of spamming (I'm looking at you, Google).
Here I want to focus on hacked mail accounts. I can think of two major
root causes but I have no idea about their relative significance:
* Easily guessable passwords, with two subcauses for exploits:
o Brute force authentication attempts - I'm seeing them
regularly, and the most egregious networks (e.g.
5.188.206.0/24) are fully blocked at our mailserver, but some
mailops are less struct about blocking such abusers.
o Hashed password data exfiltration and cracking (for example
using JtR) these lists - this would work better with
weaker password hashing, but with weak passwords and some CPU
power it is probably possible even for strong hash
algorithms.
Who needs to bother with brute force "cracking" when so many passwords
are just out there for the taking? Many breaches of user data, even in
recent years, have included unhashed passwords. Based on my own informal
observations of multiple systems (some production, some more amenable to
careful instrumentation...) the constant stream of auth attempts is
mostly using username+password combinations that work *somewhere* or
that at least have worked at some point in the past. Phishing is also a
significant path of compromise, sometimes with very well-crafted phish
messages.
* Malware on client machines where passwords are either stored in a
password vault, or entered manually.
Theoretically possible. I know this was common in the past, but I don't
think it's currently a major activity. Of the users I've dealt with who
have had compromises, 0.00% have used a password manager and >90% reused
passwords and/or had pathologically weak passwords.
My gut feeling is that some organizations are especially prone to
hacked mail accounts. We're seeing lots of south american government
agency users, and many accounts at educational institutions. The
latter are often hosted using Microsoft O365 services, and I highly
suspect that weak passwords for all the freshly created student
accounts may be a major cause, although exfiltrated password data may
be a possibility, too.
Big and broadly trusted entities are attractive targets, especially if
they do some sort of federated authentication. No one is putting effort
into making a credible phish for a site with 20 users. In the case of
MS365 & Google, they attract a huge flow of phishes and
credential-stuffing of all the passwords that attackers find by other
means.
So does anyone have pointers to studies analyzing these (and probably
more) causes of exploited mail accounts?
No, but I also would be interested in something more rigorous than my
hunches and chance observations.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
