A new trend has emerged in the sending of spam and malware. Spammers have significantly increased their use of compromised accounts (accounts whose credentials have been stolen or hacked) to send spam and malicious emails.
Having observed greater use of compromised accounts, Commtouch undertook primary research into the use of these accounts for sending spam. The research included the surveying of people whose accounts had been compromised.
This presentation is a condensed overview of the research report. It also includes tips for end users on how to prevent their accounts from being hacked or compromised.
2. About this Report:
The following is a condensed overview of end-user
research compiled by Commtouch to explore issues
related to the theft, usage and recovery of compromised
accounts. This document also includes tips for end users
on how to prevent their accounts from being hacked or
compromised.
The complete report can be downloaded at
http://www.commtouch.com/hacked-accounts-report-Oct2011
3. Background
Spammers are using compromised accounts (accounts
whose credentials have been stolen or hacked) to send spam
and malicious emails.
4. Background
Increased use of compromised Gmail & Hotmail
accounts in Q2 & Q3 2011
• Hotmail: 28-35% of the spam carrying Hotmail sender addresses
actually comes from compromised or spammer-created Hotmail
accounts (the remainder is sent by zombies forging Hotmail addresses)
• Gmail: mostly (96-97%) from botnet zombies that simply forge
Gmail addresses, so only a few percent comes from real Gmail accounts
• Q3 2011 saw growth in the use of compromised Hotmail & Gmail
accounts over Q2
Source: Commtouch
5. Introduction
Why the move by spammers to
Compromised Accounts
1. Antispam solutions are becoming better at blocking
botnets (IP reputation alone can typically block 85-95% of spam).
2. Spam from compromised accounts is much harder to block:
it leaves through the provider's own outbound servers, whose IP
ranges (such as Hotmail's or Gmail's) are effectively whitelisted,
so an IP-based filter cannot reject it without also rejecting all of
that provider's legitimate mail.
3. Spammers could register their own accounts for sending spam,
but email providers do their best to detect and block such bulk
sign-ups, which makes already-existing, hijacked accounts more
attractive.
4. Recipients are often more trusting of emails coming from a
known source.
6. Introduction cont…
There are some drawbacks for spammers using
compromised accounts
• A compromised account can only be used for relatively small
spam runs of a few hundred or a few thousand messages before
the provider detects the abuse and locks the account
• The accounts need to be compromised (hacked or stolen)
before they can be used.
The result
• The new spammer tactic of using compromised accounts
generates smaller volumes of spam, but with better delivery
rates.
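The two points above (IP reputation stops botnet spam but not mail from a hijacked account sitting behind a provider's trusted IPs, and a hijacked account therefore gives itself away only by its sending burst) are illustrated in the following added Python example. It is not Commtouch's code and not part of the report; the log format, the botnet blocklist, the 203.0.113.0/24 "provider" range, the 10-minute window and the 50-recipient threshold are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed reputation data for this example only (not a real blocklist).
BOTNET_BLOCKLIST = {"198.51.100.7", "198.51.100.42"}
# Assumption: the outbound range of a big webmail provider. Receivers cannot
# block it without losing all of that provider's legitimate mail, which is
# exactly why a hijacked account sending from here gets through.
WEBMAIL_PROVIDER_RANGES = [ip_network("203.0.113.0/24")]


def ip_reputation(ip: str) -> str:
    """Classify a connecting IP as 'block', 'trusted' or 'neutral'."""
    if ip in BOTNET_BLOCKLIST:
        return "block"
    addr = ip_address(ip)
    if any(addr in net for net in WEBMAIL_PROVIDER_RANGES):
        return "trusted"
    return "neutral"


def parse_log(text: str):
    """Parse constructed lines of the form '<iso-timestamp> <account> <ip> <recipients>'."""
    entries = []
    for line in text.strip().splitlines():
        ts, account, ip, rcpts = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "ip": ip, "rcpts": int(rcpts)})
    return entries


def flag_compromised(entries, window=timedelta(minutes=10), max_rcpts=50):
    """Return {account: recipients} for accounts whose recipient count inside
    any sliding `window` exceeds `max_rcpts`.

    The IP check above cannot catch these, so the signal is the burst: a few
    hundred recipients within minutes from an account that normally sends to
    one or two people at a time. Connections rejected by IP reputation are not
    counted, since they never reached the account layer.
    """
    by_account = defaultdict(list)
    for e in entries:
        if ip_reputation(e["ip"]) != "block":
            by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["rcpts"]
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rcpts"]
                start += 1
            if total > max_rcpts:
                flagged[account] = total   # recipients seen when the threshold tripped
                break
    return flagged


def triage(log_text: str):
    """Run both checks; returns (IPs blocked by reputation, accounts flagged by rate)."""
    entries = parse_log(log_text)
    blocked = sorted({e["ip"] for e in entries if ip_reputation(e["ip"]) == "block"})
    return blocked, flag_compromised(entries)


# Constructed outbound log: normal traffic, one botnet zombie forging an address
# (stopped by IP reputation), and alice's account after it has been hijacked.
SAMPLE_LOG = "\n".join(
    ["2011-10-03T09:00:00 alice@example.com 203.0.113.10 1",
     "2011-10-03T09:05:00 alice@example.com 203.0.113.10 2",
     "2011-10-03T09:06:00 bob@example.com 203.0.113.11 1",
     "2011-10-03T09:40:00 bob@example.com 203.0.113.11 3",
     "2011-10-03T09:41:00 forged@example.com 198.51.100.7 500"]
    # 12 messages, 25 recipients each, inside twelve minutes: the spam run
    + [f"2011-10-03T11:{30 + i:02d}:00 alice@example.com 203.0.113.10 25"
       for i in range(12)]
)

if __name__ == "__main__":
    blocked, flagged = triage(SAMPLE_LOG)
    print("blocked by IP reputation:", blocked)     # ['198.51.100.7']
    print("flagged by sending burst:", flagged)     # {'alice@example.com': 75}
```

The zombie's 500-recipient message never counts against anyone because the connection is refused on IP reputation alone; alice's mail is "trusted" at the IP level and is caught only when the third burst message pushes her ten-minute recipient total past the threshold. A real provider would add more signals (recipient churn, content, geography of the login), but the split between an IP-level and an account-level check is the point the slides make.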
7. Goal of the Research
The research set out to understand the
following…
• What accounts are targeted?
• How are accounts compromised?
• Are compromised accounts used for other
purposes besides spam and scams?
• How do users figure out that their account has
been compromised?
• How do users regain control of their accounts?
9. 1. Which accounts were targeted
Participants were asked which of their account(s)
were compromised
Key Findings:
• Gmail, Yahoo, Hotmail & Facebook each accounted for 15-27% of
the compromised accounts reported
Analysis:
• The value of a compromised account is in the “clean” IP
address, rather than the specific domain of the address.
• From this point of view, all accounts have a similar value
since they are from well-known domains.
10. 1. Which accounts were targeted
Survey Responses:
• Gmail
• Yahoo
• Hotmail
• Facebook
• Other
“Other” includes users of AOL, Comcast
and other providers
11. 2. How was the account compromised
Participants were asked how their accounts were
compromised
Key Findings:
• A majority (62%) responded that they were not sure
• 15% recalled using a public Internet terminal or public WiFi prior
to the hack
• None of the respondents believed they had been phished or had
been victims of a drive-by download (by following a phony link)
Analysis:
• Many people routinely engage in risky online behavior without
realizing it
• It is not always easy to figure out how an account was
compromised, and retracing one's steps does not always help
• Likely many victims simply used easy-to-guess passwords
12. 2. How was the account compromised
Survey Responses:
• I used a public computer or WiFi network (e.g.: Internet café)
• I opened a file that might have contained a virus (e.g.: an email attachment that seemed legitimate)
• I clicked on a link in an email that was phony (e.g.: an email from UPS or DHL with information about a package for you)
• I responded to a request to provide my username and password (someone “phished” your details)
• I clicked on a link I received from a friend in Facebook
• Not sure
• Other
13. 3. What was done with the
stolen accounts
Participants were asked what they believed was
done with their accounts
Key Findings:
• 54% said the account was used to send out spam
• 12% said it was used in a “friend stuck overseas” scam (which
blatantly exploits the trust element)
• 23% did not know
Analysis:
• The value of a stolen account is twofold: it provides a clean IP
address, and in addition there is an element of trust that comes
with a message since it is (in most cases) received from a friend or
acquaintance
• For the 23% of respondents who did not know how their
compromised account had been abused, it may be assumed that
the accounts were used for a mix of spam and scams
14. 3. What was done with the
stolen accounts
Survey Responses:
• Used to send spam promoting a product
• Used to ask my friends to send me money since I was “stuck in a foreign country”
• Used to send a phony message/wall post on my Facebook account
• Not sure – I was just told it was compromised
• Other
15. 4. How were the account owners made
aware of the compromise
Participants were asked how they became aware
their account had been compromised
Key Findings:
• In 54% of the cases the compromised account owners learned of
the breach from their friends
• 15% received an official email from the provider
• 31% responded “I noticed it myself”
Analysis:
• No one is as good at pointing out people's errors as their own
friends (who are also the ones receiving the spam and overseas scams)
• Users probably assume that Gmail, Yahoo, Hotmail and
Facebook are keeping an eye out for hacks and other bad stuff
• Some users might think that they will notice strange activity in
their account as soon as it happens
16. 4. How were the account owners made
aware of the compromise
Survey Responses:
• Friends told me after receiving a strange email or message
• Received an official email from Gmail, Yahoo, Facebook suggesting I change my password
• I noticed strange activity
• Other
17. 5. What action did account owners take
to recover their accounts
Participants were asked what action they took to
recover their accounts
Key Findings:
• 42% solved the issue with just a password change
• 23% changed their password and ran an antivirus scan
• 23% did nothing to remediate their account, believing it was a
one-off event
Analysis:
• The modern equivalent of “changing the locks” (i.e.,
changing the password) seems to be the key to regaining control of
an email account
18. 5. What action did account owners take
to recover their accounts
Survey Responses:
• Changed my password
• Ran a virus check
• Both of the above
• Nothing – it happened once and seems to be OK now
• Other
Some of those who responded “Other” had raised
the issue with their email provider.
19. Safety Tips to Protect Against
Being Compromised
1. Use passwords that are difficult to guess: no keyboard sequences
(qwerty, 1234qwer, etc.), no birthdates, no common names. Mix in
numbers and capital letters.
2. Use different passwords for different sites.
3. Consider using a password manager that stores all your passwords,
generates new ones, and syncs them between your different PCs,
laptops, and tablets. Keep your master password complex and safe.
4. Think carefully before using a public Internet terminal. If you do need to
use one, remember to uncheck the “remember me” box when you log
into your email or Facebook. Also, don't forget to log out and close the
browser window when you are finished.
5. Don't open email attachments or click on links in emails you weren't
expecting. Treat all unexpected attachments as malware even if they
appear to be “only” PDF, Word or Excel files.
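An added example (not from the report) of how tip 1 can be enforced mechanically rather than left to the user's judgement: a small Python checker that looks for keyboard-row sequences typed in either direction, embedded dates, a handful of common first names, and the number/capital mix. The name list, the date formats and the 12-character minimum are assumptions of this example, not numbers the report gives.

```python
import re
from datetime import datetime

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Constructed, deliberately tiny list; a real deployment would use a large one.
COMMON_NAMES = {"john", "michael", "sarah", "david", "jennifer", "maria"}
MIN_LENGTH = 12  # assumption of this example; the report gives no number


def keyboard_sequences(pw: str, min_len: int = 4):
    """Maximal runs of at least `min_len` adjacent keys from one keyboard row,
    typed forwards or backwards, e.g. 'qwerty', '1234', 'poiu'."""
    low = pw.lower()
    hits = set()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                for j in range(i + min_len, len(seq) + 1):
                    if seq[i:j] in low:
                        hits.add(seq[i:j])
    # drop runs that are contained in a longer run
    return sorted(h for h in hits if not any(h != o and h in o for o in hits))


def embedded_dates(pw: str):
    """Digit runs that read as a birthdate: YYYYMMDD, DDMMYYYY, MMDDYYYY,
    or a bare four-digit year between 1900 and 2029 (assumed range)."""
    found = set()
    for run in re.findall(r"\d{4,8}", pw):
        if len(run) == 4 and 1900 <= int(run) <= 2029:
            found.add(run)
            continue
        for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y"):
            try:
                datetime.strptime(run, fmt)
                found.add(run)
                break
            except ValueError:
                pass
    return sorted(found)


def check_password(pw: str):
    """Return the list of tip-1 violations; an empty list means the password passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    seqs = keyboard_sequences(pw)
    if seqs:
        findings.append("keyboard sequence: " + ", ".join(seqs))
    dates = embedded_dates(pw)
    if dates:
        findings.append("looks like a date: " + ", ".join(dates))
    names = sorted(n for n in COMMON_NAMES if n in pw.lower())
    if names:
        findings.append("contains common name: " + ", ".join(names))
    if not (any(c.isdigit() for c in pw) and any(c.isupper() for c in pw)):
        findings.append("mix in numbers and capital letters")
    return findings


if __name__ == "__main__":
    for candidate in ("qwerty", "1234qwer", "Sarah19850612", "Rk7#vLp2!mQz9wX"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The two examples from the slide, "qwerty" and "1234qwer", are both rejected as keyboard sequences; "Sarah19850612" passes the length and character-mix rules but is still rejected because it is a name plus a birthdate, which is exactly the kind of password the friends-and-family attacker guesses first.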
20. Safety Tips to Protect Against
Being Compromised cont…
6. Don't follow links in Facebook that come with hysterical or
generic text such as “check this out!!!!!” or “Thought you might like
this!!”. Avoid Facebook links that promise some current event “scoop”
such as “Osama bin Laden death video!”.
7. To date, there is no Facebook application that lets you see who has
been viewing your page; never follow any link that promises this
functionality.
8. Never respond to a request for your password, even if the email looks
official or urgent.
9. If your email provider offers single-use (one-time) passwords, as Gmail
does with its 2-step verification, turn it on. In the case of Gmail, you can
either install an application on your mobile phone that generates a
single-use password (a string of digits that changes every 30 seconds), or
Google will SMS your phone with the password. That way, someone
determined to break into your account would also need access to
your mobile phone, not just your password.
21. Download the complete
SPECIAL REPORT:
The State of Hacked Accounts
at
http://www.commtouch.com/hacked-accounts-report-Oct2011