Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Francois Petillon via mailop
On 11/17/21 9:12 PM, Jarland Donnell via mailop wrote:
> If you can get the passwords that are going around in these database dumps and
> compare them to email accounts in your system, test those passwords against
> their email accounts using automation, and then force a password change if it
> matches,

I have been there, done that and got plenty of passwords changed by the 
attackers...

But if you really want to go the extra mile, with such a list, what you may do is
block your users from re-using their compromised passwords even with small
transformations. I am using the Levenshtein algorithm (slightly modified) and
allow new passwords only if the distance from any compromised password is
"sufficient".

> you are not only going to stop a ton of compromises you're probably
> going to get a raise.

It didn't work...

François
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
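An added example of the distance check François describes, not his code: it rejects a candidate password that sits within a few edits of any entry on the account's compromised-password list. He does not say what his "slight modification" is, so the one used here is an assumption (both strings are case-folded before the distance is computed, so "Yt6j8M" and "yt6j8m" are distance 0). COMPROMISED is a constructed sample list.

```python
"""Reject a new password that is a small edit away from a known-compromised one.

Added example illustrating the Levenshtein check described in the post above;
it is not François' code. The case-folding step is an assumed modification.
COMPROMISED is a constructed sample standing in for one account's leaked set.
"""
from typing import Iterable, Optional, Tuple

# Constructed sample: leaked passwords for one account, as a leak-list lookup would return them.
COMPROMISED = ["yt6j8m", "yt6j8m7", "123yt6j8m", "Yt6j8mxx"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insert, delete and substitute (two-row DP)."""
    if len(a) < len(b):
        a, b = b, a                      # keep the shorter string in the inner loop
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def closest_compromised(candidate: str, compromised: Iterable[str]) -> Tuple[float, Optional[str]]:
    """(distance, entry) of the compromised password nearest the candidate.

    Comparison is on case-folded strings (the assumed modification).
    Returns (inf, None) when the compromised list is empty.
    """
    best_dist, best = float("inf"), None
    cand = candidate.casefold()
    for entry in compromised:
        d = levenshtein(cand, entry.casefold())
        if d < best_dist:
            best_dist, best = d, entry
    return best_dist, best


def check_password(candidate: str, compromised: Iterable[str],
                   min_distance: int = 3) -> Tuple[bool, float, Optional[str]]:
    """Accept only if every compromised password is at least min_distance edits away.

    Returns (accepted, distance_to_closest, closest_entry) so the caller can log why.
    """
    dist, closest = closest_compromised(candidate, compromised)
    return dist >= min_distance, dist, closest


if __name__ == "__main__":
    for pw in ("yt6j8m777", "Yt6J8m", "correct horse battery staple"):
        ok, dist, near = check_password(pw, COMPROMISED)
        print(f"{pw!r}: {'accepted' if ok else 'REJECTED'} (distance {dist} from {near!r})")
```

The check needs the candidate in the clear and the compromised entries in the clear, so it can only run server-side at password-set time; keep the leak list access-restricted and never log the candidate. A fixed threshold of 3 is a starting point; for long passphrases you may want to scale it with length.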


Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Scott Mutter via mailop
Another thing that people maybe haven't thought of, and it's actually a
wider issue than just email password compromises.

A lot of people just don't care that much about their password security.
The thinking is "what's someone going to do if they can log into my email
account and read my emails?"  They don't think of the other potential
consequences of having their password information leaked out.  They don't
consider the abuse that could happen when malicious users obtain this
information.  They see a password simply as a requirement to access their
not-so-government-secret correspondence.  So they choose a simple and easy
to remember password.

On Wed, Nov 17, 2021 at 2:17 PM Slavko via mailop  wrote:

> Hi,
>
> On Wed, 17 Nov 2021 13:31:50 -0600 Scott Mutter via mailop
>  wrote:
>
> > Unless you are sending an encrypted password to your mail server (in
> > which case, the compromiser still has the necessary to log into your
> > email account) then this has to be decrypted somehow by the email
> > application. Again, if you're not entering anything to decrypt this
> > then that means the necessary information to decrypt the encrypted
> > stored password is on the system in some manner.
>
> I agree in principle, but it becomes a real problem if that software is
> used by 60 % of Internet users (hi Chrome); if it is used by 0,00x % of
> users, it must be a really targeted attack, otherwise its success rate will be
> very very low.
>
> The question remains how valuable a successful targeted attack against
> **regular** users will be -- IMO more theoretical than real (and some people
> still consider me paranoid ;-) ).
>
> regards
>
> --
> Slavko
> https://www.slavino.sk


Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Jay Hennigan via mailop

On 11/17/21 00:10, Hans-Martin Mosner via mailop wrote:

Here I want to focus on hacked mail accounts. I can think of two major 
root causes but I have no idea about their relative significance:


  * Easily guessable passwords, with two subcauses for exploits:
  o Brute force authentication attempts - I'm seeing them regularly,
and the most egregious networks (e.g. 5.188.206.0/24) are fully
blocked at our mailserver, but some mailops are less strict
about blocking such abusers.
  o Hashed password data exfiltration and cracking (for example
using JtR) these lists - this would work better with weaker
password hashing, but with weak passwords and some CPU power it
is probably possible even for strong hash algorithms.
  * Malware on client machines where passwords are either stored in a
password vault, or entered manually.


I think that you're missing the most common one, social engineering of 
the users via phishing.

--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Jarland Donnell via mailop
There's an idea I've been toying with for a long time, and it's not 
particularly revolutionary. But almost no one is doing it this 
specifically, and I think it would be an excellent show of competency 
for anyone willing to go that slightly extra mile.


If you can get the passwords that are going around in these database 
dumps and compare them to email accounts in your system, test those 
passwords against their email accounts using automation, and then force 
a password change if it matches, you are not only going to stop a ton of 
compromises you're probably going to get a raise.


There are sites out there that provide this information over APIs, or 
honestly the databases themselves are freely available on certain 
websites. A good white hat always know their way around black hat, and 
using it to the advantage and for the benefit of everyone sounds like a 
really good way to turn that trend around.


On 2021-11-17 13:48, Hans-Martin Mosner via mailop wrote:

Thanks everybody for your insights and additional thoughts to
consider. Indeed I didn't think of the phishing and password re-use
scenarios, which are certainly responsible for quite a number of mail
account hacks.

My goal is to have some possibilities to list when contacting admins
of systems with compromised accounts, and it helps if I focus on those
with highest probabilities.

Cheers,
Hans-Martin



Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Slavko via mailop
Hi,

On Wed, 17 Nov 2021 13:31:50 -0600 Scott Mutter via mailop
 wrote:

> Unless you are sending an encrypted password to your mail server (in
> which case, the compromiser still has the necessary to log into your
> email account) then this has to be decrypted somehow by the email
> application. Again, if you're not entering anything to decrypt this
> then that means the necessary information to decrypt the encrypted
> stored password is on the system in some manner.

I agree in principle, but it becomes a real problem if that software is
used by 60 % of Internet users (hi Chrome); if it is used by 0,00x % of
users, it must be a really targeted attack, otherwise its success rate will be
very very low.

The question remains how valuable a successful targeted attack against
**regular** users will be -- IMO more theoretical than real (and some people
still consider me paranoid ;-) ).

regards

-- 
Slavko
https://www.slavino.sk




Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Hans-Martin Mosner via mailop
Thanks everybody for your insights and additional thoughts to consider. Indeed I didn't think of the phishing and 
password re-use scenarios, which are certainly responsible for quite a number of mail account hacks.


My goal is to have some possibilities to list when contacting admins of systems with compromised accounts, and it helps 
if I focus on those with highest probabilities.


Cheers,
Hans-Martin



Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Scott Mutter via mailop
>If one use good email client/browser, locally stored passwords are not a
> problem as they are encrypted

Unless you are sending an encrypted password to your mail server (in which
case, the compromiser still has the necessary to log into your email
account) then this has to be decrypted somehow by the email application.
Again, if you're not entering anything to decrypt this then that means the
necessary information to decrypt the encrypted stored password is on the
system in some manner.


Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Slavko via mailop
Hi,

On Wed, 17 Nov 2021 11:51:46 -0600 Scott Mutter via mailop
 wrote:

> Don't forget local compromises - keyloggers, spyware, and other
> malware - running on an end-user's system.

If one uses a good email client/browser, locally stored passwords are not a
problem as they are encrypted:

{AES-256-CBC,5}nzTZHRh...snip...2sbjH9/O/XoG

If you have passwords stored in plaintext, no malware is needed, as
some OSes are posting all personal files to their vendor, often hidden as
telemetry, and often it cannot be fully disabled... But when you cannot
trust your OS, then no "telemetry" is needed, as the OS can see all your
typing anyway...

No, I do not want to say that these OS vendors are participating in
password leaks, but these files can be stolen from them by attackers
or employees (they are people too).

And if someone provides, in these days, still plain access (110/tcp,
143/tcp, 25/tcp with or without STARTTLS) for you (no matter if
as primary or as fallback only), nobody has to care about files in your
PC.

regards

-- 
Slavko
https://www.slavino.sk




Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Scott Mutter via mailop
Don't forget local compromises - keyloggers, spyware, and other malware -
running on an end-user's system.

If you are checking your email with an email client and not entering your
password every time you check for mail (which most of us don't do) then the
password to your email is stored somewhere locally on your system.  A
crafted piece of malware can get the password that way.

If you're checking your email via webmail and you're not typing in your
password every time you log in, i.e. it's stored in your browser... then
the password is stored somewhere locally on your system.  A crafted piece
of malware could find that password as well.

On Wed, Nov 17, 2021 at 11:21 AM John Levine via mailop 
wrote:

> It appears that Bill Cole via mailop  said:
> >Who needs to bother with brute force "cracking" when so many passwords
> >are just out there for the taking?
>
> Botnets.  My MTA accepts any login, says it works, and directs any subsequent
> mail to the spamtrap.  Here's attempts from the last 20 minutes.  Some of those
> logins are related to actual addresses here, some are just random.
>
> 2021-11-17 11:55:34.713814500 mailfront[19253]: Fake login hsttbhpvx /
> hsttbh123
> 2021-11-17 11:55:59.927913500 mailfront[19323]: Fake login leonard@c /
> leonar123
> 2021-11-17 11:57:13.664694500 mailfront[19603]: Fake login bob2@bob /
> bob22020
> 2021-11-17 11:57:19.972595500 mailfront[19614]: Fake login webmaster /
> webmas123
> 2021-11-17 11:57:24.721663500 mailfront[19622]: Fake login mcknight. /
> mcknig123
> 2021-11-17 11:57:49.227991500 mailfront[19676]: Fake login 1993jul19 /
> 1993ju123
> 2021-11-17 11:57:59.733940500 mailfront[19696]: Fake login saudadesd /
> saudad123
> 2021-11-17 11:58:32.167072500 mailfront[19806]: Fake login dofcowsou /
> dofcow123
> 2021-11-17 11:58:48.499845500 mailfront[19849]: Fake login xxuqtby@l /
> xxuqtb123
> 2021-11-17 11:59:15.775566500 mailfront[19933]: Fake login larisaxdv /
> larisa123
> 2021-11-17 11:59:19.308656500 mailfront[19937]: Fake login stratfor@ /
> stratf123
> 2021-11-17 11:59:27.927226500 mailfront[19960]: Fake login areferker@iec
> / areferker2020
> 2021-11-17 11:59:40.918734500 mailfront[20024]: Fake login postmaste /
> postma123
> 2021-11-17 11:59:55.085884500 mailfront[20061]: Fake login spayeddbe /
> spayed123
> 2021-11-17 12:01:19.801787500 mailfront[20349]: Fake login bobrisks@bob /
> bobrisks2020
> 2021-11-17 12:01:28.290702500 mailfront[20362]: Fake login asrg@joh /
> asrg2020
> 2021-11-17 12:02:13.205276500 mailfront[20537]: Fake login bobf@fra /
> bobf2020
> 2021-11-17 12:02:22.114495500 mailfront[20581]: Fake login airliners /
> airlin123
> 2021-11-17 12:02:52.691619500 mailfront[20704]: Fake login postmaste /
> postma123
> 2021-11-17 12:03:25.757517500 mailfront[20839]: Fake login postmaste /
> postma123
> 2021-11-17 12:03:47.168752500 mailfront[20891]: Fake login jonathon@ /
> jonath123
> 2021-11-17 12:04:03.789002500 mailfront[20934]: Fake login info@zeu /
> password
> 2021-11-17 12:04:15.674974500 mailfront[20970]: Fake login obnoxious /
> obnoxi123
> 2021-11-17 12:04:57.635122500 mailfront[21150]: Fake login kseniyawx /
> kseniy123
> 2021-11-17 12:05:18.170965500 mailfront[21242]: Fake login xwmhdral@ /
> xwmhdr123
> 2021-11-17 12:05:36.038108500 mailfront[21305]: Fake login asrg@bob /
> asrg2020
> 2021-11-17 12:07:38.065773500 mailfront[21776]: Fake login as@zeu / as2020
> 2021-11-17 12:08:00.444663500 mailfront[21851]: Fake login aalter@bobf /
> aalter@1234
> 2021-11-17 12:08:05.554393500 mailfront[21858]: Fake login andrewjnash@iec
> / andrewjnash2020
> 2021-11-17 12:08:08.867614500 mailfront[21872]: Fake login anna12550@zeu
> / anna125502020
> 2021-11-17 12:08:30.686983500 mailfront[21995]: Fake login approval@iec /
> approval2020
> 2021-11-17 12:08:52.278898500 mailfront[22082]: Fake login arsenii@iecc /
> arsenii@1234
> 2021-11-17 12:09:10.315914500 mailfront[22140]: Fake login yuliafrwy /
> yuliaf123
> 2021-11-17 12:09:42.345135500 mailfront[22207]: Fake login postmaste /
> postma123
> 2021-11-17 12:10:08.705233500 mailfront[22327]: Fake login atlantic@ /
> atlant123
> 2021-11-17 12:11:16.344928500 mailfront[22478]: Fake login pistols@c /
> pistol123
> 2021-11-17 12:11:29.804099500 mailfront[22512]: Fake login webmaster /
> webmas123
> 2021-11-17 12:11:55.193699500 mailfront[22605]: Fake login bobmarly@bob /
> bobmarly2020
> 2021-11-17 12:12:25.315811500 mailfront[22690]: Fake login travelmol /
> travel123
> 2021-11-17 12:12:25.576148500 mailfront[22675]: Fake login approve@tel /
> approve2020
> 2021-11-17 12:12:48.556795500 mailfront[22734]: Fake login 299.13@ /
> 13@1234
> 2021-11-17 12:13:45.074059500 mailfront[22933]: Fake login costcentr /
> costce123
> 2021-11-17 12:14:57.807258500 mailfront[23156]: Fake login barryjoe0 /
> barryj123
> 2021-11-17 12:16:11.739180500 mailfront[23449]: Fake login alison@iec /
> alison2020
> 2021-11-17 12:16:15.895229500 mailfront[23482]: Fake login shannoncb /
> shanno123
> 2021-11-17 12:16:3

Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread John Levine via mailop
It appears that Bill Cole via mailop  said:
>Who needs to bother with brute force "cracking" when so many passwords 
>are just out there for the taking?

Botnets.  My MTA accepts any login, says it works, and directs any subsequent
mail to the spamtrap.  Here's attempts from the last 20 minutes.  Some of those
logins are related to actual addresses here, some are just random.

2021-11-17 11:55:34.713814500 mailfront[19253]: Fake login hsttbhpvx / hsttbh123
2021-11-17 11:55:59.927913500 mailfront[19323]: Fake login leonard@c / leonar123
2021-11-17 11:57:13.664694500 mailfront[19603]: Fake login bob2@bob / bob22020
2021-11-17 11:57:19.972595500 mailfront[19614]: Fake login webmaster / webmas123
2021-11-17 11:57:24.721663500 mailfront[19622]: Fake login mcknight. / mcknig123
2021-11-17 11:57:49.227991500 mailfront[19676]: Fake login 1993jul19 / 1993ju123
2021-11-17 11:57:59.733940500 mailfront[19696]: Fake login saudadesd / saudad123
2021-11-17 11:58:32.167072500 mailfront[19806]: Fake login dofcowsou / dofcow123
2021-11-17 11:58:48.499845500 mailfront[19849]: Fake login xxuqtby@l / xxuqtb123
2021-11-17 11:59:15.775566500 mailfront[19933]: Fake login larisaxdv / larisa123
2021-11-17 11:59:19.308656500 mailfront[19937]: Fake login stratfor@ / stratf123
2021-11-17 11:59:27.927226500 mailfront[19960]: Fake login areferker@iec / areferker2020
2021-11-17 11:59:40.918734500 mailfront[20024]: Fake login postmaste / postma123
2021-11-17 11:59:55.085884500 mailfront[20061]: Fake login spayeddbe / spayed123
2021-11-17 12:01:19.801787500 mailfront[20349]: Fake login bobrisks@bob / bobrisks2020
2021-11-17 12:01:28.290702500 mailfront[20362]: Fake login asrg@joh / asrg2020
2021-11-17 12:02:13.205276500 mailfront[20537]: Fake login bobf@fra / bobf2020
2021-11-17 12:02:22.114495500 mailfront[20581]: Fake login airliners / airlin123
2021-11-17 12:02:52.691619500 mailfront[20704]: Fake login postmaste / postma123
2021-11-17 12:03:25.757517500 mailfront[20839]: Fake login postmaste / postma123
2021-11-17 12:03:47.168752500 mailfront[20891]: Fake login jonathon@ / jonath123
2021-11-17 12:04:03.789002500 mailfront[20934]: Fake login info@zeu / password
2021-11-17 12:04:15.674974500 mailfront[20970]: Fake login obnoxious / obnoxi123
2021-11-17 12:04:57.635122500 mailfront[21150]: Fake login kseniyawx / kseniy123
2021-11-17 12:05:18.170965500 mailfront[21242]: Fake login xwmhdral@ / xwmhdr123
2021-11-17 12:05:36.038108500 mailfront[21305]: Fake login asrg@bob / asrg2020
2021-11-17 12:07:38.065773500 mailfront[21776]: Fake login as@zeu / as2020
2021-11-17 12:08:00.444663500 mailfront[21851]: Fake login aalter@bobf / aalter@1234
2021-11-17 12:08:05.554393500 mailfront[21858]: Fake login andrewjnash@iec / andrewjnash2020
2021-11-17 12:08:08.867614500 mailfront[21872]: Fake login anna12550@zeu / anna125502020
2021-11-17 12:08:30.686983500 mailfront[21995]: Fake login approval@iec / approval2020
2021-11-17 12:08:52.278898500 mailfront[22082]: Fake login arsenii@iecc / arsenii@1234
2021-11-17 12:09:10.315914500 mailfront[22140]: Fake login yuliafrwy / yuliaf123
2021-11-17 12:09:42.345135500 mailfront[22207]: Fake login postmaste / postma123
2021-11-17 12:10:08.705233500 mailfront[22327]: Fake login atlantic@ / atlant123
2021-11-17 12:11:16.344928500 mailfront[22478]: Fake login pistols@c / pistol123
2021-11-17 12:11:29.804099500 mailfront[22512]: Fake login webmaster / webmas123
2021-11-17 12:11:55.193699500 mailfront[22605]: Fake login bobmarly@bob / bobmarly2020
2021-11-17 12:12:25.315811500 mailfront[22690]: Fake login travelmol / travel123
2021-11-17 12:12:25.576148500 mailfront[22675]: Fake login approve@tel / approve2020
2021-11-17 12:12:48.556795500 mailfront[22734]: Fake login 299.13@ / 13@1234
2021-11-17 12:13:45.074059500 mailfront[22933]: Fake login costcentr / costce123
2021-11-17 12:14:57.807258500 mailfront[23156]: Fake login barryjoe0 / barryj123
2021-11-17 12:16:11.739180500 mailfront[23449]: Fake login alison@iec / alison2020
2021-11-17 12:16:15.895229500 mailfront[23482]: Fake login shannoncb / shanno123
2021-11-17 12:16:30.859248500 mailfront[23659]: Fake login as1994oct / as1994123
2021-11-17 12:16:57.007395500 mailfront[23691]: Fake login isocmembe / isocme123
2021-11-17 12:17:04.555398500 mailfront[23713]: Fake login hopkins@c / hopkin123
2021-11-17 12:17:11.761031500 mailfront[23733]: Fake login hostmaste / hostma123
2021-11-17 12:18:10.497572500 mailfront[23944]: Fake login hostmaster@ / Hostma12345

I agree that reuse and phishing are likely to be more productive.

R's,
John
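An added example, not John Levine's code, that runs over a subset of the honeypot lines he quotes above and classifies each guess by how the password was derived from the username. The classification rules are mine, inferred from those lines (his log truncates the username field, which is why the rules key on the first six characters of the local part); nothing here is a real credential. The point it makes concrete is that almost none of this traffic is blind brute force: it is a botnet applying a handful of username-mangling rules.

```python
"""Classify honeypot login attempts by how the guessed password relates to the username.

Added example, not John Levine's code. LOG_SAMPLE is a subset of the lines
quoted in his post; the rules in classify() are inferred from those lines.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

LOG_SAMPLE = """\
2021-11-17 11:55:34.713814500 mailfront[19253]: Fake login hsttbhpvx / hsttbh123
2021-11-17 11:55:59.927913500 mailfront[19323]: Fake login leonard@c / leonar123
2021-11-17 11:57:13.664694500 mailfront[19603]: Fake login bob2@bob / bob22020
2021-11-17 11:57:19.972595500 mailfront[19614]: Fake login webmaster / webmas123
2021-11-17 12:04:03.789002500 mailfront[20934]: Fake login info@zeu / password
2021-11-17 12:07:38.065773500 mailfront[21776]: Fake login as@zeu / as2020
2021-11-17 12:08:00.444663500 mailfront[21851]: Fake login aalter@bobf / aalter@1234
2021-11-17 12:09:42.345135500 mailfront[22207]: Fake login postmaste / postma123
2021-11-17 12:12:48.556795500 mailfront[22734]: Fake login 299.13@ / 13@1234
2021-11-17 12:18:10.497572500 mailfront[23944]: Fake login hostmaster@ / Hostma12345
"""

LOGIN_RE = re.compile(r"Fake login (\S+) / (\S+)")


def classify(user: str, password: str) -> str:
    """Name the transformation that produces `password` from the username's local part."""
    local = user.split("@", 1)[0]
    lo, pw = local.lower(), password.lower()
    stem = lo[:6]                                   # the log shows six-character stems + digits
    if lo and pw == stem + "123":
        return "prefix6+123"
    if lo and password == local + "2020":
        return "user+2020"
    if lo and password == local + "@1234":
        return "user+@1234"
    if lo and pw.startswith(stem) and pw[len(stem):].isdigit():
        return "prefix6+digits"                     # e.g. Hostma12345
    return "other"                                  # dictionary word or unrelated to the username


def parse(log_text: str) -> List[Tuple[str, str]]:
    """Extract (username, password) pairs from 'Fake login USER / PASSWORD' lines."""
    pairs = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def summarize(log_text: str) -> Dict[str, int]:
    """Count attempts per derivation rule."""
    return dict(Counter(classify(u, p) for u, p in parse(log_text)))


def username_derived_share(log_text: str) -> float:
    """Fraction of attempts whose password is mechanically derived from the username."""
    counts = summarize(log_text)
    total = sum(counts.values())
    return (total - counts.get("other", 0)) / total if total else 0.0


if __name__ == "__main__":
    for rule, n in sorted(summarize(LOG_SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{rule:15s} {n}")
    print(f"username-derived: {username_derived_share(LOG_SAMPLE):.0%}")
```

On a production MTA the same classifier can be pointed at failed-auth lines (Dovecot or Postfix SASL) to separate this rule-driven noise from the "low and slow" credential-stuffing attempts that use a real leaked password, which is the traffic worth alerting on.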


Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Bill Cole via mailop

On 2021-11-17 at 03:10:13 UTC-0500 (Wed, 17 Nov 2021 09:10:13 +0100)
Hans-Martin Mosner via mailop 
is rumored to have said:


Hi folks,

I'm trying to understand the root causes and vulnerabilities that lead 
to hacked mailboxes. Currently, we can handle dynamic IP ranges pretty 
well, and we have an extensive list of network ranges whose owners are 
spammers or knowingly accept spammers as customers.


So what mainly remains as spam sources are hacked servers/websites, 
hacked mail accounts, and freemail accounts registered with the 
purpose of spamming (I'm looking at you, Google).


Here I want to focus on hacked mail accounts. I can think of two major 
root causes but I have no idea about their relative significance:


 * Easily guessable passwords, with two subcauses for exploits:
 o Brute force authentication attempts - I'm seeing them 
regularly, and the most egregious networks (e.g.
   5.188.206.0/24) are fully blocked at our mailserver, but some 
mailops are less strict about blocking such abusers.
 o Hashed password data exfiltration and cracking (for example 
using JtR) these lists - this would work better with
   weaker password hashing, but with weak passwords and some CPU 
power it is probably possible even for strong hash

   algorithms.


Who needs to bother with brute force "cracking" when so many passwords 
are just out there for the taking? Many breaches of user data, even in 
recent years, have included unhashed passwords. Based on my own informal 
observations of multiple systems (some production, some more amenable to 
careful instrumentation...) the constant stream of auth attempts is 
mostly using username+password combinations that work *somewhere* or 
that at least have worked at some point in the past. Phishing is also a 
significant path of compromise, sometimes with very well-crafted phish 
messages.


 * Malware on client machines where passwords are either stored in a 
password vault, or entered manually.


Theoretically possible. I know this was common in the past, but I don't 
think it's currently a major activity. Of the users I've dealt with who 
have had compromises, 0.00% have used a password manager and >90% reused 
passwords and/or had pathologically weak passwords.


My gut feeling is that some organizations are especially prone to 
hacked mail accounts. We're seeing lots of south american government 
agency users, and many accounts at educational institutions. The 
latter are often hosted using Microsoft O365 services, and I highly 
suspect that weak passwords for all the freshly created student 
accounts may be a major cause, although exfiltrated password data may 
be a possibility, too.


Big and broadly trusted entities are attractive targets, especially if 
they do some sort of federated authentication. No one is putting effort 
into making a credible phish for a site with 20 users. In the case of 
MS365 & Google, they attract a huge flow of phishes and 
credential-stuffing of all the passwords that attackers find by other 
means.


So does anyone have pointers to studies analyzing these (and probably 
more) causes of exploited mail accounts?


No, but I also would be interested in something more rigorous than my 
hunches and chance observations.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Michael Peddemors via mailop

Yes, people do research these things..
(Which reminds me, I do have to finish that blog post on Best Practices 
for ISP's and Telco's)


Fortunately, we not only provide email servers, but we have a threat 
division as well, so we take a lot of time to look into these issues.


I will send you a draft off list, but for instance..

* Did you know?  Turning off POP 110 will reduce email compromises by up 
to 90%?


No matter how secure/tough your passwords are, if it is sent plain text, 
it's not if but when it will be compromised.  Too many network devices 
and IoT's are compromised, and running sniffers..


Most compromises are because of 'sniffing', password reuse, phishing, 
and malware which steals passwords on the devices.  Very little real 
brute force occurs, when there are easier ways. Of course you should 
have at least a minimal password strength enforcement.


While any 8 character password hash can be broken in mere minutes, to 
actually brute force that many combinations will quickly be detected, 
and rate limiters pretty well rule that out.


Fix the simple things first.. hackers like the easy targets.

-- Michael --

On 2021-11-17 5:24 a.m., Francois Petillon via mailop wrote:

On 11/17/21 9:10 AM, Hans-Martin Mosner via mailop wrote:

Here I want to focus on hacked mail accounts. I can think of two major root
causes but I have no idea about their relative significance:



  * Easily guessable passwords, with two subcauses for exploits:
  o Brute force authentication attempts - I'm seeing them regularly,


Are you sure it is really *full brute* force attempts and not a *password reuse*
attack?

Some of my users have dozens of passwords compromised and an attacker has
plenty of information about:
1/ what are the usual password used for an email
2/ what kind of transformations are applied by its user.

so that attackers might dramatically limit the volume of trials needed for that
kind of attack.

Just an example, one of my users has that kind of compromised passwords in
"public" lists (some letters have been changed and this account has been
disabled for a few years):
- Yt6j8mxx
- 123ytm
- ytjm0
- Yt6j8M
- Yt7j6M
- yyt6j8M
- yt6j8mm
- 123yt6j8m
- yt6j8mz
- yt6j8mq
- yt6j8ma
- yt6j8m9
- yt6j8m8
- yt6j8m777
- yt6j8m7
- yt6j8m6
[...]

As an attacker, I would try to 1/check each of these passwords 2/ find the most
common roots of these passwords and brute force only using usual transformations
(in this example, there are case transformations, adding "123" at the beginning,
adding a single character at the end, adding several time the same character at
the end).

I usually see "slow and low" attacks (one password checked per account, per IP
and per day) and real brute force attacks are quite uncommon on the mail servers
I manage.


and the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at our mailserver, but some mailops are less strict about blocking such abusers.


IMHO, the main issue is not really about blocking abusers but being able to
identify compromised accounts.


  * Malware on client machines where passwords are either stored in a password
vault, or entered manually.


You are missing phishing attacks and probably compromised servers.


My gut feeling is that some organizations are especially prone to hacked mail
accounts. We're seeing lots of south american government agency users, and many
accounts at educational institutions.


I am afraid the issue is broader than that. Yes, there are many issues with
educational institutions (I have seen that kind of cases from all over the
world) but I also have seen compromised accounts used to spam from small
enterprises (real estates, plumbers, architects, etc.)


The latter are often hosted using Microsoft O365 services,


I would say O365 is probably a catalyst and probably not the cause.

What you usually see is the spam. This means the spammer was able to know how
to identify compromised accounts *and* he was able to know how to send mails.
With any domain using O365, spammers already have all the needed information.

The (french banks) phishings I used to receive only from O365 are now also sent
directly from servers hosted at universities. I even have received a scam sent
from a compromised account at a french ministry.


and I highly suspect that weak passwords for all the
freshly created student accounts may be a major cause, although exfiltrated
password data may be a possibility, too.


Brute force on weak passwords seems unlikely to me as long as you are
using network services. I would think the main issue is password reuse.

François

--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Com
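An added example, not code from this thread, for the point Michael makes above about POP on 110 and sniffers, and Slavko's earlier remark about plain access on 110/tcp and 143/tcp "with or without STARTTLS": what matters is what the server is willing to accept before TLS is negotiated. Under RFC 3501, IMAP LOGIN is available unless the server advertises LOGINDISABLED, and AUTH=PLAIN or AUTH=LOGIN offered pre-STARTTLS are just as plaintext; under RFC 2449, a POP3 CAPA reply listing USER, or a SASL line listing PLAIN or LOGIN, means the same. The sample responses are constructed; the two probe helpers talk to a real host and are for interactive use only.

```python
"""Audit whether a POP3/IMAP listener accepts plaintext credentials before TLS.

Added example, not code from the thread. It inspects the capability
advertisement a server sends *before* STARTTLS/STLS. Sample responses are
constructed; fetch_* helpers connect to a real host and are not exercised here.
"""
import re
import socket

# Constructed samples of what a client sees on a plain 143/110 connection.
IMAP_WEAK = "* OK [CAPABILITY IMAP4rev1 SASL-IR STARTTLS AUTH=PLAIN AUTH=LOGIN] mail.example ready\r\n"
IMAP_HARDENED = "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGINDISABLED STARTTLS] mail.example ready\r\n"
POP3_WEAK = "+OK Capability list follows\r\nTOP\r\nUIDL\r\nUSER\r\nSASL PLAIN LOGIN\r\nSTLS\r\n.\r\n"
POP3_HARDENED = "+OK Capability list follows\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n"

# Capabilities appear either in the greeting ("[CAPABILITY ...]") or as an untagged reply.
_IMAP_CAPS = re.compile(r"\[CAPABILITY ([^\]]*)\]|^\* CAPABILITY (.*)$", re.M)


def imap_plaintext_before_tls(text: str) -> bool:
    """True if a client could send a password in the clear on this connection."""
    m = _IMAP_CAPS.search(text)
    if not m:
        return True                      # no capability data: RFC 3501 LOGIN is mandatory, assume enabled
    caps = {c.upper() for c in (m.group(1) or m.group(2)).split()}
    login_enabled = "LOGINDISABLED" not in caps
    weak_sasl = bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})
    return login_enabled or weak_sasl


def pop3_plaintext_before_tls(text: str) -> bool:
    """True if USER/PASS or a plaintext SASL mechanism is offered before STLS."""
    caps: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == ".":
            break
        if line.startswith("-ERR"):
            return True                  # CAPA unsupported: USER/PASS is the RFC 1939 baseline
        if not line or line.startswith("+OK"):
            continue
        name, *args = line.split()
        caps[name.upper()] = {a.upper() for a in args}
    return "USER" in caps or bool(caps.get("SASL", set()) & {"PLAIN", "LOGIN"})


def fetch_imap_capability(host: str, port: int = 143, timeout: float = 5.0) -> str:
    """Read the greeting and an explicit CAPABILITY reply, without ever issuing STARTTLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        out = [rfile.readline().decode("ascii", "replace")]
        sock.sendall(b"a1 CAPABILITY\r\n")
        while True:
            line = rfile.readline().decode("ascii", "replace")
            if not line:
                break
            out.append(line)
            if line.startswith("a1 "):
                break
        sock.sendall(b"a2 LOGOUT\r\n")
    return "".join(out)


def fetch_pop3_capa(host: str, port: int = 110, timeout: float = 5.0) -> str:
    """Read the CAPA reply, without ever issuing STLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        rfile.readline()                 # +OK greeting, not part of the CAPA reply
        sock.sendall(b"CAPA\r\n")
        out = []
        while True:
            line = rfile.readline().decode("ascii", "replace")
            if not line:
                break
            out.append(line)
            if line.startswith("-ERR") or line.strip() == ".":
                break
        sock.sendall(b"QUIT\r\n")
    return "".join(out)


if __name__ == "__main__":
    print("IMAP weak   :", imap_plaintext_before_tls(IMAP_WEAK))
    print("IMAP hardened:", imap_plaintext_before_tls(IMAP_HARDENED))
    print("POP3 weak   :", pop3_plaintext_before_tls(POP3_WEAK))
    print("POP3 hardened:", pop3_plaintext_before_tls(POP3_HARDENED))
```

Two caveats. The POP3 CAPA list is advisory: a server that omits USER may still accept USER/PASS, so a full audit also sends USER and expects -ERR. And passing this check does not help users whose client is configured to fall back to a plaintext login; the only way to remove that fallback is to not offer it at all, which is what closing 110/143 or setting the server to refuse plaintext auth achieves.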

Re: [mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Francois Petillon via mailop
On 11/17/21 9:10 AM, Hans-Martin Mosner via mailop wrote:
> Here I want to focus on hacked mail accounts. I can think of two major root
> causes but I have no idea about their relative significance:

>  * Easily guessable passwords, with two subcauses for exploits:
>  o Brute force authentication attempts - I'm seeing them regularly, 

Are you sure it is really *full brute* force attempts and not a *password reuse*
attack?

Some of my users have dozens of passwords compromised and an attacker has
plenty of information about:
1/ what are the usual password used for an email
2/ what kind of transformations are applied by its user.

so that attackers might dramatically limit the volume of trials needed for that
kind of attack.

Just an example, one of my users has that kind of compromised passwords in
"public" lists (some letters have been changed and this account has been
disabled for a few years):
- Yt6j8mxx
- 123ytm
- ytjm0
- Yt6j8M
- Yt7j6M
- yyt6j8M
- yt6j8mm
- 123yt6j8m
- yt6j8mz
- yt6j8mq
- yt6j8ma
- yt6j8m9
- yt6j8m8
- yt6j8m777
- yt6j8m7
- yt6j8m6
[...]

As an attacker, I would try to 1/check each of these passwords 2/ find the most
common roots of these passwords and brute force only using usual transformations
(in this example, there are case transformations, adding "123" at the beginning,
adding a single character at the end, adding several time the same character at
the end).

I usually see "slow and low" attacks (one password checked per account, per IP
and per day) and real brute force attacks are quite uncommon on the mail servers
I manage.

> and the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at our
> mailserver, but some mailops are less strict about blocking such abusers.

IMHO, the main issue is not really about blocking abusers but being able to
identify compromised accounts.

>  * Malware on client machines where passwords are either stored in a password
> vault, or entered manually.

You are missing phishing attacks and probably compromised servers.

> My gut feeling is that some organizations are especially prone to hacked mail
> accounts. We're seeing lots of south american government agency users, and many
> accounts at educational institutions.

I am afraid the issue is broader than that. Yes, there are many issues with
educational institutions (I have seen that kind of cases from all over the
world) but I also have seen compromised accounts used to spam from small
enterprises (real estates, plumbers, architects, etc.)

> The latter are often hosted using Microsoft O365 services,

I would say O365 is probably a catalyst and probably not the cause.

What you usually see is the spam. This means the spammer was able to know how
to identify compromised accounts *and* he was able to know how to send mails.
With any domain using O365, spammers already have all the needed information.

The (french banks) phishings I used to receive only from O365 are now also sent
directly from servers hosted at universities. I even have received a scam sent
from a compromised account at a french ministry.

> and I highly suspect that weak passwords for all the
> freshly created student accounts may be a major cause, although exfiltrated
> password data may be a possibility, too.

Brute force on weak passwords seems unlikely to me as long as you are
using network services. I would think the main issue is password reuse.

François
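An added example, not François' code, that carries out the two attacker steps he sketches above on the (already altered) list from his post: mine the common root of the leaked variants, then expand it with only the transformations visible in the leak (case changes, a "123" prefix, one trailing character, or one character repeated). The root-mining heuristic (most widely shared case-insensitive substring, longest on ties) and the exact rule set are my assumptions; the output shows how small the resulting candidate set is and how many of the leaked variants it already contains.

```python
"""Measure how much a user's leaked password variants shrink an attacker's search.

Added example, not François' code. LEAKED is the altered list quoted in his
post; mine_root() and the rules in expand() are assumptions about how an
attacker would generalise from it.
"""
import string
from typing import Dict, Iterable, List, Set, Tuple

LEAKED = ["Yt6j8mxx", "123ytm", "ytjm0", "Yt6j8M", "Yt7j6M", "yyt6j8M",
          "yt6j8mm", "123yt6j8m", "yt6j8mz", "yt6j8mq", "yt6j8ma", "yt6j8m9",
          "yt6j8m8", "yt6j8m777", "yt6j8m7", "yt6j8m6"]

ALPHABET = string.ascii_lowercase + string.digits


def mine_root(passwords: Iterable[str], min_len: int = 4) -> str:
    """Substring (case-insensitive, >= min_len chars) present in the most passwords;
    among equally common substrings, the longest wins."""
    support: Dict[str, int] = {}
    for pw in passwords:
        s = pw.lower()
        # a set per password so a substring repeated inside one entry counts once
        for sub in {s[i:j] for i in range(len(s)) for j in range(i + min_len, len(s) + 1)}:
            support[sub] = support.get(sub, 0) + 1
    return max(support, key=lambda sub: (support[sub], len(sub)))


def case_variants(root: str) -> Set[str]:
    """The case transformations visible in the leak: all lower, first upper,
    last upper, first+last upper, all upper."""
    low = root.lower()
    return {low, low.capitalize(), low.upper(),
            low[:-1] + low[-1].upper(), low.capitalize()[:-1] + low[-1].upper()}


def expand(root: str, max_repeat: int = 3) -> Set[str]:
    """Candidate set: each case variant as-is, with a "123" prefix, or followed by
    one alphanumeric character repeated 1..max_repeat times."""
    candidates: Set[str] = set()
    for base in case_variants(root):
        candidates.add(base)
        candidates.add("123" + base)
        for ch in ALPHABET:
            for k in range(1, max_repeat + 1):
                candidates.add(base + ch * k)
    return candidates


def reduced_search(leaked: List[str]) -> Tuple[str, int, int]:
    """(root, size of candidate set, number of leaked variants it already contains)."""
    root = mine_root(leaked)
    cands = expand(root)
    return root, len(cands), sum(1 for p in leaked if p in cands)


if __name__ == "__main__":
    root, n, covered = reduced_search(LEAKED)
    print(f"root={root!r} candidates={n} leaked variants covered={covered}/{len(LEAKED)}")
```

For this list the rules yield a few hundred candidates, which is the whole budget a "low and slow" attacker needs per account, against roughly 7.8e10 (36^7) for a blind search of seven lowercase alphanumerics. That is the asymmetry the Levenshtein-style rejection in François' other post is meant to close: the defender has the same leaked list, so the defender can refuse exactly the candidates this generator produces.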


[mailop] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Hans-Martin Mosner via mailop

Hi folks,

I'm trying to understand the root causes and vulnerabilities that lead to hacked mailboxes. Currently, we can handle 
dynamic IP ranges pretty well, and we have an extensive list of network ranges whose owners are spammers or knowingly 
accept spammers as customers.


So what mainly remains as spam sources are hacked servers/websites, hacked mail accounts, and freemail accounts 
registered with the purpose of spamming (I'm looking at you, Google).


Here I want to focus on hacked mail accounts. I can think of two major root causes but I have no idea about their 
relative significance:


 * Easily guessable passwords, with two subcauses for exploits:
 o Brute force authentication attempts - I'm seeing them regularly, and the most egregious networks (e.g. 5.188.206.0/24) are fully blocked at our mailserver, but some mailops are less strict about blocking such abusers.
 o Hashed password data exfiltration and cracking (for example using JtR) these lists - this would work better with weaker password hashing, but with weak passwords and some CPU power it is probably possible even for strong hash algorithms.
 * Malware on client machines where passwords are either stored in a password vault, or entered manually.

My gut feeling is that some organizations are especially prone to hacked mail accounts. We're seeing lots of south 
american government agency users, and many accounts at educational institutions. The latter are often hosted using 
Microsoft O365 services, and I highly suspect that weak passwords for all the freshly created student accounts may be a 
major cause, although exfiltrated password data may be a possibility, too.


So does anyone have pointers to studies analyzing these (and probably more) 
causes of exploited mail accounts?

Cheers,
Hans-Martin