Why am I being Spammed? How are they Hacking me?

Don’t you hate it when you get the same spam messages day after day? Have you ever been a victim of your account(s) being hacked? How does an average person with basic internet skills avoid such outcomes? Of course, we know ‘hackers’ or ‘cyber criminals’ are the culprits behind such malicious activities. However, we usually leave it at that and don’t dig into what exactly enables these actors to partake in such activities, seemingly with ease. Let’s dig into a few ways that a hacker goes from sitting on their butt in front of a computer to delivering garbage into your inbox, and worse, taking over your account.

Can you defend yourself against someone with such a clean desk?

Data Breaches

Let’s start with how a hacker finds you. A quick glance at a list of data breaches and you may be shocked at what you see. Equifax 143 million records, Uber 57 million, United States Postal Service 60 million, Under Armour 150 million, Facebook 50 million, Marriott International 500 million, and the list goes on. As you can see, it’s not just small companies with a limited budget to spend on security that are being exposed; these are large entities with millions of users. Just google search ‘verification.io’, and we see reports stating this company has exposed 800+ million, some even stating 2 billion records within the last month! The truth is, when you sign up for your favorite clothing line’s newsletter, or Facebook, or even something seemingly safe as a government entity, most of these companies have in one way or another fallen victim to negligence or poor security practices. Given this, it is absolutely not a surprise that hackers have your information and you will eventually be targeted, if not already. A recurring thought here is: who is responsible for my (stolen? mishandled?) data?

If your account holds sensitive information, take the steps to protect it!

Olga is emailing me again.. my girlfriend is going to kill me!

All that Spam

Now that they have your information (email address, perhaps paired with your real name, interests, or other personal details), here comes the never ending wave of spam. Got your information breached at a medical institute? Now you might get spam for medication that you need. The people who can’t afford medication and look for cheaper alternatives get preyed on, which could lead to fatal results. You can bet that a few of those hundreds of millions of records use popular services such as Netflix, Apple, Paypal, etc.; now here come fake invoices or account alerts from those services loaded with malware or phishing attempts. Those data breaches that expose not only your email address, but your password too? Don’t get me started.. *cough sextortion cough*. Spammers have easy access to personal information that allow them to improve their spam game.

Always, always, ALWAYS be sure to double-check the path of the link you’re about to click. Either hover over it, or right click and copy link location.

Good ol’ ‘1234’

Authentication Attacks

We have been seeing an increasing trend towards botnet authentication attacks. This is when hackers attempt to gain login access to your account in various different ways. The main methods are brute forcing, dictionary attacks, password spraying, and credential stuffing.

Brute forcing is the most basic way, and is sometimes used as an umbrella term for these password guessing attacks. Brute forcing attempts to guess your password with a constant barrage of every combination/permutation it could think of. This type of password guessing is more effective when the password a system allows is more restricted, such as a 5 digit pin. In other words, this method is not very effective against more complex password strings.

Dictionary attacks are slightly more methodical than brute force attacks. This kind of attack would use, for an obvious example, a dictionary of words to guess your password. It may also have slight variations such as adding a number at the beginning or end of the word, or combining multiple words together.

Password spraying attacks narrow down their password guessing by using a list of the most commonly used passwords. Unfortunately, this method does find success, and from what we see is a very common technique.

Lastly credential stuffing attacks stem from data breaches where the information that is leaked includes a user’s password. This kind of breach is particularly bad, as it is very common that people reuse their passwords for different accounts. Even worse, people may reuse username/password combinations. Credential stuffing attacks will try to log into various different services using your username and password in an attempt to compromise your accounts.

Re-using passwords at more than one place is NEVER a good idea.

Knowing is not enough; implement!

How Do I Defend Myself?

Now you may be wondering, am I screwed? How do I protect myself when they already have my information? Here are two ways to look at preventing account compromise: by the end user and by the service provider.

Don’t just add a number to the end of your old password… hackers try that first!

The end user can of course, use strong passwords. You can check websites such as ‘haveibeenpwned.com’ to see whether your email address has been a part of past data breaches. Reusing passwords for multiple different accounts is a bad idea. Some products (such as MagicMail) allow you to restrict login access to your account based on, for example, the country that the IP is logging in from. For the more security-minded folks, you can also restrict access to only allow authorized devices to login to your account. Essentially, the bare minimum when it comes to setting up your email account is not enough, and the end user’s best option is to educate themselves. Unfortunately, the end user would not know whether or not their account is currently being brute forced as they typically don’t have access to this information. When was the last time you received an email from your provider warning you that IPs around the world are attempting to access your account? Usually you would only get a ‘password reset’ notification AFTER your account is successfully compromised…

Is it enough for providers to act after the fact? More proactive measures need to be taken.

The service provider needs to be more proactive in stopping this activity. However, it is (slightly) understandable that providers are extremely busy handling other things. End users can only complain about what they can see; spam, malware, unwanted/unsolicited marketing, emails not sending, emails not received, etc. Perhaps service providers are so focused on making their customers happy in this area that they neglect other aspects of security. This should not be an excuse though, at least for the larger companies, because they have both the resources and the data to detect and respond to botnets attempting to crack into peoples’ accounts. At the very least, providers should not allow their customers to use passwords that are found in any breach or common password lists.

Concluding Remarks

In this industry of email services, there seems to be some irony when it comes to communication. People with the data will ask themselves, ‘how do I make money from this?’ People who try to share the data for the greater good must ponder ‘can this information help the bad guys as well?’

This isn’t real life. There are no warning signs when you cross the road on the internet.

Who is ultimately responsible for your data? Instead of wasting time trying to point fingers after having suffered from a loss, perhaps people (especially the ones with sensitive information that needs to be protected) need to take it into their own hands. People take the digital world for granted in comparison to the real world. In real life, you can observe a man with a weapon and be wary. If you see a deranged look on their face, you will become even more cautious. In other words, you have the knowledge to detect and respond to danger in real life. Online, you can not see the danger. Even if you did, you may not be able to identify what weapon they are holding in the first place. Even if you can identify their weapon, what steps do you need to take to avoid the danger? When it comes to threat, more emphasis needs to be made in educating ‘common sense’ into people with regards to the digital world.

This entry was posted in Informative, Uncategorized and tagged , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply