How did hackers get into our email system?
One of the first questions people ask after they’ve been hacked is “how did hackers get into our email system?”
Well, there are several ways a hacker can infiltrate your email account. Let’s explore some of them.
Phishing is probably one of the most common routes of entry into an email system. It is a psychological trick which hackers use to get you to divulge your username and password.
Phishing attacks which use domain spoofing
You can fall for this by inadvertently inputting your email password into a bogus website or application, such as a fake Outlook Web App or Outlook 365 portal.
This happens a lot more than people think. For example, you might have received an email purporting to be from your email hosting provider (such as Microsoft Office365, Blacknight, GoDaddy or Hosting Ireland) warning you that your email inbox is full or that your email account is about to expire. This can shock some users into immediate action. After all, nobody wants their email account to expire! However, the domain hosting the login page that is needed to rectify the problem might have been spoofed or simply misspelt. For example, a domain like “office365-securelogin.com” could easily deceive a cognitively overloaded multi-tasking team member.
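A practical counterpart to spotting spoofed or misspelt login domains is to check the host a link actually points at rather than the name that catches the eye. The Python below is an added example written for this point and is not code from the original article; its allowlist of trusted domains and its brand keywords are constructed for illustration, and a real deployment would substitute the organisation's own list.

```python
"""Flag login URLs whose host imitates a legitimate provider's domain.

Added example, not from the original article. TRUSTED_DOMAINS and
BRAND_KEYWORDS are constructed for illustration; a real deployment would
load the organisation's own allowlist.
"""
from urllib.parse import urlsplit

# Constructed allowlist: hosts that legitimately serve a login page.
TRUSTED_DOMAINS = {"office.com", "login.microsoftonline.com", "outlook.com", "google.com"}

# Brand words an attacker is likely to embed in a lookalike host name.
BRAND_KEYWORDS = ("office365", "office", "outlook", "microsoft", "google")

# Digits commonly used as stand-ins for letters; mapped back before matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def host_of(url: str) -> str:
    """Return the host the browser would actually connect to.

    urlsplit().hostname discards any user-info prefix, so a URL such as
    'https://office.com@evil.example/' yields 'evil.example', not 'office.com'.
    """
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_trusted(host: str) -> bool:
    """True if host is a trusted domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def normalise(host: str) -> str:
    """Undo common visual tricks: digit homoglyphs, hyphens, 'rn' for 'm', 'vv' for 'w'."""
    plain = host.translate(HOMOGLYPHS).replace("-", "")
    return plain.replace("rn", "m").replace("vv", "w")


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' (brand word on an untrusted host) or 'unknown'."""
    host = host_of(url)
    if not host:
        return "unknown"
    if is_trusted(host):
        return "trusted"
    # Search both the raw host and its normalised form so that
    # 'office365-securelogin.com' and '0ffice365.example' are both caught.
    haystack = host + " " + normalise(host)
    if any(keyword in haystack for keyword in BRAND_KEYWORDS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in (
        "https://login.microsoftonline.com/common/oauth2",
        "https://office365-securelogin.com/owa",  # the article's example
        "https://0ffice365.example/login",
        "https://office.com@evil.example/",
        "https://www.beekeeping.example/",
    ):
        print(f"{classify(sample):9s} {sample}")
```

Note the user-info case: a link written as https://office.com@evil.example/ shows the trusted name first, but the browser connects to evil.example, which is what host_of returns. A "lookalike" verdict is a reason to hold the message for review, not proof of phishing on its own.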
Phishing attacks where hackers send you an email attachment loaded with malware, which results in your email password getting stolen.
Another common ploy used by hackers is sending their targets an email with an infected attachment. The attachment can be almost any file type (such as .docx, .JAR or .RAR) and contains malicious code that records your keystrokes and sends them back to the hacker. For example, a user might open an infected .doc file that launches a PowerShell script in Windows, and that script then downloads malware.
Phishing is one of the principal ways in which malware gets installed onto a PC system or other computing device. Many of the largest data breaches in history started with a phishing attack. The victim is usually sent an email attachment or link. When you click on it, malware gets surreptitiously installed onto your system.
This software can record keystrokes, take screenshots, hijack your email address book and even record footage from your webcam or audio from your microphone, any of which can enable the hacker to steal your email username and password. Malware can also get installed when the user downloads rogue applications, such as games, browser plugins or even rogue computer security apps.
While the types of phishing attack mentioned above are indiscriminate and propagated via spray-and-pray methods, some phishing attacks adopt a more focussed approach. In a spear-phishing attack, the hacker will do some research on your industry, your organisation or you to make their social engineering attack more personalised and authentic. For example, if a threat actor personalises an email to you by referencing your boss, it is more likely you will comply with their demands. According to independent studies, 30% of spear-phishing messages are opened and 12% of these users will click on the malicious attachment or link.
Hackers steal your email password by “pharming” you
When you visit a webpage (such as google.ie or office.com), it is the function of your router’s DNS (Domain Name System) server to convert the website name into an IP address, which directs your browser to the right webpage. However, hackers can sometimes “poison” the DNS settings of your router and redirect your web queries to non-genuine webpages. This type of attack is known as “pharming” and can be used to steal your email password. You can check whether your router’s DNS settings have been altered by logging into its configuration page and looking under WAN settings.
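The router check above is manual; the device-side equivalent is to compare the resolvers a machine is actually using against the ones it should be using. The following Python is an added example, not code from the original article: it parses resolv.conf-style text and flags any nameserver outside an expected set. The expected networks and both sample configurations are constructed (the rogue address is from a documentation range).

```python
"""Flag DNS resolvers outside the organisation's expected set.

Added example, not from the original article. It checks the resolver list a
device is actually using (resolv.conf-style text); the router's own WAN
settings still have to be checked in its admin page, as the article says.
EXPECTED_RESOLVERS and both sample configs are constructed.
"""
import ipaddress

# Constructed: networks that legitimately host our resolvers.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.1.1/32"),  # the router's assumed LAN address
    ipaddress.ip_network("10.0.0.0/8"),      # internal corporate resolvers
]

CLEAN_CONF = """\
# constructed sample: device points only at the router
nameserver 192.168.1.1
search corp.example
"""

TAMPERED_CONF = """\
# constructed sample: an unknown resolver has been added ahead of the router
nameserver 203.0.113.77   ; documentation-range address standing in for a rogue server
nameserver 192.168.1.1
"""


def parse_nameservers(resolv_conf: str) -> list:
    """Return 'nameserver' values in order, ignoring '#' and ';' comments."""
    servers = []
    for line in resolv_conf.splitlines():
        for marker in ("#", ";"):
            line = line.split(marker, 1)[0]
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(resolv_conf: str, expected=EXPECTED_RESOLVERS) -> list:
    """Return resolvers that fall outside every expected network, or are not valid IPs."""
    flagged = []
    for server in parse_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # garbage in the resolver list is itself suspicious
            continue
        if not any(addr in net for net in expected):
            flagged.append(server)
    return flagged


if __name__ == "__main__":
    print("clean:", unexpected_resolvers(CLEAN_CONF))        # []
    print("tampered:", unexpected_resolvers(TAMPERED_CONF))  # ['203.0.113.77']
```

Order matters in a resolver list: a rogue entry placed first is consulted before the legitimate one, so the check flags any unexpected entry rather than only the first.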
You can also inadvertently install a malicious internet browser extension or plugin (for Chrome, Firefox, Edge etc.) which steals your email password.
Browser extensions and plugins are sometimes malicious and can steal your data. Most of these browser extensions or plugins are very powerful because they request near-limitless powers over your computing device. However, users are accustomed to granting permissions to third-party applications on their computer or phone, so a lot will just click on “accept” as a matter of course. Browser extensions promise to do all sorts of wonderful things, like translating webpages, manipulating images within the browser or making downloads from the internet faster and easier. Most of these plugins are fine, but in some cases they are malicious and change the default search provider, modify search results, inject ads and steal your data.
Types of Malware that steal your email password
One type looks like benign software but is actually malicious. For example, a user might download a “free” tool to fix an issue with their PC. However, once installed, the software starts to silently collect data (such as email addresses and passwords) from their system.
You might have inadvertently downloaded a Remote Access Trojan onto your computing device
A Remote Access Trojan (RAT) (also known as a backdoor trojan) gives the hacker active control over your computing device. They are typically sent to users by email using malspam or phishing campaigns.
The NanoCore RAT is a perfect example of a remote access trojan in action. The user gets emailed a malicious attachment such as an .ISO file. When they open it, the RAT is downloaded onto the computing device. Here, it can steal usernames and passwords stored in the browser cache of popular browsers such as Chrome and Firefox. It can also steal passwords stored in email clients such as Outlook and Thunderbird.
You can inadvertently download a “rootkit” onto your computing device which then steals your email password…
This looks like a genuine operating system file, application file or device driver but is, in fact, malicious. For example, you might decide to download a new device driver for your HP printer from an unofficial technical support site. However, the downloaded file has only been disguised as a device driver, when it is actually a user-mode data-stealing rootkit. Or, a kernel-mode rootkit might be hiding inside a common operating system process file, such as svchost.exe used in Windows environments. Many endpoint security packages have great difficulty detecting rootkits. Rootkits are propagated through compromised websites and emails, and are sometimes physically distributed via USB drop attacks.
Your email account can also be infiltrated if it is protected by a weak password that enables a hacker to brute-force your email account…
If a weak password is used to secure your email account, it’s possible a hacker can “brute-force” their way in. This occurs when a hacker uses a database of thousands of commonly used passwords to try to gain access to your email account. For example, common passwords such as “Password2015”, “qwerty01” and first names (such as Janejack2010) are commonly pre-loaded into password cracking databases (rainbow tables) that are used by hackers.
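Two defences follow directly from this: refuse passwords that are a dictionary word with a year or a couple of digits bolted on, and stop an account accepting unlimited guesses. The Python below is an added example, not code from the original article; its denylist is a tiny constructed stand-in for the multi-thousand-entry lists the text mentions, and the throttle thresholds (five failures in fifteen minutes) are assumptions.

```python
"""Reject passwords that a dictionary-based brute-force would guess, and
throttle repeated failures against one account.

Added example, not from the original article. COMMON_PASSWORDS is a tiny
constructed stand-in for the multi-thousand-entry lists the article mentions.
"""
import re
from collections import defaultdict

# Constructed denylist; real ones hold thousands of leaked passwords.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "admin", "janejack"}

# Trailing digits/years/symbols that users bolt onto a dictionary word.
_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]+$")


def base_word(password: str) -> str:
    """Lower-case and strip the tail so 'Password2015' and 'qwerty01' collapse to their base word."""
    return _TRAILING_JUNK.sub("", password.lower())


def weakness_reasons(password: str, min_length: int = 12) -> list:
    """Return why the password is weak (an empty list means it passed both checks)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    base = base_word(password)
    if base in COMMON_PASSWORDS:
        reasons.append(f"built on the common word '{base}'")
    return reasons


class LoginThrottle:
    """Lock an account once `max_failures` failures land inside a `window`-second span.

    A per-account failure window caps a guessing tool at `max_failures` tries
    per window no matter how long its password list is.
    """

    def __init__(self, max_failures: int = 5, window: int = 900):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(list)  # account -> failure timestamps (seconds)

    def record_failure(self, account: str, now: float) -> None:
        self._failures[account].append(now)

    def is_locked(self, account: str, now: float) -> bool:
        recent = [t for t in self._failures[account] if now - t < self.window]
        self._failures[account] = recent  # drop failures that have aged out
        return len(recent) >= self.max_failures


if __name__ == "__main__":
    for candidate in ("Password2015", "qwerty01", "Janejack2010", "orbit-kettle-saffron-42"):
        print(candidate, weakness_reasons(candidate) or "ok")
    throttle = LoginThrottle()
    for second in range(5):
        throttle.record_failure("alice@example.com", now=second)
    print("locked:", throttle.is_locked("alice@example.com", now=5))  # True
```

The normalisation step is what makes the denylist useful: without it, “Password2015” and “qwerty01” slip past a plain lookup even though both are among the first guesses a cracking list would make.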
A hacker may also execute a Password Reset Fraud attack on one of your email accounts which grants them access…
Hackers may get into your email account by fraudulently resetting your password. Even though many email providers require two-factor authentication during the password reset process, hackers can sometimes circumvent this security control by using what is known as an SS7 attack. This is when the SMS messages commonly used by mobile providers during password reset verification are redirected to the hacker. So, the hacker can go and reset your password and the verification code is sent to them. They can then set any password they like and have full access to your email account. So much for two-factor authentication!
A hacker can execute a Sim Swap Fraud attack which enables them to access your email account…
Hackers can also thwart the two-factor authentication process used by email service providers by executing a SIM swap fraud. This occurs when they socially engineer an employee at your mobile phone company into redirecting calls and SMS messages to their own phone. The hacker then goes to your email account and initiates a password reset, and the verification code is sent directly to them. All the hacker has to do now is reset the password and they will have full control of your email account.
If you never update your device or software, you’ll be using outdated hardware or software that will present hackers with an ideal opportunity.
The longer your software has been on the market, the more time hackers have to find vulnerabilities. Operating systems like Windows 7 or Windows 8 are now vulnerable to numerous “buffer overflow” attacks. Likewise, using an older version of Android or iOS leaves your mobile device vulnerable to attack. For example, many organisations could have saved themselves from the highly disruptive WannaCry (2017) ransomware attacks if they had applied a Windows security update, which had been released a few weeks before.
Your computing device or email account can also be compromised by a Watering-hole attack
Sometimes hackers decide to target employees in a particular industry. For example, if they want to target people working in the finance industry, they might compromise finance-themed websites and upload malware onto them. This is exactly what happened when the Polish Financial Supervisory Authority got hacked. Malware-laden documents were surreptitiously uploaded to the authority’s website that visitors then downloaded, which resulted in financial professionals across Poland inadvertently downloading the data-stealing malware onto their computers.
Your email password might have been stolen from another website (credential stuffing attack)…
Many users tend to reuse their passwords for logging on to multiple online services and websites. For example, if your hobby is beekeeping, you will frequently visit a beekeeping website to find out the latest trends in the world of bees. If you log in to this beekeeping website using the same password you use for your email account, hackers who have hacked the beekeeping website will have your email address and password, which they can now use. They can then feed these stolen credentials into automated “password spraying” systems which try to log in to various online services, including those of email providers such as Office 365 and GSuite, in the hope of getting lucky. This is also referred to as “credential stuffing”. This is why you should never reuse passwords and never use your work email account to register on non-work-related websites.
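From the provider’s side, credential stuffing has a recognisable shape in the sign-in logs: one source address trying many different accounts a handful of times each, unlike a brute-force attempt that hammers a single account. The Python below is an added example, not code from the original article; the log format, addresses (documentation ranges) and account names are all constructed, and the regular expression would need adapting to a real provider’s log.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example, not from the original article. The log format and all
addresses/accounts below are constructed (TEST-NET ranges, example.com);
adapt LOG_RE to the real provider's sign-in log.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\w+)")

# Constructed sample: one source tries five different accounts once each and
# gets lucky on one; another source is a real user mistyping their password.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=carol@example.com result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=dave@example.com result=OK
2024-05-01T10:00:03Z src=203.0.113.5 user=erin@example.com result=FAIL
2024-05-01T10:00:09Z src=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:00:15Z src=198.51.100.7 user=alice@example.com result=OK
2024-05-01T10:01:00Z src=192.0.2.10 user=frank@example.com result=OK
"""


def parse_events(log_text: str):
    """Yield {'src', 'user', 'result'} for each line the pattern matches."""
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match:
            yield match.groupdict()


def detect_stuffing(log_text: str, min_users: int = 3) -> dict:
    """Return per-source stats for sources that failed against >= min_users distinct accounts.

    Brute force hammers one account; stuffing tries many accounts a few times
    each, so the breadth of usernames per source is the discriminating signal.
    """
    per_src = defaultdict(lambda: {"users": set(), "failures": 0, "successes": 0})
    for event in parse_events(log_text):
        stats = per_src[event["src"]]
        stats["users"].add(event["user"])
        if event["result"] == "OK":
            stats["successes"] += 1
        else:
            stats["failures"] += 1
    return {
        src: {"users": len(s["users"]), "failures": s["failures"], "successes": s["successes"]}
        for src, s in per_src.items()
        if s["failures"] and len(s["users"]) >= min_users
    }


def accounts_to_reset(log_text: str, min_users: int = 3) -> set:
    """Accounts that a flagged source signed into successfully: these need a password reset."""
    flagged = detect_stuffing(log_text, min_users)
    return {
        event["user"]
        for event in parse_events(log_text)
        if event["src"] in flagged and event["result"] == "OK"
    }


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))    # {'203.0.113.5': {'users': 5, 'failures': 4, 'successes': 1}}
    print(accounts_to_reset(SAMPLE_LOG))  # {'dave@example.com'}
```

The successful login from a flagged source is the important output: that account’s password has been confirmed as reused and leaked, so it is the one to reset and review first. The mistyping user at 198.51.100.7 is left alone because only one account is involved.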
You might have used a compromised Wi-Fi network
Hackers can set up rogue Wi-Fi networks to steal email passwords. These networks are often set up in public places and are given alluring names like “Free Wi-Fi” or “Guest Wi-Fi”. Once you are connected to them, your data packets can be “sniffed” and captured. These so-called “man-in-the-middle” attacks also collect email usernames and passwords. Hackers can also hunt for vulnerable wireless networks on “war-driving” expeditions, where they drive around business districts using a laptop rigged to hack wireless networks. As soon as a wireless network has been identified, they use tools like Aircrack to infiltrate it.
Other ways hackers get your password…
When you are involved in cyber-attack post-mortems, it’s very important to cast a wide net regarding attack attribution.
It could be that your password has not been stored properly. For example, your email provider (such as your ISP) could have been involved in a security breach and might not have stored your password securely. Alternatively, you could have stored your email account password in plaintext on your phone, which then got compromised by malware. In short, infiltrating an email account is an easier process than most people think, as there is a multitude of ways a hacker can get into your email system.
Common malware conduits used in attacks on Windows, MacOS, Android and iOS computing devices include:
Macros in Office Documents (.docx, .xlsx, .xlsm or .pptx)
Infected device drivers (rootkit)
Flash (now deprecated)
Archive files (e.g. ACE, RAR, JAR, TAR, Zip, 7Zip)
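A mail gateway or help desk can triage attachments against the conduits listed above before anyone opens them. The Python below is an added example, not code from the original article: it flags macro-enabled and archive extensions, recognises the legacy binary Office format by its magic bytes, and looks inside modern Office packages (which are zip files) for the vbaProject.bin member where macros live. The sample documents it builds are constructed stand-ins with only the member names, not real Office files, and nothing here parses or runs macro code.

```python
"""Triage email attachments for the conduits listed above.

Added example, not from the original article. The OOXML packages it builds
are constructed stand-ins (a zip with the member names Word uses); nothing
here executes or parses macro code, it only reports where macros could live.
"""
import io
import zipfile

MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".ace", ".tar", ".jar", ".iso"}
# Magic bytes of the legacy binary Office (OLE compound file) format, e.g. .doc/.xls.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def has_vba_project(data: bytes) -> bool:
    """True if data is a zip (OOXML) package containing a vbaProject.bin member."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        return any(name.lower().endswith("vbaproject.bin") for name in package.namelist())


def classify_attachment(filename: str, data: bytes) -> list:
    """Return reasons to hold the attachment for closer inspection (empty = nothing found)."""
    reasons = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_ENABLED_EXT:
        reasons.append("macro-enabled Office extension")
    if ext in ARCHIVE_EXT:
        reasons.append("archive container (contents not scanned here)")
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE Office document; may embed VBA")
    if has_vba_project(data):
        # Catches a macro-bearing package renamed to a safe-looking .docx/.xlsx.
        reasons.append("OOXML package embeds vbaProject.bin")
    return reasons


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word document: a zip with the minimal member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docx", build_ooxml(with_macro=False)),
        ("invoice.docx", build_ooxml(with_macro=True)),
        ("invoice.docm", build_ooxml(with_macro=True)),
        ("report.doc", OLE_MAGIC + b"\x00" * 16),
        ("files.rar", b"Rar!\x1a\x07\x00"),
    ]
    for name, blob in samples:
        print(f"{name:13s} {classify_attachment(name, blob) or 'nothing found'}")
```

Checking the package contents rather than trusting the extension is the point: the extension is chosen by the sender, while the vbaProject.bin member is what the Office application will actually act on. Archives are only flagged here, since scanning their contents needs the relevant decompressor and a recursion limit.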