One of the most-viewed stories on this site is a blog post and graphic that I put together last year to illustrate the ways that bad guys can monetize hacked computers. But just as folks who don’t bank online or store sensitive data on their PCs often have trouble understanding why someone would want to hack into their systems, many people do not fully realize how much they have invested in their email accounts until those accounts are in the hands of cyber thieves.
This post aims to raise awareness about the street value of a hacked email account, as well as all of the people, personal data, and resources that are put at risk when users neglect to properly safeguard their inboxes.
Sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who controls that address can reset the password of any associated service or account, merely by requesting a password reset email.
How much are these associated accounts worth? There isn’t exactly a central exchange for hacked accounts in the cybercrime underground, but recent price lists posted by several miscreants who traffic in non-financial compromised accounts offer some insights.
One prominent credential seller in the underground peddles iTunes accounts for $8, and Fedex.com, Continental.com and United.com accounts for $6. Groupon.com accounts fetch $5, while $4 buys hacked credentials at registrar and hosting provider Godaddy.com, as well as wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com. Active accounts at Facebook and Twitter retail for just $2.50 apiece.
As I’ve noted in previous stories, some crime shops go even lower with their prices for hacked accounts, charging between $1 and $3 for active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com and target.com, to name just a few.
Even if your email isn’t tied to online merchants, it is probably connected to other accounts you care about. Hacked email accounts are not only used to blast junk messages: They are harvested for the email addresses of your contacts, who can then be inundated with malware spam and phishing attacks. Those same contacts may even receive a message claiming you are stranded, penniless in some foreign country and asking them to wire money somewhere.
If you’ve purchased software, it’s likely that the license key to that software title is stored somewhere in your messages. Do you use online or cloud file-storage services like Dropbox, Google Drive or Microsoft SkyDrive to back up or store your pictures, files and music? The key to unlocking access to those files also lies in your inbox.
If your inbox was held for ransom, would you pay to get it back? If your Webmail account gets hacked and was used as the backup account to receive password reset emails for another Webmail account, guess what? Attackers can now seize both accounts.
If you have corresponded with your financial institution via email, chances are decent that your account will eventually be used in an impersonation attempt to siphon funds from your bank account.
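To make that inventory concrete, here is an added Python example (not code from the post or from KrebsOnSecurity) that parses a handful of constructed sample messages and groups them into the exposure categories described above: password resets, account sign-ups, license keys, cloud-storage links, recovery-address notices and bank correspondence. The sender domains, subjects and the regular-expression rules are assumptions made for illustration; running something like this over your own mailbox shows which services an attacker could reset or unlock from your inbox alone, and therefore which accounts most need a separate recovery address and multi-factor authentication.

```python
"""Inventory what a mailbox exposes (added example, not part of the original post).

Parses constructed RFC 822 messages and groups sender domains into the risk
categories the post describes. Domains, subjects and rules are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every sender and body here is invented.
SAMPLE_MESSAGES = [
    "From: no-reply@shop.example\nSubject: Reset your password\n\n"
    "Click the link to reset your password: https://shop.example/reset?token=abc\n",
    "From: accounts@photos.example\nSubject: Welcome! Verify your email address\n\n"
    "Thanks for signing up. Confirm your address to activate your account.\n",
    "From: store@software.example\nSubject: Your order and license key\n\n"
    "Your license key: XXXX-XXXX-XXXX-XXXX\n",
    "From: drive@cloud.example\nSubject: Someone shared a folder with you\n\n"
    "Open the shared folder: https://cloud.example/s/family-photos\n",
    "From: security@othermail.example\nSubject: Recovery email address added\n\n"
    "This address is now the recovery email for someone@othermail.example.\n",
    "From: advisor@bank.example\nSubject: RE: wire instructions for your account\n\n"
    "As discussed, here are the wire details ...\n",
    "From: newsletter@news.example\nSubject: Weekly digest\n\nTop stories this week.\n",
]

# Ordered (category, pattern) rules matched against subject + body + sender domain.
# Order matters: the first matching rule wins.
RULES = [
    ("password_reset", re.compile(r"reset (your )?password|password reset", re.I)),
    ("recovery_address", re.compile(r"recovery (email|address)|backup (email|address)", re.I)),
    ("license_key", re.compile(r"license key|activation code|serial number", re.I)),
    ("cloud_storage", re.compile(r"shared (a )?(folder|file)|cloud\.", re.I)),
    ("account_signup", re.compile(r"verify your (email|address)|confirm your (email|address)|welcome", re.I)),
    ("bank_contact", re.compile(r"\bwire\b|bank\.|account statement", re.I)),
]


def classify(raw: str):
    """Return (sender_domain, category) for one raw message; category is None if unremarkable."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}\n{domain}"
    for category, pattern in RULES:
        if pattern.search(text):
            return domain, category
    return domain, None


def inventory(messages):
    """Group sender domains by exposure category; unmatched mail is ignored."""
    found = {}
    for raw in messages:
        domain, category = classify(raw)
        if category:
            found.setdefault(category, set()).add(domain)
    return {k: sorted(v) for k, v in sorted(found.items())}


def exposed_services(messages):
    """Distinct services whose account the mailbox owner can reset or unlock.

    Bank correspondence is reported separately: it enables impersonation rather
    than a direct account takeover, so it is not counted here.
    """
    inv = inventory(messages)
    services = set()
    for cat in ("password_reset", "account_signup", "license_key", "cloud_storage", "recovery_address"):
        services.update(inv.get(cat, []))
    return sorted(services)


if __name__ == "__main__":
    for category, domains in inventory(SAMPLE_MESSAGES).items():
        print(f"{category:18s} {', '.join(domains)}")
    print("services controlled via this inbox:", exposed_services(SAMPLE_MESSAGES))
```

The rule list is deliberately ordered so that a reset notice is never misfiled as a sign-up, and the "recovery email" category is what tells you whether this mailbox is also the backdoor into a second account, the scenario the post warns about.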
Until recently, some of the Web’s largest providers of online services offered little security beyond a username and password. Increasingly, however, the larger providers have moved to enabling multi-factor authentication to help users avoid account compromises. Gmail.com, Hotmail/Live.com, and Yahoo.com all now offer multi-step authentication that users can and should use to further secure their accounts. Dropbox, Facebook and Twitter also offer additional account security options beyond merely encouraging users to pick strong passwords.
Of course, all of this additional security can be defeated if the bad guys gain control over your machine through malicious software. To keep your computer from being compromised, consider adopting some of the recommendations in my Tools for a Safer PC primer.
You forgot to add a little espionage/NSA section in the diagram…;-)
and Russian, Pakistani, Iranian, and Chinese espionage as well….. who have way more of a presence online than the USA does.
Piss off you ignorant american scum
Really? How eloquent of you to purvey your thoughts. I can’t imagine how well you do in real life.
Except they don’t really need to do any hacking to get your stuff.
They just logon to the server.
That’s actually not true. If you’re talking about the false reports by Glenn Greenwald….the only reporter who has yet to correct his reporting on this.
In regard to Google, Yahoo etc… They are not hacking…and they are not directly logging into their servers either. They are asking for the data, and the companies are handing it right over.
Not to say that the NSA isn’t hacking people….
But I’m more worried about Timothy Thorn hacking me…lol
There is nothing whatever false in Glenn Greenwald’s reports.
Specifically, the term “direct access” does NOT NECESSARILY mean physical access to the relevant servers on premises OR remote access to those servers via a dedicated connection to the Federal agency. That has been made clear. Such access can be via direct physical access by Federal agents on terminals supplied by the institution, access within the institution by Federal agents accessing subnetted servers (as opposed to primary servers) holding the desired information, or access via deep packet inspection via those companies’ Internet or telecom providers.
ALL of those means have been reported on in the past at one or more of the companies cited.
The statements by the Internet companies cited in the press were carefully crafted by lawyers to basically say nothing. The same is true of statements made by the government.
You don’t build a $1.5 billion data center in Utah and ANOTHER $850 million data center back east just to tap the phones of a few thousand “terrorists” overseas.
Most of America is not a computer nerd. Direct Access is a very misleading term. Glenn Greenwald knows what words can do and he knew exactly what he was inciting.
An example is the above poster who thought they were actually logging into Verizon’s servers lmao.
It has been made clear? Where? The NSA does not have remote access to Verizon. This isn’t CHINA.
Please link some articles describing how the NSA has direct access to terminals at Verizon. Nonsense.
Next you’re gonna tell me China has no control of Hong Kong, they have freedom of speech and no one spies on the internet. Ya ok…..
You apparently have trouble using words or understanding them.
Nowhere did I say that the NSA has direct terminals into Verizon.
I said that is one of the POSSIBILITIES for ANY of these companies.
Try to keep up.
lol. So now it’s just one of the possibilities. You think they are just gonna ruin Verizon’s and Google’s bandwidth like that? I really do believe they are only getting metadata, and it is coordinated on separate channels.
Well, now you can see how misleading even your words can be. That is what one of the above posters actually believes…and sounded like what you believe too. That is what Greenwald implied.
Greenwald knew exactly what he was saying to the public….
Could you please stop posting? You spew your opinions like they’re gospel truth and seemingly carry on conversations with nobody but yourself. Do everyone and Mr. Krebs a favor and go away.
Ya np, this is the last blog post I comment on…
Haha, absolutely correct. Latest events and news coming from Hong Kong confirmed the Conspiracy Theory that Uncle Sam watches all of us, 24/7.
Too funny. I see this post right after a cousin messages me on fb saying his email got hacked lol.
Great article though Mr. K. I know Google uses cell phones to text account activation codes too now. They were the first. I also see some shady sites use this method also. Like the ones that promise you get to keep a free phone or laptop for testing it out, but want you to sign up for other promotions with your credit card. They also ask for the cell number to text to before you even get that far.
I think maybe all sites might do this just to change passwords in the future. I always say it should be mandatory for gaming sites to keep most undesirables out.
I just realized too, on most email sites now, even Yahoo, it’s an option; I almost never put my cell number in though. But maybe I should before a hacker puts his in? lol
I mean apparently the professional hacker voksalna says cell phones can’t be spoofed. If that’s true I don’t see a better way then.
Trying to troll me into responding by pointing out that you’re putting words into my mouth that I never said? Of course it’s possible.
Message for 12 June.
I’m not sure Yahoo is even using it to text codes to though, which is why I didn’t bother.
Well, there’s ways around 2-step verification too, or have we forgotten about Eurograbber?
and emails, oh well, if you ever lose anything you just call NSA to recover your lost emails.
what about texting codes to cell phones?
Would you please post or post the link to the recommended security procedures for banks. I would like to run it by my bank and cannot find the posting on your site.
You mean this?
Would you please repost or post the link for your article on security procedures for banks. I have been unable to retrieve it and wish to run it by my bank.
You can also test your bank’s website server security….at ssllabs.com. If they are not rated A+ tell the bank.
but use the url of the site after you login, which is prolly diff.
My bank rates as “A”
I think to get it A+ has something to do with supporting older browsers or something. I forget. But if your browser is up to date it shouldn’t be a problem.
You could send the report to your bank anyways…it might become A+ 🙂
I’ve seen email, PayPal and credit card dumps being stored on the same compromised virtual hosting account as phishing scams. It always amazes me how people will just give up their information without looking to see if it’s the real legitimate site. If you are foolish enough to just give up your information without any thought of what you’re doing, then why should other people have any sympathy for you if your data gets resold on the black market?
Don’t get me wrong here, I would rather see internet users be protected but why should other people care, if you are ignorant about internet security and don’t properly protect your personal data at all times.
P.R.I.S.M Protect Responsibly your Internet Storage of Messages
To Mr John Senchak. I understand your frustration and I too used to believe it as well. But after reading Mr Rick Wash’s Folk Model theory I’m a changed person. You see average users have their own concept of computer security and for the most part it is distorted or doesn’t show the full picture. What needs to be understood is that regardless of what knowledgeable security people say, these people will follow their own model of computer security even if it is 99% wrong! (Even if some of their ideas are quite correct but their understanding is wrong)
The question is how do we change their folk models (if that is even possible) or at least formulate a solution that is both secure and conforms to these models?
We seem to think average users are stupid. But that is not necessarily correct, they have their own views about what they understand as security which is influenced a lot by the media, maybe we need to influence the media into explaining more to average folk than the usual ‘teen hacks blah blah blah’ story they love to talk about.
Source: (The Folk Models-Very interesting Read!)
So maybe like Hitler… You should mass exterminate all stupid people for a better race? Matter of fact, why give healthcare to unhealthy people, maybe we should just let them die. It’s prolly their fault they don’t exercise.
The “let’s blame the user” mentality….is barbaric. And it has to end.
PRISM does not have direct access to Google’s or Verizon’s terminals. I doubt they are logging in at will. It’s prolly more like an ftp site they are uploading stuff to.
SHAME on the Guardian for implying that.
Show me an article in the past that says anything remotely similar. I don’t even think Verizon was fully cooperating with the government in 2006….when this story was first broken by USA Today. But because hackers are such a problem now, I’m sure they are just sending everything over with no questions asked now.
The “bad guys” are the U. S. Government. I am more worried about the U. S. Government than any hackers at this point. The U.S. Government is the best example of a “crime shop”.
Maybe so, but keeping the government out of your communications may be a lot harder than simply securing your email from financially-motivated hackers.
I wonder how many people who are upset over the extent of the recent revelations of USG snooping are regular users of encryption. My guess would be very few.
I suspect that for the average person whose emails are basically pretty boring, they are more freaked out at the idea of everything they’ve ever written being saved, long after they have forgotten writing it.
And maybe years from now being asked things like, “Are you now, or have you ever been, a Tea Party member?”
If they’re only tracking the metadata then encryption doesn’t matter, you still need covert channels and other methods of obfuscation to hide who you’re talking to, when, from where, etc. (i.e. Tor)
That’s like saying you are more afraid of SWAT teams breaking into your house than burglars. And while that may hold some truth it is no reason at all not to protect yourself against burglars.
The bad guys to me are anyone we consider bad guys in real life; the internet is just another world environment that is in barbarian times.
besides radical muslim terrorists…
What about corporations selling your info to ad agencies or for other purposes, email spammers/hijackers, vigilante hackers who are making sure you’re not a criminal, religious nuts making sure you’re not a pedophile or possessed by Satan…lol. Hackers trying to rob you or steal your identity. Scumbags trying to ruin your PC for fun! (prolly sore loser gamers) Drug dealers hiring hackers to make sure you’re not a cop or snitch. Sexual predators…..other countries like China, Russia, Pakistan, Iran, spying on us for state reasons….etc…..
These countries actually read our emails more than the gov’t hahaha.
And if you think you have any tools to encrypt that the gov’t can’t crack you’re delusional. But protecting yourself from thieves or other spies is totally understandable.
Just corporations stealing corporate secrets could hurt our country in the long run. They’re shipping too many jobs overseas as it is.
That is because encryption is too confusing for the average person. I know more than one person who still cannot figure out how to setup their voice mail for their cell phone or how to retrieve their messages. How much would it cost to have an IT security technician setup ones computer, cell phone, etc, for secure communication to include encrypting files, setting up a VPN, router security, FreeBSD, etc?
That’s right. Encrypting email on one’s own end is useless if no one you email TO can support it.
Email encryption has never taken off and I don’t expect it ever will until it’s massively dumbed down and directly supported by all email platforms.
Unless it’s automatic and ubiquitous, it’s useless.
I’ll grant you that email encryption isn’t as easy as it should be (it’s not grandma or mom-friendly) but it’s not rocket surgery either.
I find that simply using stuff like OTR (off the record plugin) for online conversations (XMPP, Jabber, AIM, etc) does wonders for spreading the word about these protections.
OTR, wow, that brings back memories; I used to do that with Pidgin years ago, and PGP encryption when uploading files. I doubt most people would bother though, and believe it or not most people don’t care. They are more concerned about their credit card getting stolen.
I mean maybe this will stop the gov’t from randomly targeting you, which would be strange in the first place. But if you are already targeted by the NSA…I doubt any of this would be a hurdle for them.
I rest my case…
Guardian reporter delayed e-mailing NSA source because crypto is a pain
I remember sending you a GPG key and you emailed me plaintext. 😉 People take the easiest route by default, not the most secure — even when they know better.
Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away?
The problem is that anything encrypted will make a person targeted by default. It’s another of the treacherous aspects of ‘if you have nothing to hide…’ — when it gets turned around it becomes ‘only someone with something to hide…’
The encryption keys stored on your computer are unsafe, too.
wow, but be careful when make this, your email may be used for hack http://www.sloupok.com/how-i-make-mass-mailing/
Wow this is news to me. Sweden and Britain have also been spying on emails since 2008…
Here’s a quote from General Alexander. “The great irony is we’re the only ones not spying on the American people,” he quipped.
Almost 60% of the population is ok with these measures, even with all the media propaganda against it. Amazing. Probably because most American people have been victimized or have had bad experiences online, or know someone who has.
I’m sure we all figured they were already spying on our emails anyways.
So I hope this traitor feels like an idiot for exposing something we’ve known about for 7 years. He should have known better and I find it very suspicious. I think like most hackers he’s probably a little delusional, the way he embellishes. And I wonder if our enemies didn’t get to him to use as a propaganda tool.
Surprisingly enough it doesn’t appear that Mr. Snowden made a meaningless gesture.
In the past when issues such as these come to light they have, by the people I’ve known outside the security community, been disregarded as either conspiracy theory or responded to with “if you have nothing to hide …” rhetoric.
The recent interest in IRS email interception (something I would imagine most readers of security blogs weren’t surprised to hear about), especially since it served as a platform for criticizing the US Admin., was seemingly close-to-home enough for ‘mainstream media’ to champion instead of under-the-rug-sweeping the issue. Although, as you say, people may have known or heard whispers about these programs in the past, his whistle-blowing at this time has made an interesting and notable stir. It could also have an effect on the proceedings concerning Mr. Manning, which will set precedent for how whistle-blowing is viewed by courts.
Why do you refer to him as a hacker, by the way? For being involved in infosec? Then I would imagine your broad judgement of the people in the profession extends to those who design and operate the systems in question.
This is complete BS. Snowden is clearly a patriotic American who understands the proper limits of government better than you rightwing fanatics do.
Not only does the government have no business doing this under the Constitution, it’s utterly ineffective as a means of combating terrorism as Bruce Schneier and many others have repeatedly pointed out.
I’m actually a Democrat. I have no problems with it. They have been doing it for 8 years. Since 9/11 I have not noticed any difference in anybody’s life.
I’ve seen some people affected by it on the news, but nobody I didn’t think deserved it.
I find it baffling this kid thinks he’s exposing something everybody has known for 7 years. Keeps mentioning it’s for the good of the public, but most of the public is ok with it?!?? BECAUSE NO ONE DISREGARDED IT AS CONSPIRACY, WE ALREADY ASSUMED IT WAS GOING ON!!!! We needed proof? Are you being serious? You didn’t know the gov’t was reading people’s emails and collecting phone records? Come on man.
He’s a contractor.. I don’t even know if I should consider him a Gov’t employee. I can’t believe they give them so much clearance. I think the problem is we are hurting for manpower. And this hacker mentality that hackers don’t go after other hackers means they either become criminals or go to security firms…etc….no one goes for civil service. It probably pays less too.
I hope he doesn’t have ideas of working for China now haha. Even Julian Assange was baffled by that choice of countries.
I really do believe he fled the country for some other reason man and this is all just a cover. I just can’t figure it out; it makes absolutely no sense to me at all. He exposed nothing. That should be obvious by now from America’s reaction.
And I hope he’s just embellishing like most delusional hackers about knowing every single intelligence agent in the country, or being able to listen to any phone convo at the push of a button….lmao…. the kid is sketchy to me.
I find it interesting how this issue crosses political boundaries. I’m far right wing and I think he’s a hero.
Supporters of the spying should go read the writings of Thomas Jefferson as homework.
How would you know how Thomas Jefferson would react to this? These are different times. They had spies back then too. And if you think this is tyranny and a reason for revolution, why don’t you try living in China and Russia, the countries who are spying on you more than the US Gov’t, and then come back and tell me about how tyrannical our Gov’t is….
BK is a spy yet you read his blog? You support his blog, don’t you? You’re confused.
America needs more of a computer education, or to get informed, more experiences online, and then maybe they would just call it policing instead of spying…
Actually most of America supports this already….
What exactly would someone do with a hacked United account? Book flights? Transfer out points? I can’t quite figure out the value in that one.
Me either… steal credit card information? Book flights with the credit card linked? I don’t know.
Beyond that, awards fraud is a big deal. But more on that in a future post 😉
Sure. I’ve written about services in the underground that are basically full-fledged travel agencies, only they book the hotel, car rental and yes even flights with stolen cards and then charge the buyer about 30 percent of the cost of the charge.
There isn’t just one of these shops: This is a fairly common service to find.
Brian, while I always understood the possible criminal lure of ‘carding flight tickets’ in the 1990s it seems a bizarre choice today unless people do not know they’re buying things charged on stolen credit cards; with everything the way it is at airports now, it would be hard to say which would be bigger obvious risk — arrested for assumed name, or arrested under own name for travelling with carded tickets.
I find this one of the more bizarre things that people will do. Don’t they get caught?
Miles seem more likely for ‘real goods’ to drop addresses — is this a reasonable assessment?
Carding in general is a fairly risky proposition. In this case, I’ve read a large number of the sales threads and almost everyone asks these very questions. Usually the responses come in from repeat customers who say they’ve never been stopped, or if they did get stopped would just play dumb and say they bought the tickets from a web-based travel agency. I recall reading a feedback from a repeat buyer who said that his return ticket was found out to be invalid but that the airline allowed him to continue by merely purchasing another ticket for that leg of the trip.
I wonder if the airlines keep notes on cards used and/or names previously caught for this. I could perhaps see somebody ‘getting away with’ this one time (and that seems to require very ‘steel balls’ to me), but surely repeats are noticed?
You forgot: Sometimes lots of logins for pr0n sites 😛
I feel bad for u hope u feel betta
Great article Brian.
I think this a great illustration of why people should take more care of their email accounts.
In fact, a technique I highly recommend is creating a separate email account that controls access to your critical online accounts AND is NOT used for anything else.
No personal emails, no subscriptions, nothing.
I have one of these accounts, and other than sending verifications for account creations — this email never has outgoing emails.
This email account requires multi-factor auth AND I do not have access to it via any mobile device.
The thing is, this is much easier than it looks and I rarely get an email to that account. Phishing attacks have not happened yet and it keeps my critical accounts “safer” from attack.
Just something I have been using for a few years that others may find useful.
My brother suggested I might like this website. He was entirely right. This post truly made my day. You can’t believe simply how much time I had spent for this information! Thank you!
Forgive me if it has been said, but one simple solution may be to pay for an email server (i.e. GoDaddy) and set up a catch-all email account. Then, when signing up for any service, forum etc., use some email@example.com. All mail goes in, but should anyone attempt to hack that account they will find it does not exist.