Many of us have had the experience of receiving a spammy email from a friend or loved one, only to have a frantic follow-up note arrive a few minutes later from that person stating that his or her email account was hacked and warning us not to open or respond to any of the messages sent by the intruder. To be sure, this is an alarming situation for many users. But the scarier truth is that if your inbox (or your phone, tablet, Twitter or Instagram account, anything really) gets hijacked by modern cyberthieves, spewing spam is about the most innocuous thing that can happen to it.
The following post is an excerpt from Spam Nation: The Inside Story of Organized Cybercrime by Brian Krebs.
The true value of your email account to crooks is not merely in its ability to pump spam or even forward malicious software and viruses to your entire contact list. Depending on what you do with your account and how long you’ve had it, your inbox could be worth far more than you imagine.
For example, sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who is in control of that address can reset the password of any associated services or accounts — merely by requesting a password reset email. Got your retirement fund, bank account, or insurance plan tied to that inbox? An attacker in control of your email account — either via phishing you or installing malware on your system — can simply visit the websites that manage those accounts, request a password reset, click a link in an email, and change your passwords (and they will start with your email password)!
Even if the person who hijacks your inbox doesn’t have the time or inclination to seize control over all of your associated accounts, he likely knows that those accounts have a resale value in the cybercrime underground. How much are these associated accounts worth? There isn’t exactly a central exchange for hacked accounts in the underground, but recent price lists posted by several ne’er-do-wells who traffic in non-financial compromised accounts offer some insights.
Several bad guys in the underground will sell purloined usernames and passwords for working accounts at overstock.com, dell.com, and walmart.com, all for two dollars each, for example. Other sellers peddle accounts at fedex.com and ups.com for five dollars a pop, and Apple iTunes accounts starting at eight dollars. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.
Some crime shops go even lower with their prices for hacked accounts, charging as little as three dollars for active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com and target.com, to name just a few. This may sound like peanuts and hardly worth the bother, but remember that the bad guys engaged in this activity very often run large botnets, meaning they can gather this information from hundreds or thousands of hacked computers simultaneously.
Even if your email isn’t tied to online merchants, it is probably connected to other accounts you care about. Hacked email accounts are not only used to blast junk messages. They are harvested for the email addresses of your contacts, who can then be inundated with malware, spam, and phishing attacks. Those same contacts may even receive a message claiming you are stranded and penniless in some foreign country, and asking them to wire money somewhere. Trust me, countless people actually follow through on these fake pleas for help and wire money straight into the pockets of these cyberthieves.
If you’ve purchased software, it’s likely that the licence keys to those software titles are stored somewhere in your email messages. Do you use online or “cloud” file storage services like Dropbox, Google Drive, or Microsoft SkyDrive to back up or store your pictures, files, and music? The key to unlocking access to those files also lies in your inbox.
And worst of all, if your webmail account gets hacked and was used as the backup account to receive password reset emails for one of your other accounts, guess what? Attackers can now seize both accounts.
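To make the reset chain described above concrete, here is an added example (not from the book) that treats password-reset relationships as a graph and works out how far a single hijacked inbox reaches, including the backup-inbox case. The account names and addresses are constructed for illustration.

```python
# Added example, not from Spam Nation: "blast radius" of one hijacked inbox
# once password-reset emails are chained. All names below are constructed.
from collections import deque

# Each account maps to the address that receives its password-reset email.
# Mail accounts can themselves name a backup address, as the excerpt warns.
RECOVERY = {
    "bank":                     "alice@example.com",
    "retirement":               "alice@example.com",
    "shop":                     "alice@example.com",
    "alice@example.com":        "alice.backup@example.net",  # backup inbox
    "alice.backup@example.net": "alice@example.com",         # ...and vice versa
    "work-vpn":                 "alice@corp.example",
    "alice@corp.example":       "hardware-token",            # no email reset path
}

def reset_targets(recovery):
    """Invert the map: inbox -> accounts whose reset mail lands in that inbox."""
    targets = {}
    for account, inbox in recovery.items():
        targets.setdefault(inbox, []).append(account)
    return targets

def blast_radius(compromised_inbox, recovery=RECOVERY):
    """Every account an attacker holding `compromised_inbox` can take over by
    chaining password resets (breadth-first over the reset relationships)."""
    targets = reset_targets(recovery)
    owned, queue = {compromised_inbox}, deque([compromised_inbox])
    while queue:
        inbox = queue.popleft()
        for account in targets.get(inbox, []):
            if account not in owned:
                owned.add(account)
                queue.append(account)  # a captured mail account is a new inbox
    return sorted(owned - {compromised_inbox})

def safe_from(compromised_inbox, recovery=RECOVERY):
    """Accounts whose reset chain never passes through the compromised inbox."""
    reachable = set(blast_radius(compromised_inbox, recovery))
    return sorted(set(recovery) - reachable - {compromised_inbox})

if __name__ == "__main__":
    print("hijacked alice@example.com ->", blast_radius("alice@example.com"))
    print("hijacked backup inbox      ->", blast_radius("alice.backup@example.net"))
    print("unaffected                 ->", safe_from("alice@example.com"))
```

Because the two mail accounts back each other up, losing either one hands over everything tied to both; only accounts whose recovery path avoids email entirely stay out of reach.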
Hopefully, it’s clear by now that keeping thieves out of your inbox is worth making the effort to take a few precautions. Fortunately, some simple tips and actions can help you maintain control over your email account — as well as lock down the system you use to access that account.
Until recently, some of the web’s largest providers of online services offered little security beyond requiring you to enter a username and password. Increasingly, however, the larger providers have moved to enabling multifactor authentication to help users avoid account compromises. Gmail.com, Hotmail/Live.com, and Yahoo.com all now offer multistep authentication that users can and should use to further secure their accounts. These typically send a numeric code via text message or smartphone app that must be entered along with your username and password. The code is sent and requested any time a suspicious login is detected — such as a login attempt from a computer or Internet address not normally associated with your account.
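The step-up behaviour described above, as an added example that is not from the book or any provider's code: a login check that accepts the password alone from a familiar address, demands a second factor from an unfamiliar one, and verifies the smartphone-app code. It assumes the app code is a standard RFC 6238 TOTP value; the account record, salt and addresses are constructed.

```python
# Added example, not from Spam Nation: risk-based second factor on login.
# Assumes the authenticator app produces RFC 6238 TOTP codes (SHA-1, 6 digits).
import hashlib, hmac, struct

SALT = b"constructed-salt"   # a real system uses a random per-user salt

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30) -> str:
    """RFC 6238 code for the 30-second window containing time `at`."""
    return hotp(secret, int(at // step))

def totp_valid(secret: bytes, code: str, at: float, skew: int = 1) -> bool:
    """Accept the current window and `skew` windows either side (clock drift),
    comparing in constant time."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-skew, skew + 1))

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed account record: password hash, enrolled authenticator secret,
# and the addresses this account is normally used from.
ACCOUNT = {
    "password_hash": hash_password("correct horse"),
    "totp_secret": b"12345678901234567890",   # the RFC 6238 test secret
    "known_ips": {"203.0.113.10"},
}

def login(account, password: str, source_ip: str, code: str, now: float) -> str:
    """Returns 'ok', 'denied' or 'second_factor_required'; `code` is the
    six-digit app code, or '' when the user has not supplied one yet."""
    if not hmac.compare_digest(hash_password(password), account["password_hash"]):
        return "denied"
    if source_ip in account["known_ips"]:
        return "ok"                        # familiar address: password suffices
    if not code:
        return "second_factor_required"    # unfamiliar address: ask for the code
    if totp_valid(account["totp_secret"], code, now):
        account["known_ips"].add(source_ip)   # remember the now-verified device
        return "ok"
    return "denied"
```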
Dropbox, Facebook, and Twitter offer additional account security options beyond merely encouraging users to pick strong passwords. To check if your email or social network or other communications provider allows you to supplement your account security with two-factor authentication, check out the website twofactorauth.org. If your provider is listed with a check mark, click the icon under the “Docs” column next to that provider for a link to instructions on how to configure and enable this feature.
For tips on how to better protect your inbox and improve your cybersecurity, read the rest of Spam Nation by Brian Krebs or check out the author’s blog, Krebs on Security. Or check out Gizmodo’s posts on how to enable two-factor authentication on all your accounts and how to encrypt everything.
Picture: Michael Hession