For attackers looking to take control of a victim’s online presence, there is no better place to start than the target’s email account. If you own the email, you own the person. That’s never been more true than today, with so many social networks, services and shopping sites attached to users’ email addresses. New research done by Lucas Lundgren of IOActive shows just how simple it can be to get control of a target’s email account, and from there, everything else.
For many people, their personal email account is where they store their lives. Bank statements, bills, personal correspondence, work files, anything you can get in electronic form can often be found in a given target’s email inbox. And a large number of email systems protect users’ inboxes with nothing more complicated than a simple password. Gmail is one notable exception, with its two-factor authentication option that enables users to employ a mobile app to generate one-time codes that they use in addition to their passwords. But, that’s an option and not mandatory, and for many users just looks like an annoyance on the way to getting their email.
Knowing all of this, and knowing a lot more about security than most people do, Lundgren decided to run a little research project to see how easily he could get into some volunteers’ email accounts. Targeting friends and family members who had agreed to the experiment, Lundgren found that with just the data he gathered online from Facebook and other sites, he had little trouble getting into the inboxes. The best mechanism, in most cases, was the password-reset function on various sites and email services.
Lundgren’s first target was a friend who uses Gmail. While trying a password reset on the account, Lundgren found that his friend also had an old Hotmail account, but he didn’t know the address. So he checked the target’s Facebook page, with no luck. Next, he looked through the friends listed on his target’s profile page and found one who was sharing a picture of her and the target from high school. Using the same photo she had on her real page, Lundgren made a fake Facebook profile for her and then sent a friend request to his target. The request was accepted quickly, which then gave Lundgren the ability to view his target’s email address, which had been private.
He then executed the password reset on the target’s Hotmail account, but was prompted to answer the security question, which was the target’s mother’s maiden name. A quick check of the target’s Facebook profile gave him that information and Lundgren was able to reset the password for the Hotmail account. From there, it was on to the real goal, his Gmail account. A password-reset request for the Gmail account generated an email that was sent to the compromised Hotmail account, giving Lundgren the ability to change the Gmail password and take over the account.
“Now for the gold: his Facebook. Using the same method there, I gained access to his Facebook; he had Flickr as well…set to login with Facebook. How convenient. I now own his whole online “life.” There’s an account at an online electronics store; nice, and it’s been approved for credit,” Lundgren wrote.
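The chain above is easiest to reason about as a graph: each account has recovery routes (a security question, a reset link sent to another mailbox, a “log in with” provider), and once one node falls, everything whose recovery depends on it follows. The script below is an added example written for this article, not Lundgren’s or IOActive’s code; the account names, the route types and the single OSINT fact are constructed to mirror the story, and the `needs_second_factor` flag is an assumption standing in for the two-factor option mentioned earlier. It computes the full takeover set from a starting set of facts, then shows how putting a second factor on the recovery path of one mailbox cuts the chain.

```python
"""
Model an account-recovery dependency graph and compute the attacker's blast radius.

Each account lists the ways control can be gained WITHOUT knowing its password:
  kind="question"       dep=<OSINT fact>   answering a security question
  kind="recovery_email" dep=<account>      reset link delivered to another mailbox
  kind="sso"            dep=<account>      "log in with" another account
A route flagged needs_second_factor is unusable here: the attacker has
facts and mailboxes, not the victim's phone.
"""
from collections import namedtuple

Route = namedtuple("Route", "kind dep needs_second_factor")


def route(kind, dep, needs_second_factor=False):
    """Small constructor so the graph below reads cleanly."""
    return Route(kind, dep, needs_second_factor)


# Constructed example modelled on the chain described in the article.
# Names are illustrative, not the researcher's actual targets.
ACCOUNTS = {
    "hotmail":  [route("question", "mothers_maiden_name")],
    "gmail":    [route("recovery_email", "hotmail")],
    "facebook": [route("recovery_email", "gmail")],
    "flickr":   [route("sso", "facebook")],
    "estore":   [route("recovery_email", "gmail")],
}


def takeover_closure(accounts, known_facts, owned=()):
    """
    Return {account: how_it_fell} for every account the attacker ends up
    controlling, starting from a set of OSINT facts and any accounts already
    held. Runs to a fixed point, so the order accounts are listed in does
    not matter.
    """
    owned = {a: "already controlled" for a in owned}
    progress = True
    while progress:
        progress = False
        for acct, routes in accounts.items():
            if acct in owned:
                continue
            for r in routes:
                if r.needs_second_factor:
                    continue  # reset also needs a one-time code the attacker lacks
                if r.kind == "question" and r.dep in known_facts:
                    owned[acct] = f"security question answered with fact '{r.dep}'"
                elif r.kind in ("recovery_email", "sso") and r.dep in owned:
                    owned[acct] = f"{r.kind} via compromised '{r.dep}'"
                else:
                    continue
                progress = True
                break
    return owned


def blast_radius(accounts, known_facts, owned=()):
    """Sorted list of every account reachable from the given facts/accounts."""
    return sorted(takeover_closure(accounts, known_facts, owned))


def with_second_factor(accounts, acct):
    """
    Copy of the graph in which every recovery route into `acct` also demands a
    second factor. Used to show which single hardening step breaks the chain.
    """
    hardened = dict(accounts)
    hardened[acct] = [r._replace(needs_second_factor=True) for r in accounts[acct]]
    return hardened


if __name__ == "__main__":
    facts = {"mothers_maiden_name"}  # the one thing read off the Facebook profile
    for acct, how in takeover_closure(ACCOUNTS, facts).items():
        print(f"{acct:9s} <- {how}")
    print("with 2FA on gmail recovery:",
          blast_radius(with_second_factor(ACCOUNTS, "gmail"), facts))
```

Run as-is, the first loop walks the whole chain from a single maiden name; the last line shows that requiring a second factor on Gmail’s recovery route leaves the attacker holding only the Hotmail account, because Facebook, Flickr and the store all sat downstream of Gmail.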
These attacks don’t require any real technical knowledge, just an understanding of the way that Web sites handle user password-reset requests and the patience to comb through a target’s online life to find the right bits of data. Too many people rely on the Web sites they visit to protect them, a serious mistake, Lundgren said.
“Most major sites are protected with advanced security appliances and several audits are done before a site is approved for deployment, which makes it more difficult for an attacker to find vulnerabilities using direct attacks aimed at the provided service. On the other hand, a lot of companies forget to train their support personnel and that leaves small gaps. As does their way of handling password restoration. All these little breadcrumbs make a bun in the end, especially when combined with information collected from other vendors and their services—primarily because there’s no global standard for password retrieval. Nor what should, and should not be disclosed over the phone,” Lundgren wrote.
“You can’t rely on the vendor to protect you—YOU need to take precautions yourself. Like destroying physical papers, emails, and vital information. Print out the information and then destroy the email. Make sure you empty the email’s trashcan feature (if your client offers one) before you log out. Then file the printout and put it in your home safety box. Make sure that you minimize your mistakes and the information available about you online. That way, if something should happen with your service provider, at least you know you did all you could. And you have minimized the details an attacker might get.”
Some of the details might seem mundane, but for attackers, they’re the keys to success.
This article was updated on August 21 to correct the name of the researcher who performed the research.