The State of Hacked Accounts www.cyberoam.com
Securing You www.cyberoam.com
The State of Hacked Accounts - October 2011
Overview
The use of compromised (e.g. stolen credentials or hacked) accounts to send spam and scams has increased throughout 2011 to become a growing percentage of the unwanted email that is being sent by spammers. Commtouch tracks spam, malware and Internet threats through the billions of Internet transactions it sees daily in its cloud‐based GlobalView Network. Earlier this year, Commtouch Labs identified the trend of the increasing use of compromised accounts to send spam and malicious email messages; as a complement to the data gleaned from Commtouch’s bird’s eye view of global email traffic, the following end‐user research was compiled, in order to explore issues related to the theft, usage and recovery of these compromised accounts. This document reviews the survey and its results, shares some data from the GlobalView Network, and includes tips for users to prevent their accounts from being hacked or compromised.
Introduction
The Changing Spam Landscape
In March 2011, the Rustock botnet, which was responsible for over 30% of global spam, was taken down by a Microsoft‐led consortium. In the past, botnet takedowns have resulted in temporary drops in spam levels followed by sustained increases, as spammers created new botnets and resumed their mass mailings. The months following the takedown have not exhibited this pattern, however, with spam levels dropping to their lowest levels in several years. This sustained drop indicates that spammers are rethinking the use of large botnets for spam and scam emails as these become less profitable. There are two main reasons for the drop in profitability:
1. Botnets can be taken down (and other high‐profile botnets aside from Rustock have been), instantly destroying vast amounts of spam‐sending infrastructure.
2. IP reputation based anti‐spam has become very effective at blocking spam originating from botnets, with typical success rates of 85‐95%.
The first issue can be partially sidestepped by running many small botnets. This does not however resolve the second issue – how to bypass IP reputation systems.
Spammers Switch Tactics
In order to bypass the issues with sending spam from botnets, spammers are increasingly moving their traffic from botnets to compromised email accounts wherever possible. The blocking of spam from compromised accounts is more difficult for many anti‐spam technologies, since these accounts exist within whitelisted IP address ranges (such as Hotmail or Gmail), thereby neutralizing the effect of any solution based on IP address blocking (aka “IP Reputation”). Naturally spammers can set up their own accounts rather than compromising others, but email providers obstruct this phenomenon to the best of their ability.
The other advantage of a compromised account is that recipients are often more trusting of the information since it comes from a known source.
Compromised accounts do, however, present two main disadvantages for spammers:
1. They can only be used for relatively small spam runs of a few hundred or thousand messages without being detected by the provider. This does partially account for the reduced spam levels.
2. The accounts need to be compromised/hacked/stolen first.
The new spammer tactic therefore favors compromised accounts delivering smaller volumes of spam – with a better delivery rate.
Increased Use Of Compromised Accounts
The increased preference for compromised accounts is illustrated by the graph below, which compares the percentage of spam received over sample periods in Q2 and Q3 2011 where the “from” field includes “Gmail” or “Hotmail.”
Based on the IP address, received spam could either be:
• Sent from a zombie with a phony Gmail or Hotmail address in the from field
• Or, sent from a compromised or spammer account at Gmail or Hotmail
The collected data shows compromised accounts growing in Q3 for both Hotmail and Gmail. Between 28‐35% of the spam purportedly from Hotmail comes from real Hotmail accounts that have been compromised or set up by spammers. Gmail spam, on the other hand, is mostly (96‐97%) from zombies that simply forge Gmail addresses.
[Chart: Q2 and Q3 2011 analysis of spam “from” Gmail and Hotmail]
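The zombie-versus-real-account split described above rests on one check: does the sending IP belong to the provider named in the “from” address? The following is an added illustration, not Commtouch’s code; the provider address ranges and the spam records are constructed stand-ins (documentation networks), where a real classifier would load the provider’s published outbound ranges.

```python
import ipaddress
from collections import Counter

# Constructed provider sending ranges (RFC 5737 documentation networks), NOT
# the real Gmail/Hotmail ranges; a deployment would load these from provider data.
PROVIDER_RANGES = {
    "gmail.com": [ipaddress.ip_network("192.0.2.0/24")],
    "hotmail.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample of received spam: header "from" plus connecting IP.
SAMPLE_SPAM = [
    {"from": "Alice <alice@gmail.com>", "ip": "192.0.2.10"},     # real Gmail infrastructure
    {"from": "bob@gmail.com", "ip": "203.0.113.7"},              # zombie forging Gmail
    {"from": "carol@gmail.com", "ip": "203.0.113.8"},            # zombie forging Gmail
    {"from": "dave@hotmail.com", "ip": "198.51.100.5"},          # real Hotmail infrastructure
    {"from": "eve@hotmail.com", "ip": "203.0.113.9"},            # zombie forging Hotmail
    {"from": "frank@example.org", "ip": "203.0.113.10"},         # not a tracked provider
]


def from_domain(header_from):
    """Extract the domain from 'Name <user@domain>' or a bare address."""
    addr = header_from.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()


def classify(record):
    """'provider' = sent from the provider's own ranges (compromised or
    spammer-created account); 'forged' = zombie that only borrowed the
    address; 'other' = from-domain is not one we track."""
    ranges = PROVIDER_RANGES.get(from_domain(record["from"]))
    if ranges is None:
        return "other"
    ip = ipaddress.ip_address(record["ip"])
    return "provider" if any(ip in net for net in ranges) else "forged"


def summarize(records):
    """Per tracked domain: percentage of spam that really came from the
    provider's infrastructure (the figure the report gives as 28-35% for
    Hotmail and 3-4% for Gmail)."""
    counts = {}
    for r in records:
        domain = from_domain(r["from"])
        if domain in PROVIDER_RANGES:
            counts.setdefault(domain, Counter())[classify(r)] += 1
    return {d: round(100 * c["provider"] / sum(c.values()), 1)
            for d, c in counts.items()}
```

Because the forged share is blocked by IP reputation while the “provider” share is not, the second number is the one a mail filter has to handle with content and behavioural checks rather than sender reputation.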
Survey
The increase in the use of compromised accounts raises several questions:
• What accounts are targeted?
• How are the accounts compromised?
• Are the accounts used for other purposes besides spam and scams?
• How do users figure out that their account is compromised?
• How do users regain control of their accounts?
To better understand these issues, during September and October 2011, Commtouch initiated a public survey of email users who have had their accounts hacked or credentials stolen. The survey was publicized on Facebook, LinkedIn, Twitter, and the Commtouch Blog.
Which accounts were targeted?
Participants were asked which of their account(s) were compromised. Each of the large Webmail providers (Gmail, Yahoo, Hotmail and Facebook) attracted in the range of 15 to 27% of the attention from cybercriminals. This demonstrates that the value of a compromised account is in the “clean” IP address, rather than the specific domain of the address. From this point of view, all accounts have a similar value since it is from a well‐known domain. Among those who responded “other” were users of AOL, Comcast and several other providers.
How was the account compromised?
The majority of survey respondents – 62% – were not sure how their account was compromised, indicating that many people typically engage in risky online behavior without realizing it.
It is not always easy to figure out how an account gets compromised and retracing steps doesn’t always help. None of the respondents believed they had been phished or had been victims of a drive‐by download (by following a phony link). It is quite likely that many of the victims simply used easy‐to‐guess passwords. 15% recalled having used a public Internet terminal or public WiFi prior to the hack.
[Chart: Which account was compromised? – Gmail, Yahoo, Hotmail, Facebook, Other]
What was done with the stolen account?
The value of a stolen account is twofold – it provides a clean IP address, and in addition there is an element of trust that comes with a message since it is (in most cases) received from a friend or acquaintance. It is not surprising that most compromised accounts – 54% – are therefore used to send out spam. The second most common type at 12% is the “friend stuck overseas” scam that blatantly exploits the trust element. Examples of both of these types are provided here.
Of the 23% of respondents that did not know how their compromised account had been abused, it may be assumed that these were used for a mix of spam and scams.
[Chart: How was your account compromised?]
• I used a public computer or WiFi network (e.g.: Internet cafe)
• I opened a file that might have contained a virus (e.g.: an email attachment)
• I clicked on a link in an email that seemed legitimate (e.g.: an email from UPS or DHL with information about a package for you)
• I responded to a request to provide my username and password (someone phished your details)
• I clicked on a link I received from a friend in Facebook
• Not sure
• Other
[Chart: What was done with the stolen account?]
• Used to send spam promoting a product
• Used to ask my friends to send me money since I was “stuck in a foreign country”
• Used to send a phony message/wall post on Facebook
• Not sure ‐ I was just told it was compromised
• Other
How were the account owners made aware of the compromise?
In 54% of the cases, the compromised account owners learned of the breach from their friends; it seems no one is as good at pointing out people’s errors as their own friends (who also receive the spam and overseas scams). Users probably assume that Gmail, Yahoo, Hotmail and Facebook are keeping an eye out for hacks and other bad stuff. Or alternatively, some users might think that they will notice strange activity in their account as soon as it happens. The results though, indicate that “received an official email” (15%) and “I noticed it myself” (31%) are both far behind the rapid alert service known as good friends.
What action did account owners take to recover the account?
The modern equivalent of “changing the locks” seems to be the key to regaining control of an email account. Most users – 42% – seemed to solve the issue with just a password change and some of these added in an antivirus scan for good measure – an additional 23%. A surprising 23% of respondents did not do anything to remediate their account, and believed this was a one‐off event. Some of those who responded “other” had broached the issue with their email provider.
[Chart: How were you made aware of the compromise?]
• Friends told me after receiving a strange email or message
• Received an official email from Gmail, Yahoo, Facebook suggesting I change my password
• I noticed strange activity
• Other
[Chart: What action did you take to recover the account?]
• Changed my password
• Ran a virus check
• Both of the above
• Nothing ‐ it happened once and seems to be OK now
• Other
Preventing compromised accounts
As shown in the survey data, most users could not pinpoint the origin of the compromise. The following hints would probably have prevented many of the stolen accounts that were surveyed:
• Use passwords that are difficult to guess – no keyboard sequences (qwerty, 1234qwer, etc.), no birthdates, no common names. Mix numbers and capital letters.
• Use different passwords for different sites. If your Gmail is compromised then at least your Facebook or other accounts will be secure.
• Consider using a password manager that stores all your passwords, generates new ones, and syncs them between your different PCs, laptops, and tablets. Keep your master password complex and safe. We recommend thinking of a sentence that you will easily remember, and then taking the first letter of each word, and substituting numerals for certain letters. For example, if your easily remembered sentence is “roses are my wife Dierdre’s favorite flowers,” your password would start out as “ramwDff”, then you could switch certain letters with numbers, such as 4 for the letter A, 3 for the letter E, and so forth. This generates a random‐looking string that will be very difficult for anyone to guess, but fairly easy for you to remember.
• Think carefully before using a public Internet terminal – consider whether you really need to use these at all. If you do use one then remember to uncheck the “remember me” box when you log into your email or Facebook. Also – don’t forget to log out and close the browser window when you are finished.
• Don’t open email attachments or click on links in emails you weren’t expecting – like UPS delivery notices, invoices from online stores, hotel bill corrections, credit card error letters, etc. Treat all unexpected attachments as malware even if they appear to be “only” PDF, or Word, or Excel. There are common ways for a malware distributor to hide an executable virus inside what appears to be a PDF or Word document.
• Don’t follow links in Facebook that accompany some hysterical or generic text such as “check this out!!!!!”, or “Thought you might like this!!” Avoid Facebook links that promise some current event “scoop” such as “Amy Winehouse pictures!”, or “Osama bin Laden death video!”.
• To date, there is no Facebook application that allows you to see who has been viewing your page – never follow any link that promises this functionality.
• Never respond to a request for your password – no matter how official or urgent the email looks.
• If your email provider offers single‐use passwords (for example as Gmail does), implement it. In the case of Gmail, you can either download an application to your mobile phone that generates a single‐use password (a string of random numbers that changes every few seconds), or Google will SMS your phone with the password. In this way, if someone is determined to hack into your account, they will need to have access to your mobile phone as well.
Finally, be sure to set up a secondary email or phone contact for your Webmail accounts – this can be used to help you recover a compromised account.
Conclusions
Legitimate user Webmail and Facebook accounts are a valuable prize for spammers and scammers. The use of these for spam and scams is expected to increase and users should therefore take basic precautions when they access these in public domains as well as observing sound password management.
About Cyberoam
Cyberoam secures organizations of all sizes from SOHO, SMEs and large enterprises at the network gateway as well as corporate endpoints through its wide range of solution offerings that include: Cyberoam’s identity‐based Unified Threat Management (UTM) appliance, Cyberoam Central Console (CCC) for distributed enterprises and MSSPs, Cyberoam iView‐logging and reporting, Cyberoam SSL VPN and Cyberoam Endpoint Data Protection.
Cyberoam is a pioneer in the firewall‐UTM industry with its identity‐based Layer 8 threat management concept that utilizes the end user’s identity as the main security parameter, allowing IT managers to gain complete visibility and controls over online activities in the network. By bringing several additional solutions under its portfolio, Cyberoam has distinguished itself as a one‐stop, holistic security solutions vendor.
With over 25,000 deployments across 110+ countries, Cyberoam has established itself among the leading UTM players around the world, as noted recently in analyst Gartner’s 2010 Magic Quadrant for UTM where it scaled up its rankings in the “Visionaries” quadrant. Cyberoam’s global channel strength of 5000+ partners forms a strong basis for the player’s long‐term presence in developed and developing countries.
About Commtouch
Commtouch® (NASDAQ: CTCH) safeguards the world’s leading security companies and service providers with cloud‐based Internet security services. A cloud‐security pioneer, Commtouch’s real‐time threat intelligence from its GlobalView™ Network powers Web security, messaging security and antivirus solutions, protecting thousands of organizations and hundreds of millions of users worldwide.
Visit us: www.commtouch.com and blog.commtouch.com
Email us: info@commtouch.com
Call us: 650 864 2000 (US) or +972 9 863 6888 (International)
Copyright© 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero‐Hour and GlobalView are trademarks, and Commtouch is a registered trademark, of Commtouch Software Ltd. U.S. Patent No. 6,330,590 is owned by Commtouch.