Ransom-Mail: All Your E-Mails Are Belong to Us

Internet security company Websense has an interesting writeup about a unique form of cyber extortion that we can probably expect to see more of in the future, wherein attackers hold their victims' Web mail messages and contact lists for ransom.

Unlike previous extortion scams that scramble victims' data files and require payment for a key to unscramble them, this scheme involves the compromise of free Web-based e-mail accounts, Websense found.

"When end-users logged into their ... accounts (in this case Hotmail), they noticed that all their 'sent' and 'received' emails were deleted along with all their online contacts. The only message that remained was one from the attacker that requested they contact them for payment in order to receive the data back."

According to Websense, the threatening message left in the user's inbox reads (roughly translated from Spanish): "If you want to know where your contacts and your emails are then pay us or if you prefer to lose everything then don't write soon!"

This is not a terribly difficult attack to execute. If you are a bad guy in control of a network of hacked Windows machines infected with keystroke logging software that rips out user names and passwords stored in Internet Explorer, it would be trivial to conduct this attack on a large scale. Also, if you've ever seen one of these text files that store keylogger data from thousands of victims (I have seen several) you will quickly notice that far too many victims use the same password at multiple sites, meaning that even if the crooks don't already have a victim's Web mail login, there is a good chance they can guess it from the victim's other passwords.

The main problem I see with this attack is that it is far riskier than most cyber crimes, as the bad guys have to arrange to receive the money at some point. The crooks best positioned to execute this kind of fraud are likely to make more money selling bank account information or paying someone else to siphon funds using that stolen information.

By Brian Krebs  |  December 14, 2006; 7:38 PM ET
Categories:  Latest Warnings  

Comments

With so much important data now online, attacks like this certainly seem destined to increase. An even worse case would be if someone's Google id and password got stolen. Not only would the bad guys have their emails, but also their adwords campaigns, online documents, spreadsheets, and maybe even their Google checkout account. That's probably worth quite a bit of money in many cases. This is a big part of why I wrote KeyScrambler ( http://www.qfxsoftware.com ) to help protect browsers specifically against keyloggers and why the free personal version protects all logins, not just financial sites. It's an extra layer of defense in addition to the usual anti-virus and anti-spyware apps.

Posted by: Qian Wang | December 14, 2006 10:24 PM | Report abuse

I should hope these wannabes don't ask for more than a few bucks.

I'm sure some lame kids will try this, but come on, who really wants to save their sent and deleted items folders anyway? Lost contacts? You've probably got those written down, or can easily recover them.

Seems to me this is a great way for people to get their junk mail and outdated contact lists cleaned up at no charge.

Change your email password and move on with life.

Posted by: Jon | December 16, 2006 12:50 PM | Report abuse

Jon,

Lots of people have multiple accounts tied to their free Webmail accounts: they register at Paypal or eBay or an airline or something like that, and if the bad guys have access to free Webmail accounts like that (which they do) they can easily lock victims out of accounts tied to that Webmail box, in addition to holding their e-mail hostage.

Posted by: Bk | December 16, 2006 7:04 PM | Report abuse

I haven't been a victim of cyber extortion (knock on wood), but it got me wondering... if you were to find yourself in this situation, then who would you turn to law-enforcement wise?

Posted by: John | December 19, 2006 11:25 AM | Report abuse

John> I haven't been a victim of cyber extortion (knock on wood), but it got me wondering... if you were to find yourself in this situation, then who would you turn to law-enforcement wise?

That's an interesting question. I would try FBI, but they're spread pretty thin. You could ask US-CERT for a referral.

Posted by: antibozo | December 19, 2006 12:02 PM | Report abuse

Dear Mr Wang,

You wouldn't have a Linux (Ubuntu) version of your free KeyScrambler up your sleeve, just in case some wise guy decided to pick on us non-Windows, non-Mac types as well?...

Henri

Posted by: M Henri Day | December 19, 2006 2:26 PM | Report abuse

Is there a safe box for information in the world? We pay the bank to safeguard our valuable objects and money, but while we all know information may be more valuable in many situations than money, why does no information bank exist to help us the same? It may be an idea for business, but make sure you have sufficient insurance coverage if you want to take the adventure.

Posted by: BaPu | December 19, 2006 9:05 PM | Report abuse

BaPu> We pay the bank to safeguard our valuable objects and money but while we all know information may be more valuable in many situations than money, why no information bank exists to help us the same?

Because information is freely copiable, unlike currency or objects of value.

Take a look at the CopyBot controversy in SecondLife if you're interested in this subject. Here's a starting point:

http://www.freedom-to-tinker.com/?p=1088

Posted by: antibozo | December 20, 2006 12:02 AM | Report abuse

I have been using Roboform on the Windows boxes, I do not know of a solution as of now for Linux. The neat thing with Robo is that you can generate your own passwords very easily.

Posted by: DOUGman | December 20, 2006 10:12 PM | Report abuse

"I'm sure some lame kids will try this, but come on, who really wants to save their sent and deleted items folders anyway?" Signed, "Clueless in Left Field"

Posted by: cc | December 21, 2006 3:37 PM | Report abuse

I think you've hit the nail on the head with the de-facto single password situation. So many people are guilty of using one username and one password for pretty much all of their accounts.
Default passwords not being reset are another problem.
Both of these problems are end-user related, but they are also problems that can be easily enforced by using two-factor authentication and policies on passwords.
Paul Misner
www.smartchive.com
paul@paulmisner.com

Posted by: Paul Misner | December 27, 2006 5:12 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company