The last couple of days have seen some major concerns raised over email account security and how secure that makes your domain portfolio. If like many domainers you own domain names to the value of thousands of dollars, you ought to be concerned about your assets’ security.
In this post I will try to reflect on some methods hackers use to get a hold of email accounts and subsequently get access to registrar accounts and valuable domain names. Even though some of you may think that I am not helping anyone by revealing these methods I believe that by discussing these issues we domainers stand a better chance of fighting hijackers and crooks on a more level playing field.
Losing email accounts to email account hijacking is not limited to just domainers, it happens to people on a regularly. Sarah Palin’s recent troubles simply highlighted an every day occurrence mostly caused by email account owner carelessness – sorry Mrs Palin, but it’s true.
So, how do email accounts get hacked? What methods do hackers use? And what methods do they not use?
Fake Provider Back-end
If you Google “how to hack an email account” you might run into a website claiming they have a foolproof method to get into any Yahoo, AOL, Google, Hotmail etc account. The method is based around a claim that if you send an email to let’s say SOMESUPPOSEDACCOUNT@yahoo.com (or other mail provider of choice) with certain parameters (including your username and password) and a small piece of javascript code, the mail account will return any wanted email account password. The website claims that this is an automated back-end feature of said mail provider.
What in fact happens is that SOMESUPPOSEDACCOUNT@yahoo.com collects the information you send them (including your account username and password) and uses those to gain access to YOUR email account.
I guess this method works mainly with people curious about hacking their friends’ / family members’ / lovers’ mail accounts without having a clue about how things really work on the web.
Brute force
Enticing as it may seem when we watch it in movies, brute force is not a realistic method to get access to email accounts. It would take thousands of years for a super computer to brute force it’s way into a mail account with a computer program trying different permutations of characters to guess the password – so this method is discounted.
Trojan’s and Key Loggers
Trojan’s and key loggers are definitely a security concern and can lead to hackers gaining access to your email account.
Trojans are installed in addition to some other software you download and execute from the web. Upon installation Trojans act as a back door to send sensitive information back to the creator of the Trojan (hence the reference to the Greek legend of Troy).
People usually fall victim to key loggers when using public access web service providers like internet cafes and library computers. Key loggers are programs or hardware that log any keyboard activity in a log file to be read later.
Phishing
Any decent programmer can easily create a program or website feature to act and look like any other program we know today. You may have seen fake Msn popup boxes appearing on various sites in recent times impersonating the real thing and allowing you to “login” to your Msn account. The recent WordPress.org impersonation also brought this issue to our attention in spectacular fashion as did the recent eNom phishing emails.
Social Engineering
Social engineering is antother very common way hackers gain access to people’s mail and registrar accounts. Wikipedia defines social engineering as “the art of manipulating people into performing actions or divulging confidential information.”
How does social engineering work? It’s pretty simple actually. Hackers call the account owner and impersonate a service provider staff member. While discussing their account (mail, registrar, hosting or whatever) they manipulate the account owner into disclosing their account username and password.
Account Owner Carelessness
The story behind the above mentioned Palin account hijacking describes in detail how her account was hacked directly as a result of her carelessness and naivety. Mrs Palin used publicly known information for her security questions which allowed the assailant to easily research the information necessary to unlock her account.
So, what can you do to secure your mail account and all your valuable information and assets? Here are some points you should consider when deciding whether your web security procedures and practices are up to scratch.
1. Mail providers DO NOT provide back-end features that allow you to get access to people’s email accounts! (I won’t even go into why attempting to gain access to someone’s accounts is wrong – I’ll leave that to your conscience.)
2. Protect yourself from Trojans and spyware by using antivirus and antispyware software, a firewall and refraining from installing programs from non-trusted sources.
3. You should be careful about where you log into your accounts from and consider whether the computers you use are safe and key logger free.
4. When accessing your mail / blog / hosting / registrar / other account, make sure you type the url yourself rather than follow any links you may receive through your email or follow through a website. Be careful not to misspell your provider’s url to further help avoid falling victim to phishing scams.
5. Service providers will never call you to ask for your password. They have direct access to all your information in their database and if need be they can access it directly themselves. Someone asking for your password over the phone is a strong indicator they are attempting to manipulate their way to your account details.
6. Choose your account security questions carefully. Do not use information commonly know to your friends and acquaintances or commonly available on the web as it may be used to gain access to your account as described above.
And finally, even if you fall victim to hackers who gain access to your email accounts you can make sure that you do not lose your domain names by using features like the Moniker MaxLock or something similar from other registrars if it becomes available.
If you enjoyed this article download my free ebook – the Domaining Manifesto – from www.domainingrevolution.com for further insight into managing and making money from your domain names.
Hi John,
Just a quick correction: Brute force attacks are often extremely successful and don’t require a great deal of computer to run as “dictionary attacks”. You’d be surprised how many people think having a password like their favorite sport or food is actually a safe password
Thanks – very helpful!
Pingback: Hackers Hijacked CheckFree.com | Domain Name News | Domain News | Expired Domains
The phishing technique can be pretty hard to detect. I have to admit I have ‘almost’ fallen for a couple of them. But thankfully I made it a habit, a long time ago, to always go directly to the site to login and never use the links included in the emails. I still check the status bar to see if the link ‘looks’ legit but regardless always go login at the homepage of the site then navigate to whatever issue the email mentions to take care of it.
I caught my wife falling for an amazon phish right after she entered her complete information (credit card update to “save” her account from deletion lol). So she was able to call up and cancel things before she had any charges or anything but I was surprised she fell for it since I consider her pretty web savvy. But all it takes is spacing out a bit and assuming everything that comes to your email box is legit.
In my opinion, phishing is one of the most dangerous ways of hacking, because it can reach and fool so many people and disguise itself as the genuine thing. Even tech-savvy people can fall victim of such attacks.
BTW, I am running a contest at my web site – you can win a SuperAntispyware Professional license. All you have to do is leave a comment. Protect your PC from intrusions and spyware!