There are many, many ways one can be hacked through an email. One of the most common examples is Phishing, which has 80-90% chances of data breaches. However, Cross-site Scripting (XSS), Launching Malware, payment to hackers to get email passwords, and Email Bombing are also well-known email hacks. We will be going in-depth of every possible means of email hack like Rogue Recovery, Password Hash Attacks, Web Tracking, Clickjacking, Password Sprays, etc. as well as provide some of the possible defenses against the attacks.
Heard of Password Spraying Attack!
It’s a type of Brute-Force attack where an attacker attempts to access a large number of accounts. This technique usually allows the attacker to remain undetectable as well as keeps away from the account lock-up. So, for gathering information about the objective and track people, company data, IPs, domains, servers, hackers may use Open Source Intelligence (OSINT) tools like OSINT Framework, Censys, Creepy, FOCA, etc. After getting emails, they target unprotected online portal to guess the password using password cracking tools. Hence, the defense is to change windows administrator account, use strong entropy passwords, enable account lockout, use VPN for the online portal, enable MFA, and many more.
Dust in Your Touch Screen? Be Wary of Clickjacking
Clickjacking is a scammers/ phishers/attacker’s malicious technique of tricking a user to click on something different from what the user perceives like having dots, hairs, dusts on the screen. Basically, in the touch screen system, the victim seems to fall in the pit of activating and revealing sensitive info or giving authorities, when trying to clear the screen. Therefore, it can be eliminated by educating people more about this new technique and always be wary about touch screen new attack.
Unbelievable Stealing of Password Hash
Usually, passwords/credentials are stored as hashes than in plain text. In windows, the passwords are encrypted via LM or LANMAN hash, NT or NTLM, SAM database file. In Linux/Unix system, it would be MD5, Blowfish, SHA1(old/ weak), SHA2, or SHA 256. Usually, an attacker tries to get the password hashes by using some password cracking tools like Aircrack-ng, CrackStation, John The Ripper or simply using Brute Force, Rainbow Crack. Hackers can still get the hashes even if the enterprises have Citrix/VPN or Multi Factor Authentication enabled.
The hacker has the responder tool like LLMNR and NBT-NS installed in his machine. So, when a user/victim, clicks the link, it will point to an object on the Responder server. The email tries to retrieve the object and then the responder tool captures the response as a hash. Hacker, then, cracks the hash and get the plain text password.
So, Can We Stop Password Hash Theft?
Firstly, one must always take a close look at the email even before opening it. Secondly, the firewall rules of the company should monitor/ filter and hence block the egress traffic. Filtering out inbound file://// links can greatly help password hash theft. Port blocking the enabled perimeter on the host firewall and outbound authentication perimeter on port UDP 137 & 138, TCP 139 and 445. Also, implement a strong password that can withstand password cracking attempts.
Don’t Fall into Rogue Recovery Strategy!
We all know that in case we are not able to login to our email provider has the system of a “recovery” method used as an alternative login like PIN codes, password reset questions, alternate email address. Therefore, these recovery methods are not always secure, and hackers make us fool by sending emails into recovery mode and use it to compromise our system.
One can be protected by avoiding alternate email-based and SMS-based recovery methods, being cautious when using phone numbers as a recovery account method, be wary of rogue recovery texts/messages etc.
Allari implements customized service plans for IT Operations & Cyber-security which allow you to complete a higher volume of planned work, gain the capacity to innovate and help your business to win.
Subscribe to the best newsletter there is.
You won't regret it!