MJCS (Canada) asked:

How did the client's e-mail password get compromised?


One of my clients had a bit of a nightmare recently. He lost access to his Facebook account, re-attained access and then promptly lost it again. The perp posted on his wall, added his own e-mail account and then removed the client's. He posted his e-mail password on his Facebook wall.

I'm trying to ascertain what a plausible explanation is for how the client's e-mail password was compromised.

Antivirus was out of date by 5 months
Java was about 4-6 revisions behind what's current
Flash was probably 3-4 revisions behind
3 adhoc networks had been connected to in the past
E-Mail was in Outlook
Has a BlackBerry

I scanned the computer using Malwarebytes. Then I removed the HDD and scanned with Kaspersky, then Avast, then Avira. Malwarebytes found some infection fragments. The other three found bits and pieces of Java-related exploits and trojans. However, no specific keyloggers were found.

I have been trying to ascertain whether the e-mail password was compromised through the ad hoc networks, through the BlackBerry, through infection, or through physical access to the computer.

Tags: Anti-Virus Apps, Security, Digital Forensics

Last comment: MJCS, 8/22/2022 (Mon)
Dave Baldwin

You forgot guessing and looking over his shoulder.  Since the perp is taking personal and not necessarily financial actions, it's probably someone who knows him.  'Professional' thieves would more likely prefer that he didn't know he was compromised.
Rartemass

If the password was simple then it could have been guessed. This also points to someone he knows.
This is why it's important to never use birthdays, pet names, kids' names, street names, favourite characters and movies etc.
Also, does he write the passwords down and "hide" them at his desk? Many people put a Post-it note under their keyboard with their passwords and think it's secure.
younghv

"...or through physical access to the computer?" = or they got their hands on his BlackBerry for a couple of minutes.

People get way too casual about protecting access to their handhelds - and yet they will store information in them that is every bit as critical as what they have on their PCs.
MJCS

ASKER
How easy is it to pull password info out of a BlackBerry? I know it is really easy to pull it out of a laptop. There are numerous utilities that could be downloaded and run directly or off of a USB stick.
younghv

Very easy.
Just Google "lost BlackBerry password" and see all the ways you can do it.
MJCS

ASKER
Do you have any specific links? When I ran that search, the general consensus seemed to be that you can reset your BlackBerry password but not retrieve it...
btan

Probably a simple password would be one, but it can be easily siphoned as well. Check out this link; mostly the phishing attack would socially engineer the user in the form of an email with a link to their phished (spoofed) Facebook login. The user, being unaware, will enter the credentials and all those are stored on the attacker's hosted fake website.

There would be a case for "forgot password" where the user's email account (also the Facebook user ID) would be hacked if it is using a simple password etc. The "forgot password" in Facebook will send it to the user's primary email account (in this case probably the user's Facebook user ID), and the attacker got that new Facebook password. Also note that sometimes the "reminder" question in the event of forgetting a password can be easily guessed as well, e.g. who is the spouse etc., as typically the answer can be found if the user had social information widely available on the web.

Nonetheless, I understand that Facebook has a security feature in which after 25 or so logins the account is temporarily disabled; to enable the account, the account owner must reset his/her account. That may be an indirect trigger.

For the ad hoc network, you should check out Firesheep, which siphons credentials by hijacking cookies across unprotected WiFi networks in hotspots etc. It can simply log in to any Facebook account without a password. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. See this link @ http://codebutler.com/firesheep
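The cookie-hijacking point above comes down to one browser rule: any cookie set without the Secure attribute is also attached to plain http:// requests, so on an open WiFi network it travels in the clear and can be replayed without the password. The following is an added example, not code from the thread; the cookie names and header values are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the weakness Firesheep relied on.
# A browser attaches every cookie that lacks the Secure attribute to plain
# http:// requests, so anyone sniffing an open WiFi network can capture a
# session cookie and replay it; the fix is HTTPS end to end plus Secure.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    secure: bool      # only ever sent over HTTPS
    httponly: bool    # not readable by page scripts


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie record."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name, "secure" in attrs, "httponly" in attrs)


def cookies_sent_over(scheme: str, cookies):
    """Names of the cookies a browser attaches to a request on `scheme`."""
    if scheme == "https":
        return [c.name for c in cookies]
    return [c.name for c in cookies if not c.secure]


def exposed_over_http(headers):
    """Cookies that would cross an open network in cleartext: everything
    the browser would still send with an http:// request to the site."""
    return cookies_sent_over("http", [parse_set_cookie(h) for h in headers])


# Constructed headers for a site that encrypts the login form but lets the
# session cookie travel over plain HTTP afterwards (the Firesheep scenario).
WEAK_HEADERS = [
    "locale=en_US; Path=/",
    "session_id=constructed-secret-token; Path=/; HttpOnly",
]
# Hardened: Secure keeps the session cookie off plaintext connections,
# so only the harmless locale cookie is ever visible on the wire.
FIXED_HEADERS = [
    "locale=en_US; Path=/",
    "session_id=constructed-secret-token; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    print("leaks over http:", exposed_over_http(WEAK_HEADERS))   # ['locale', 'session_id']
    print("leaks over http:", exposed_over_http(FIXED_HEADERS))  # ['locale']
```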

Tony_the_PC-Tuner

The easiest way to hijack a password is through simple phishing.

The client gets an email from someone that says "you have a new message on XYZ website (Facebook, Craigslist, whatever)."

They click on the "look-alike" site and attempt to log in to their account. Their username and password are captured, and the account is instantly compromised. The hacker who set up the look-alike site gets an alert that he's caught a fly, goes in and changes the real password on the real account.


Start your investigation there.


Your client should go in and immediately change all remaining passwords to every other account they own, and I mean EVERYTHING: bank passwords, eBay, Amazon, whatever. Change them now, as the hacker may be in the process of analyzing and digesting whatever they have already compromised.
ASKER CERTIFIED SOLUTION
MJCS

Rartemass

To close with no points, simply select your comment as the solution.
MJCS

ASKER
Nobody gave me a plausible answer but I was able eventually to duplicate the process myself, therefore answering my own question.