Ethical Hacking and Countermeasures v6 module 13 hacking email accounts


Ethical Hacking and Countermeasures v6, Exam 312-50 Certified Ethical Hacker
Module XIII: Hacking Email Accounts
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

News

Source: http://uk.news.yahoo.com/

According to a news report by researcher Mark Hofman, a new kind of phishing attack targets specific email accounts of American university students. According to the researchers, the email misleads victims by claiming to come from administrators who are updating the database. Mark Hofman mentioned in his report, posted on the Internet Storm Center blog, that this attack looks similar to the recent attacks on European ISPs. Attackers use fake school email addresses, which are actually Hotmail accounts, to send spam emails to individual students. Hofman also suggested that administrators should watch for mail that arrives in large volumes and alert students to this kind of attack.
Module Objective

This module will familiarize you with:

• Ways of Getting Email Account Information
• Vulnerabilities
• Tools
• Security Techniques
• Creating Strong Passwords
• Sign-In Seal

Module Flow: Ways of Getting Email Account Information, Vulnerabilities, Tools, Security Techniques, Creating Strong Passwords, Sign-In Seal
Introduction

• Hacking email accounts has become a serious threat
• Email accounts are the repositories where people store their private information or even their business data
• Due to the widespread use of Internet techniques and tools, a hacker can access the user ID and email password

Nowadays, hacking email accounts has become a serious threat because people store their private and confidential information, and sometimes business data, in their email accounts. With access to a user's email account, an attacker can retrieve the victim's private and confidential information. The attacker can also use those accounts for wrong purposes.

With the widespread use of the Internet, anyone can obtain the information needed to hack different email accounts, such as Yahoo and Hotmail passwords. Emails are now used as legal proof of a crime.

Information on email hacking is available on the Internet through a basic search with keywords like “hacking yahoo passwords”, “msn messenger hacking tools”, “msn hacking programs”, “hacking yahoo mail”, “hotmail hacking programs”, “hacking yahoo email”, or even something as simple as “hotmail hacking guide”. Users should be educated on the different security measures that need to be followed to protect email accounts from crackers.

Ways for Getting Email Account Information

Email account information can be extracted from an individual using many methods. Hackers use many things that appear to come from a legitimate source to extract information from users.
Some ways for getting email account information are by:

• Stealing cookies
• Social engineering
• Password phishing

Stealing Cookies

• If a web site uses a cookie, or a browser contains the cookie, then every time you visit that website, the browser transfers the cookie to that website
• If a user's cookie is stolen by an attacker, he/she can impersonate the user
• If the data present in the cookies is not encrypted, then after stealing the cookies an attacker can see the information, which may contain the username and the password

A cookie is a small text file that is sent by the web server to a browser and stored on the user's hard disk when the user browses the website. A cookie is created via Perl script, JavaScript, Active Server Pages, etc. Cookies are used to authenticate and identify a user to a website. A cookie holds information such as user ID, user preferences, username, password, archived shopping cart information, etc.

If a website uses a cookie, then the first time you visit the site, the server generates the cookies and sends them to the browser. From then on, every time you visit the site, the browser transfers the stored cookies to that site. The website retrieves the information stored in the cookie and serves the desired result. The cookie can only be sent to the site that created it.

If a user's cookie is stolen by an attacker, he/she can impersonate the user. The attacker can view the contents of the cookie if the data is not encrypted.
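The point about unencrypted cookie data can be checked from the defender's side. The following is an added example, not part of the original module: it audits a Set-Cookie header for readable credential-like fields (including base64-encoded ones, since encoding is not encryption) and for missing Secure and HttpOnly attributes. The cookie names, values and field patterns are constructed for illustration.

```python
import base64
import binascii
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Field names that suggest identity or credential data inside a cookie value.
SENSITIVE = re.compile(r"(user(name|id)?|login|pass(word|wd)?|pwd)\s*[=:]", re.I)

# Constructed sample Set-Cookie values (not taken from any real site).
PLAIN = "auth=username=alice&password=example; Path=/"
ENCODED = ("auth=" + base64.b64encode(b"username=alice:password=example").decode()
           + "; Path=/; Secure; HttpOnly")
OPAQUE = "sid=9f8c2a71d0e4b6a3; Path=/; Secure; HttpOnly"


def _views(value):
    """Return the value as sent, URL-decoded, and base64-decoded if it is valid text."""
    views = [value, unquote(value)]
    try:
        padded = value + "=" * (-len(value) % 4)
        views.append(base64.b64decode(padded, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError):
        pass  # not base64-encoded text; only the literal forms are checked
    return views


def audit_set_cookie(header_value):
    """Audit one Set-Cookie header value and return {cookie_name: [findings]}."""
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        findings = []
        if any(SENSITIVE.search(v) for v in _views(morsel.value)):
            findings.append("readable credential-like data in value")
        if not morsel["secure"]:
            findings.append("missing Secure")
        if not morsel["httponly"]:
            findings.append("missing HttpOnly")
        report[name] = findings
    return report


if __name__ == "__main__":
    for sample in (PLAIN, ENCODED, OPAQUE):
        print(audit_set_cookie(sample))
```

The ENCODED sample carries both attributes and is still flagged, because anyone who obtains the cookie can decode its value; the OPAQUE sample carries only a random identifier and produces no findings.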
Social Engineering

Social engineering is defined as a “non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.”

• Social engineering hackers persuade a target to provide information through a believable trick, rather than infecting a computer with malware through a direct attack
• Most people unwittingly give away key information in an email or by answering questions over the phone, such as the names of their children or wife, email ID, vehicle number, and other sensitive information. Attackers use this information for hacking email accounts

For example, sometimes an email arrives in the inbox saying “there is a problem with your account, please send your username and password by replying to this mail.”

Social engineering is the use of power and persuasion to trick people for the purpose of obtaining information or getting them to perform some action. Individuals at any level of business or communicative interaction can make use of this method. All the security measures that organizations adopt are in vain when employees get “socially engineered” by strangers. Some examples of social engineering include unwittingly answering the questions of strangers, replying to spam email, and bragging to coworkers.
Social engineers persuade knowledge workers to provide information through a believable trick, rather than infecting a computer with malware through a direct attack.

Password Phishing

The process of tricking a user into disclosing a user name and password by sending fake emails or setting up a fake website that mimics sign-in pages is called phishing.

After gaining the username and password, fraudsters can use personal information to:

• Commit identity theft
• Charge your credit card
• Clear your bank account
• Change the previous password

Fraudulent E-mail Messages

• You might receive an e-mail message from a bank asking for updated information
• The message provides the target user with a link to a legitimate site but redirects the user to a spoofed one
• That message asks for login, password, and other sensitive information
• Attackers can use this information for hacking email accounts

Date posted: 26/12/2013, 20:23
