Pages

Defending your ID

How many times have you heard someone ask "how do I hack yahoo or hotmail?"
It’s become a type of joke among frequent visitors of hacker related chat rooms and websites. This article is being written for the sole purpose of defending yourself against such actions.

Lets start by going over a few terms I use so there is no confusion. If you think this is silly, you’d be surprised at the # of emails I get asking what is a...
I figure I’ll just spell it out.
UN = username
PW = password
SW = software
HW = hardware
DL = download
KL = keylogger
RAT = remote administration / access tool.

Dispelling a few rumors:
1. You can use a bruteforcer program to get a Yahoo or Hotmail password.
This simply is not the case. Both Yahoo and Hotmail have security in place specifically designed to stop this kind of attack. Yahoo requires that you enter a random code into an additional field provided as well as the UN and PW after 16 failed login attempts. Failure to enter the correct code will result in a failure to log into the account, even if the UN and PW are correct. Hotmail has a different security feature which sends the user to a ‘lockout’ page, which has NO fields to enter the UN or PW after just one failed attempt. These two methods are effective for eliminating bruteforcing to exploit their service.

2. There are programs that hack Yahoo and Hotmail.
Once again, that’s not entirely true. While there are programs that claim to be able to hack hotmail and yahoo, all they really seem to be are specialized keyloggers and trojans that send the info from a targets computer. The question is then, if you can get a target to download / run a program, then why would you only steal their email account information? Why not simply take control of the whole thing? A lot of people that use these programs are not well versed enough to know how to cover their tracks and can easily be caught when using such programs. Many of these programs are also specially designed to steal information from the computer that tries to run it, thus exploiting the would-be attacker.

3. You can email an automated pw recovery service and trick it to gain the pw of the account you choose.
Ever see something that goes something like this?:
Note: the following is bullshit. Ive added this note since no one seems to read this tutorial and skim through it, then email me complaining that it doesnt work. thus...
THE FOLLOWING IS AN EXAMPLE OF A SCAM.

: : : (([[OMG!11! ]])) : : : (1) send an E-mail to passwordrecoverybot@yahoo.com (2) In the subject box type the screen name of the person whose password you wish to steal (3) In the message box type the following: /cgi-bin/start?v703&login.USER=passmachine&class=supervisor&f={your aol password}&f=27586&javascript=ACTIVE&rsa (4) Send the e-mail with priority set to "high" (red in some mail programs) (5) Wait 2-3 minutes and check your mail (6) Read the message. Where YOUR password was typed before, NOW, the password of the screen name in the code string is there!!!
Why does this work? It´s a special decryption-server that AOL-employees can use to decrypt passwords. The aol backdoor account is a bot that reads your authentification from the message body and identifing you as a valid AOL Staff-member, you will get the password mailed back to you. The trick is that this Bot´s script seems to be a little bit buggy and it automatically recognizes you as an supervisor (AOL-Staff member), even if you use a normal AOL account. This means, that EVERYONE having a valid AOL account can hack as many other accounts as he wants.

Well, there’s my example of a scam designed to steal your information...simply by tricking you into sending your password to the attackers email (passwordrecoverybot@yahoo.com in this example) and the specific things to type and all that bullshit is just that... bullshit. Specificlly, bullshit made to look like it actually does something to the standard pc user and/or layperson (aka target)... but it doesnt.
This may also explain some of the people saying they were hacked. Obviously, don’t send your password to anyone for any reason, ever.

What it all comes down to is this:
If you're looking to get an email ID, you hack the targets PC, not hotmail or yahoo directly. If someone were to actually crack into the hotmail or yahoo servers, they would be logged, traced, and the security flaw patched I would say within 15-50 minutes... maybe 24-48 hours the latest.
These types of companies have a multi million or even billion dollar backing, a literal army of first class techs and security teams, and apply the newest and most sophisticated SW, HW and intrusion detection/protection/management methods the industry has to offer.
Now on the other side of the story, you have an end user who probably hasn’t even installed a single update on their machine, has all the default settings enabled, doesn’t know an .exe file from a .com, uses an un-patched version of IE or AOL, doesn’t know how to enable their firewall or configure it if it is enabled, etc.

In other words, why attack a well-trained, well-equip army guarding a document when you can attack a less able individual to get it?

These are some of the more common methods for "hacking yahoo PWs":

1. fake login page
2. email phishing campaign
3. RAT
4. keyloggers
5. cookie grabber
6. spyware
7. fake programs (rat/kl)
8. physical access to cached PWs
9. Social engineering

At this point I’d like to go over them briefly. You may be expecting me to do a step by step on how to use these methods to exploit someone, but this is not the case in this particular article. See www.informationleak.com for exploitation methods.

1. Fake login page:
This method is generally used on public terminals, and can be quite effective for gathering large numbers of Ids. The way it works is documented in another tutorial I have written, but basically its just a matter of someone making a replication of yahoo or hotmails site, by copying and making minor modifications to their source code and setting their page as the home page. They then set the input fields to send the information to an email address or database. I personally believe the level of success using this method depends on the system, and the amount of creativity involved in making the page look as authentic as possible. To avoid falling victim to this, type the address of the page you are logging into directly into the browser, including the prefix "http://"

2. Email phishing campaign:
Phishing has unfortunately become a household word, though some people associate it with SPAM. Phishing is really just spamming and using deception and trickery to gain information to exploit a service, system, etc. Phishers have posed as banks, email services, law enforcement agents, online contests, teachers, automated services, Nigerians in need of a way to transfer millions in cash, software firms, friends, acquaintances, even the targets themselves. Anyone and anything that you can impersonate, expect a phisher to try. Their emails generally come with an attachment that contains a program like a trojan, RAT or keylogger or virus that either exploits your system searches for PWs and banking info and sends it to the phisher or simply infects or destroys your PC. Some of these scams can be EXTREMELY well done, and almost indistinguishable from a real email (provided by for example, a company they are impersonating). It’s always best to contact the company by phone or mail to confirm anything suspicious.

3. RATs:
Remote administration tools or remote access tools. These programs allow an attacker varying degrees of control over the PC that has the SW installed. The level of access depends on the RAT. Control over the PC allows installation of other malicious software that can be used to track keystrokes, web sites visited, programs accessed, and even take screenshots of the infected computer and send them to an email address covertly. It is also capable of allowing the attacker to make any changes to the system they would like. Obviously, this isn’t good.
Most antivirus and spybot removal SW will detect and remove these types of programs. It’s also a good idea to not only use, but check the logs, settings, permissions and outgoing/incoming traffic of your firewall to prevent this type of thing from happening to you.

4. Keyloggers:
Keyloggers can track keystrokes, web sites visited, programs accessed, and even take screenshots of the infected computer and send them to an email address covertly. Again, most antivirus and spybot removal SW will detect these. If you fear your pc has been comprimised, you can take steps to ensure your PW isnt logged until you can scan for and remove it. Open a word document and write out a list of the UN’s you’ll be using and the a list of the PWs. then cut and paste them accordingly into the fields if you fear a KL or other monitoring device may be in use so that while the SW will pick up the keystrokes, it will not know what PWs match the UNs. If you'd like to take that a step farther, write several random letters and numbers around your PW in the word file and cut out the extra letters until you come out with the UN or PW desired.

5. Cookie grabber:
This method depends on whether or not the target has opted to save or have the computer remember their PW. The information is saved in the cookies and can be used to exploit some mail services. The information can be gained through a website or email containing a script that ‘grabs’ the information. Deleting or not allowing the use of cookies can stop this method.

6. Spyware:
Spyware / adware are small programs installed and executed on a target PC for use as tracking tools generally for advertising purposes. These programs generally rely on web browser vulnerabilities to install and run on your system. However, as previously mentioned, any program that is installed on your PC without your knowledge isn’t good. Some attackers have taken this technology and created spybots particularly designed to send sensitive information about your system to a predetermined mail address or database. This can generally be avoided by updating and patching your browser as often as possible. I personally suggest using Mozilla Firefox as a browser, as it is not as vulnerable as internet explorer and operates in much the same way, and has a similar interface. There are literally THOUSANDS of anti spyware programs available, two that I find work exceptionlly, especially in conjuction with each other is Spybot Search and Destroy and Adaware SE personal. Before you get a spyware removal program, research it and see what the general concensus is as some programs touted as spyware removers actually install spyware on your system.

7. Fake programs:
I mentioned this earlier in this article in the dispelling rumors section. There are programs like booters, hotmail and yahoo hackers, point and click trojans, keyloggers, audio and video SW, etc that contain RATs and other malicious programs. The obvious way to minimize the chances of becoming a victim of this method of exploitation is not to DL ‘shady’ programs (ie. programs that do illegal things). The general rule is "If something sounds too good to be true, it probably is." When DLing programs, make sure that you have researched them, and the company/website it came from. Keep a record of this as well, and check your system often for signs of exploitation.

8. Physical access to cached PWs:
This is in my opinion, the easiest way to snag a PW. Having access to a system where the PW has been "saved" or "remembered" means that the PW is located somewhere on the PC. Where depends on the SW, so the location varies depending on what you’re looking for. There is also a plethora of legitimate programs designed to find the cached PWs of various programs, and present them, even if they are encrypted. Best way to avoid this is to not cache or allow the PC to remember your PWs. You don’t give your PW to anyone, why give it to a machine that can’t decide on its own whether or not to give it out?

9. Social engineering:
This can, and often is combined with any of the above methods. Social engineering is really just exploiting people instead of SW. Social engineers use a variety of ways to trick someone into giving them the information they desire. These cons can be amazingly ingenious, professional and complex, or they can be ridiculously crude and almost laughable. Again, if you have doubts about the legitamacy of something or someone or something just seems strange don’t do it. Don’t give out sensitive information, period. You can always check up on a story or website later.

General Rules:
Think.
Update and scan often.
Look for potential problems, dont wait for them to find you.
Use case sensitive alphanumeric PWs at least 8 characters long and use symbols like @, #, $, _, -, ^, and even ascii characters like "£", etc whenever able.
Dont use the same password for everything.

Be aware that these methods are simply the most common. These are not the only way for someone to get your PW. Unfortunatly, if someone wants something bad enough, they’re probably going to get it. At least by familiarizing yourself with these methods, you can recognize scams and potential attempts to steal your information and avoid it.

It is my hope that this article helps stop you from becoming a victim, and screws a slew of lamers and script kiddies into looking for another hobby.

0 comments: