Dada Typo Hosting and Development : http://www.dadatypo.net

Coffeeshops and Security

Oct 28, 2015

A client called me the other day to report that his email account appeared to have been hacked. He had begun receiving replies from friends who had received spam sent from his email address. He had even received a copy of the spam in his own account. My first assumption was that his email address had simply been spoofed and that the real sender had disguised the server responsible for sending the mail. I asked him to examine the headers in the message he received (View->Message->Raw Source in Apple's Mail.app). You can follow the series of "Received:" headers to see all the servers through which the mail has passed, back to its origin.

[Image: received.jpg]

I was surprised to see that the spam had, in fact, originated on our mail server, and had been sent directly from his account. The connection to his account was being made from a dynamic IP address belonging to one of the major phone carriers. The hacker was on a mobile network.

I checked the mail server logs to verify. I found an entry for the first piece of spam sent, following successful authentication using my client's credentials. (I also found evidence of a different IP address trying brute force authentication attempts, with no luck.) Our spam sender, however, appeared to have my client's mail credentials. No brute force needed.
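As an added example (not code from the original post), here is the header walk described above done in code: it unfolds the "Received:" headers of a constructed message, orders the hops from origin to final delivery, and flags the hop whose transport keyword (ESMTPA or ESMTPSA, per RFC 3848) shows the connection was authenticated with the account's credentials, which is what the mail server log confirmed. Every host, address and id in the sample is a placeholder.

```python
import re
# Constructed sample (not from the original post) of what Mail.app's
# View->Message->Raw Source shows. Hosts, addresses and ids are placeholders.
RAW_MESSAGE = """\
Received: from mail.example-host.invalid (mail.example-host.invalid [203.0.113.10])
\tby mx.recipient.invalid (Postfix) with ESMTPS id 4F2A1; Wed, 28 Oct 2015 09:14:02 -0700
Received: from [10.0.0.5] (198-51-100-77.mobile.carrier.invalid [198.51.100.77])
\tby mail.example-host.invalid (Postfix) with ESMTPA id 9B3C2; Wed, 28 Oct 2015 09:13:58 -0700
From: client@example-host.invalid
"""
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # name the sending client announced
    r"(?:\s+\((?P<info>[^)]*)\))?"      # what the receiving server actually saw
    r"\s+by\s+(?P<by>\S+)"              # server that wrote this header
    r"(?:.*?\bwith\s+(?P<with>\S+))?"   # transport keyword, e.g. ESMTPS or ESMTPA
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_headers(raw):
    """Unfold the header block and return the Received: values, topmost first."""
    unfolded = []
    for line in raw.split("\n"):
        if line == "":                                  # end of header block
            break
        if line[:1] in (" ", "\t") and unfolded:        # folded continuation line
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    return [h.split(":", 1)[1].strip() for h in unfolded
            if h.lower().startswith("received:")]

def parse_received_chain(raw):
    """One dict per hop in delivery order (origin first): each server prepends
    its own Received: header, so the bottom-most one is the first hop."""
    hops = []
    for value in reversed(received_headers(raw)):
        m = HOP_RE.search(value)
        if not m:
            continue                    # malformed or locally generated header
        ip = IP_RE.search(m.group("info") or "")
        with_ = (m.group("with") or "").upper()
        hops.append({
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "with": with_,
            # RFC 3848: ESMTPA/ESMTPSA = client passed SMTP AUTH, so it held the credentials
            "authenticated": with_ in ("ESMTPA", "ESMTPSA"),
        })
    return hops
```

The first element of the returned list is the connection that injected the message; its IP is the address to look up in the mail server's authentication log.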

Next, I looked at the webserver logs to see if the webmail interface had been the point of entry. It wasn't. No unusual activity there.

We began to wonder where the recipient addresses came from — only friends and acquaintances of my client had received a copy of the spam email (which, appearing to come from my client, was substantially more likely to be opened than a random email). How had the hacker accessed my client's address book? Our first thought — the webmail interface — was a dead end. If his laptop had been compromised, why was the email originating from a wireless network account?

My client mentioned using his laptop frequently in coffee shops. Ah...now we're getting somewhere. Without a VPN, all of the traffic on a coffeeshop's wireless network is basically available to anyone willing to make the effort to grab it. I do provide an SSL connection to the mail server, but my client wasn't configured to use it. But that still doesn't explain the address book access, or the recipient list.

By intercepting the network traffic in the coffeeshop, a hacker could readily extract the destination host, username and password sent from your computer to check your mail (and "readily" here really does mean easily; it is not to be underestimated). With that information alone, however, they hardly control your computer.

They can, however, gain full access to your email account. An address book is not an integral part of an email account, so the hacker still doesn't have direct access to your "friends." What they do have is access to your mail folders, including your "Sent" folder. Where better to find a good list of trusted recipients than a list of people you have already contacted?

And that appears to be the solution. The hacker sent out just under 60 emails — not a huge mailbot by any means, but a highly targeted list of recipients more likely to click on spam links than most people.

My client changed his password. That solves the current hack, but frankly, the damage had already been done. This hacker probably never intended to use my client for anything more than his most recent contacts. Focused guerrilla spamming instead of carpet bombing: just another annoying weapon in the spammer's arsenal.

On a related note, I had another client report that the "Username" and "Password" labels on the login form to the webmail client had suddenly become links that popped up ads when you hovered over them. It only occurred when he was in a particular coffeeshop, indicating that someone was messing with the network packets in real time, adding links to pages where none existed in the source.

The moral of the story is this: use protection. When in public, at a minimum, connect to authentication services (Facebook, Google, mail servers, etc.) over SSL whenever possible. That way, your username and password are a scrambled mess to anyone who intercepts the traffic.

If you have the option available, use a VPN that allows you to tunnel ALL of your traffic through a secure channel, making your entire browsing session unreadable to eavesdroppers and packet sniffers. That's a discussion for a later date.
