(WEB HOST INDUSTRY REVIEW) — In the wake of news reports this week about the FBI’s latest crackdown on phishing, which identified at least 100 suspects who allegedly hijacked many webmail accounts, users are increasingly conscious of the threat of their email account being rifled through. Other aspects of victims’ online lives, however, are also affected, according to Symantec’s MessageLabs (www.messagelabs.com) division.
MessageLabs reports that phishers who gain access to an email account are likely to have access to a host of other online services the victim uses, such as social networks — all they need to do is try the password reminder links from the login pages, giving them access to other personal information stored online.
“A user’s unique email address is often used to authenticate a number of websites, including social networking sites and Instant Messaging on a public instant messaging network,” Symantec MessageLabs intelligence senior analyst Paul Wood said in a statement. “If your email address has been compromised, not only should you change the password there, you should also change it on any other site that uses that email address as a log in ID.”
Over the last year, MessageLabs Intelligence has tracked a number of phishing attacks using IM in which phishers collected real IM user account information and passwords and used them to send commercial messages to everyone on the user’s buddy list. The bait was an invitation to view a funny video or embarrassing pictures by clicking on a link in an IM, and the landing site would then ask the victim to log in with their IM user name and password. On public IM networks, the user name is often the same as the web-based email account.
Phishing, however, is just one of the many ways criminals can gain access to webmail accounts. MessageLabs Intelligence has reported an increase in the number of “brute-force” password-breaking attempts that run the entire dictionary through the password field of online webmail accounts. Users with simple or weak passwords are the most vulnerable. The website will ask an attacker to solve a CAPTCHA puzzle to prove they are a real person, but CAPTCHAs can be easily bypassed using a variety of CAPTCHA-breaking tools.
These findings make it more important than ever for webmail providers to implement “password strength” ratings and warn users to be careful when opening links and attachments.