In a recent ITWC briefing, Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4, said there are many types of email attack being employed by hackers today, but he focused on four of them:
- Password hash theft, in which a hacker intercepts and steals a password hash;
- Spray attacks, where a hacker gets around the account-lockout limits on failed logins;
- Rogue password recoveries, which allow a hacker to change your password, even bypassing multi-factor authentication; and
- Bad form exploits, in which a hacker uses mailbox automation tools to hide an attack.
People are used to getting phishing emails, or having someone ask them for their password. But attacks are growing increasingly sophisticated. Heading into 2023, companies would do well to take a deeper dive into the kinds of things hackers are doing.
Password Theft Attacks
Grimes began with password hash theft attacks, which he said are common enough but often carried out in a “unique” way.
Most people today, he said, know that when they are asked to create a password or log in to any modern operating system, their password is converted using a cryptographic hashing algorithm specific to the OS and version. For example, if you go with ‘frog’ for your password, Windows converts it to what is called the Windows NT hash, and that is what gets stored on the Windows machine or in the Active Directory domain.
As Grimes explained, what attackers have learned is that if they can get hold of your hashes, they can use password hash cracking tools or rainbow tables to brute force the password that the hash stands for.
Grimes proceeded to show attendees how, simply by opening an email or clicking on a link, people can be put on a course to giving up their password information. He then moved on to another not uncommon but often very effective mode of attack called “credential stuffing” or a “spray attack.”
In the past, explained Grimes, hackers would try one password, then another. They have since evolved their method. Nowadays, he said, “they’ll get a whole lot of login names – often trying to get every login name in an organization – and they’ll guess very slowly, what we call ‘wide, low, and slow.’ They’ll try a couple of passwords now and again, never at a rate faster than what the account lockout policy is.”
The object of this particular game is to avoid exceeding whatever lockout threshold the system has in place. The bad news for companies, said Grimes, is that “if [hackers] get locked out, they’ll wait … however long they have to wait for the bad login counter to reset.”
How popular is this type of attack? Grimes said Akamai reported 61 billion credential stuffing attacks in only a year and a half – almost 113 million every single day.
Grimes went on to discuss the tools hackers use in spray attacks, and the steps they typically take, and provided helpful intel for companies looking to stay safe from this sort of attack.
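The “wide, low, and slow” pattern is invisible to a per-account lockout counter by design, so the defensive question is what to count instead. The following added example (not from the briefing) runs two checks over a constructed authentication log: the per-account view a lockout policy has, and a per-source view that counts how many distinct accounts fail from one origin. The log lines, IP addresses, user names, the lockout threshold of 5 and the alert threshold of 5 accounts are all assumptions made for the example.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5      # failures that lock one account (assumed policy)
SPRAY_MIN_ACCOUNTS = 5     # distinct accounts failing from one source before alerting

ACCOUNTS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]

# Constructed sample events, format: <timestamp> src=<ip> user=<name> result=<OK|FAIL>
SAMPLE_LOG = [
    # A legitimate user mistypes twice, then logs in.
    "2023-01-09T08:01:10Z src=198.51.100.5 user=bob result=FAIL",
    "2023-01-09T08:01:25Z src=198.51.100.5 user=bob result=FAIL",
    "2023-01-09T08:01:40Z src=198.51.100.5 user=bob result=OK",
    # A noisy single-account attack: six failures in six minutes, caught by lockout.
    *[f"2023-01-09T08:0{i}:00Z src=192.0.2.9 user=carol result=FAIL" for i in range(2, 8)],
    # A spray: one guess per account per day, against every account, two days running.
    *[f"2023-01-09T{9 + i:02d}:15:00Z src=203.0.113.7 user={u} result=FAIL"
      for i, u in enumerate(ACCOUNTS)],
    *[f"2023-01-10T{9 + i:02d}:15:00Z src=203.0.113.7 user={u} result=FAIL"
      for i, u in enumerate(ACCOUNTS)],
]


def parse_event(line: str) -> dict:
    """Split one log line into its fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "src": fields["src"], "user": fields["user"], "result": fields["result"]}


def locked_out_accounts(lines, threshold=LOCKOUT_THRESHOLD) -> set:
    """What a per-account lockout policy sees: failures counted per user only."""
    fails = defaultdict(int)
    for ev in map(parse_event, lines):
        if ev["result"] == "FAIL":
            fails[ev["user"]] += 1
    return {user for user, n in fails.items() if n >= threshold}


def detect_spray(lines, min_accounts=SPRAY_MIN_ACCOUNTS) -> list:
    """Pivot on the source instead: one origin failing against many accounts is a
    spray even when no single account ever reaches the lockout threshold."""
    per_src = defaultdict(lambda: defaultdict(int))
    for ev in map(parse_event, lines):
        if ev["result"] == "FAIL":
            per_src[ev["src"]][ev["user"]] += 1
    alerts = []
    for src, users in per_src.items():
        if len(users) >= min_accounts:
            alerts.append({
                "src": src,
                "accounts": len(users),
                "max_fails_per_account": max(users.values()),
            })
    return alerts


if __name__ == "__main__":
    print("locked out by policy:", locked_out_accounts(SAMPLE_LOG))
    for alert in detect_spray(SAMPLE_LOG):
        print("spray alert:", alert)
```

On this sample the lockout policy catches only carol's noisy attacker, while the sprayer at 203.0.113.7 never pushes any account past two failures and is found only by the per-source count. In production the same pivot is usually done per source network, user agent or ASN over a sliding window, since a sprayer who rotates addresses defeats a single-IP count.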
Rogue Password Recoveries
Grimes went on to discuss rogue password recoveries. “Most traditional email systems,” he explained, “even if they’re protected by [multifactor authentication], have a self-help portal for people who lose their password. The system will put your account in recovery mode, and send an SMS to your phone. That is the most common way to reset an account password … I don’t have to guess or know your password, I can just have it reset … but it involves sending you an SMS code. Or I can reset it.”
Grimes pointed to an all too common problem: that password recovery questions are often easily guessed by hackers. He presented two disturbing statistics:
- Twenty per cent of recovery questions can be guessed on a hacker’s first try
- Forty per cent of people are unable to recall their own recovery answers
Bad Form Exploits
After providing some excellent password advice and giving attendees some valuable “inside baseball” about hackers’ tendencies and methods when it comes to passwords, Grimes moved on to discuss bad rules and bad forms.
“They have your email address, your passwords,” he said, “which they can then use in a [rules and forms] attack … to completely take over your computer. They do this through your email client via your email rules or filters (or whatever your email system calls it).”
The more sophisticated email clients (Outlook, Gmail, Thunderbird, etc.) allow administrators and users to add customized rules and forms, to enhance the user experience. This, said Grimes, is all the opening hackers need.
“Traditionally, they had to be on your computer [to] use your email system. Now they can use remote hacking tools to remotely install whatever email rule or form they want which has malicious scripting [embedded]. They can format your hard drive. They can eavesdrop on your emails. They can insert hacking tools. They can do back doors.”
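Since the attack lives in the mailbox's own rules, the corresponding defensive check is an audit of those rules for the traits Grimes lists: forwarding, hiding messages, and actions that run scripts or programs. The following is an added example, not code from the briefing or from any mail vendor; the rule records use a generic dictionary schema constructed for the example (the field names such as `forward_to` and `run_application` are assumptions, not any product's API), and `example.com` stands in for the organisation's own domain.

```python
ORG_DOMAIN = "example.com"

# Constructed mailbox rules in a generic schema (not any mail system's real format).
SAMPLE_RULES = [
    {"name": "Team newsletter", "owner": "alice@example.com",
     "conditions": {"from_contains": "newsletter"},
     "actions": {"move_to": "Newsletters"}},
    {"name": ".", "owner": "alice@example.com",
     "conditions": {"subject_contains": ["password", "security alert", "invoice"]},
     "actions": {"forward_to": "archive@mail-backup.invalid", "delete": True, "mark_read": True}},
    {"name": "Run helper", "owner": "bob@example.com",
     "conditions": {},
     "actions": {"run_application": "C:\\Users\\Public\\helper.exe"}},
]

# Subjects an attacker-planted rule typically hides from the victim.
SENSITIVE_TERMS = {"password", "security alert", "invoice", "payment", "mfa", "verification"}

# Rule actions that execute code on the client rather than just filing mail.
CODE_ACTIONS = ("run_application", "run_script")


def audit_rule(rule: dict, org_domain: str = ORG_DOMAIN) -> list:
    """Return a list of human-readable findings for one rule (empty if it looks benign)."""
    findings = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # 1. Mail leaving the organisation automatically.
    fwd = actions.get("forward_to")
    if fwd and not fwd.lower().endswith("@" + org_domain):
        findings.append(f"forwards mail outside {org_domain} ({fwd})")

    # 2. A rule that launches a program or script on match.
    for key in CODE_ACTIONS:
        if actions.get(key):
            findings.append(f"{key} action ({actions[key]})")

    # 3. Security-relevant messages being deleted, filed away or marked read.
    terms = conditions.get("subject_contains", [])
    if isinstance(terms, str):
        terms = [terms]
    hits = sorted({t for t in terms if t.lower() in SENSITIVE_TERMS})
    hides = actions.get("delete") or actions.get("mark_read") or actions.get("move_to")
    if hits and hides:
        findings.append(f"hides messages matching {hits}")

    # 4. Blank or one-character names are a common way to keep a rule unnoticed.
    if len(rule.get("name", "").strip()) <= 1:
        findings.append("blank or one-character rule name")

    return findings


def audit_rules(rules, org_domain: str = ORG_DOMAIN) -> dict:
    """Audit a whole set of rules; returns {rule name: findings} for flagged rules only."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, org_domain)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for f in findings:
            print("  -", f)
```

Feeding real rules into this check means exporting them from the mail platform's admin tooling on a schedule and diffing against the last export; a rule that appears without a matching user action is the signal to investigate, and blocking external auto-forwarding at the tenant level removes the most damaging action outright.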
Before moving into a Q/A session, Grimes provided an excellent demo of a “bad forms” email attack. After the demo, he provided pro tips for companies looking to get smarter and more alert to this increasingly common, and often deadly, form of cyber-attack.