by Dancho Danchev
Just how easy is it to hack someone’s email nowadays? Very easy as the process is offered as a managed service within the cybercrime ecosystem.
Over the past couple of months, I have been monitoring an increase in managed email hacking services. These services basically offered everyone the ability to claim someone else’s email through email hacking performed on behalf of the vendor. Such services have been circulating in the wild since early 2008. Shall we take a peek at their latest market proposition?
Let’s profile a managed email hacking service offering to hack Gmail and Yahoo accounts.
The service I’m going to profile is called Vzlom Pochta, which is literally translated as breaking into an email account. The service offers guarantees for prospective customers. For instance, in order for the vendor to confirm that the email has been broken into, they will include a screenshot, copy of the victim’s address book, and copies of the email the customer has sent to the victim. Within the cybercrime ecosystem, these services are often pitched as password recovery services, clearly attempting to legalize their practices.
Translated market proposition:
We work with wholesale customers. If you are a regular customer, you also are entitled to a discount. More information about the prices of services and cracking discounts, please see the section PRICES.Ordering hacking email (soaps) with us, you can be 100% confident in the anonymity of hacking mail. We guarantee a ANNONIMNOST your order, and that the victim of cracking the password e-mail will learn nothing and no suspects. More on this page WARRANTIES. Before payment is strongly suggested to read the section on the order of mutual PAYMENT. Finally, if you do not have any additional questions, you can order the break-mail directly from our website using the order form on the Contact Us page.Instead of a conclusion. Yes, it really works. Much to ask of those who “just want to see how to hack e-mail” is not going to pay, to pass by and not make empty orders are not wasting our time wasted. If you placed an order and refuse to pay, we reserve the right to notify the victim hacking mail. We do not work with social networking and dating services and do not carry breaking Classmates and VKontakte. We can only crack the e-mail inbox! That is all I would like to add. We hope for fruitful cooperation.
The prices for hacking the emails are as follows:
- Mail.ru, Inbox.ru, List.ru, Bk.ru – 2000 rubles
- Yandex.ru – 2500 rubles
- Rambler.ru – 2500 rubles
- Google.com – 4000 rubles
- Yahoo!.com – 8000 rubles
DIY email brute-forcing tools have been around for years, with their modern alternatives coming with built-in CAPTCHA-solving support for the login page, thanks to vendors offering CAPTCHA solving services. The overall increase in the availability of such managed email hacking services, is the direct result of DIY web-based kits exploiting multiple passive and active XSS vulnerabilities — now patched — within their Web interfaces. That leaves botnet data mining for stolen passwords, and plain simple social engineering and spear phishing attacks in the arsenal of the attackers.
Just how easy is it to hack someone’s email? Let’s just say it used to be way easier than it is for the time being. Despite the fact that end users are choosing easy to brute force passwords, and the fact that their password resetting questions are easily guessed, recent product features introduced by Yahoo! Mail and Gmail, make it increasingly harder to hack into someone’s email.
In February, 2011, Gmail introduced two-factor authentication, followed by Yahoo! Mail in December 2011, making in increasingly harder to hack into someone’s email.
Monitoring of the service is ongoing. Updates will be posted as soon as they update their underground market proposition.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
So they can just bruteforce an account login? Doesn’t Google/these other services implement rate limiting? I know Google will throw up a CAPTCHA if you fail more than 3 times or so.
I don’t understand how they are doing this.
Modern brute-forcing tools have built-in CAPTCHA solving API that relays the CAPTCHA to a vendor of CAPTCHA solving services. Find more details about these vendors here:
http://www.zdnet.com/blog/security/inside-indias-captcha-solving-economy/1835
Best,
Dancho
These blog posts are all very interesting in an academic sort of way. But, what I want to know is: Does my Webroot Secure Anywhere package protect me? If not, why not? And what should I be doing in addition to secure my Internet activities?
Due to the nature of these services using outsourced hackers to actually carry out the hacks it’s hard to say what exact methods each of these services uses to perform the hack. As mentioned, botnets, social engineering tricks and spear phishing attacks are all used by these hackers and all take different methods to combat them. While Webroot SecureAnywhere protects against a plethora of attacks much of the security of your email account is up to you – most namely your choice of a password and your vigilance in responding to, or not responding to phishing attempts. Webroot SecureAnywhere Complete has a password manager built into it that encrypts your passwords and makes them easy to manage and also much more difficult to hack. Using social engineering to manipulate people to willingly provide their login and/or password can happen on almost any online platform you can think of and is up to the user to be aware of the deception and not give-up their personal information to anyone.
Thanks for the advice and reply.
This is one argument for the use of an email solution that uses a pop3/smtp client (such as Outlook) that downloads and keeps your mail on your local hard drive. I notice the services that they offer to “hack” are all web based email services.
I wonder how these “hackers” would go breaking into a local email store without resorting to social engineering tactics
I’ve been reading a lot of your blogs and loving the information and knowledge you provide…I really can NOW believe that people are breaking into email accounts and telling the authorities that they are only recoving passwords for the user…Right?
Okay…That is really wrong and your articles make me want to really rethink what I’m doing with my emails accounts…I don’t even know if someone can get into my account…Or if someone is in there now…Wow…
Plus, you information on those now “brute-forcing tools” that can break through that CAPTCHA safety gate and get you!
It’s really amazing you know this stuff and tell others…
I just don’t get it…Being older I need to start telling all my friends about the power of your knowledge…I have to be careful…Thanks again for you help…
I don’t have time, although I would love to respond to all you articles, blogs or words, but you really have opened up my world today on so many things…Just learning a lot of this now!
🙂