On 11/17/21 9:10 AM, Hans-Martin Mosner via mailop wrote:
> Here I want to focus on hacked mail accounts. I can think of two major root
> causes but I have no idea about their relative significance:
>
> * Easily guessable passwords, with two subcauses for exploits:
>   o Brute force authentication attempts - I'm seeing them regularly,

Are you sure it is really *full brute force* attempts and not a *password reuse* attack? Some of my users have dozens of compromised passwords, and an attacker has plenty of information about:
1/ what the usual passwords used for an email are
2/ what kind of transformations are applied by its user,
so that attackers might dramatically limit the volume of trials needed for that kind of attack.

Just an example: one of my users has that kind of compromised passwords in "public" lists (some letters have been changed and this account has been disabled for a few years):
- Yt6j8mxx
- 123ytm
- ytjm0
- Yt6j8M
- Yt7j6M
- yyt6j8M
- yt6j8mm
- 123yt6j8m
- yt6j8mz
- yt6j8mq
- yt6j8ma
- yt6j8m9
- yt6j8m8
- yt6j8m777
- yt6j8m7
- yt6j8m6
[...]

As an attacker, I would try to 1/ check each of these passwords, 2/ find the most common roots of these passwords and brute force only using usual transformations (in this example, there are case transformations, adding "123" at the beginning, adding a single character at the end, adding several times the same character at the end).

I usually see "slow and low" attacks (one password checked per account, per IP and per day) and real brute force attacks are quite uncommon on the mail servers I manage.

> and the most egregious networks (e.g.
> 5.188.206.0/24) are fully blocked at our mailserver, but some mailops are
> less strict about blocking such abusers.

IMHO, the main issue is not really about blocking abusers but being able to identify compromised accounts.

> * Malware on client machines where passwords are either stored in a password
>   vault, or entered manually.

You are missing phishing attacks and probably compromised servers.

> My gut feeling is that some organizations are especially prone to hacked mail
> accounts. We're seeing lots of south american government agency users, and many
> accounts at educational institutions.

I am afraid the issue is broader than that. Yes, there are many issues with educational institutions (I have seen that kind of case from all over the world) but I also have seen compromised accounts used to spam from small enterprises (real estate, plumbers, architects, etc.).

> The latter are often hosted using Microsoft O365 services,

I would say O365 is probably a catalyst and probably not the cause. What you usually see are the spams. This means the spammer was able to know how to identify compromised accounts *and* he was able to know how to send mails. With any domain using O365, spammers already have all the needed information. The (French banks) phishings I used to receive only from O365 are now also sent directly from servers hosted at universities. I even have received a scam sent from a compromised account at a French ministry.

> and I highly suspect that weak passwords for all the
> freshly created student accounts may be a major cause, although exfiltrated
> password data may be a possibility, too.

Brute force on weak passwords seems unlikely to me as long as you are using network services. I would think the main issue is password reuse.

François
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
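The "slow and low" pattern François describes (one password per account, per IP, per day) is exactly what a per-IP failure threshold misses, and his point that the real problem is identifying compromised accounts suggests what a mail operator should look for instead. The following detector is an added example and is not part of the thread or of any mailop participant's tooling. The log lines are constructed, loosely modelled on Dovecot imap-login messages, with RFC 5737 documentation addresses; the thresholds (three distinct accounts, at most one failure each) are assumptions to tune per site.

```python
"""Detect low-and-slow credential-reuse probing in mail auth logs.

Added example for the mailop thread above; the log lines below are
constructed and use documentation-only IP ranges.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (Dovecot-like, simplified). Three patterns:
#  198.51.100.7  probes four accounts once each          -> spraying
#  203.0.113.22  probes three accounts once, then logs in -> spraying + likely compromise
#  192.0.2.10    fails three times on one account, then logs in -> ordinary typo
SAMPLE_LOG = """\
2021-11-17T03:01:12 imap-login: auth failed user=<alice@example.org> rip=198.51.100.7
2021-11-17T03:02:40 imap-login: auth failed user=<bob@example.org> rip=198.51.100.7
2021-11-17T03:04:03 imap-login: auth failed user=<carol@example.org> rip=198.51.100.7
2021-11-17T03:05:19 imap-login: auth failed user=<dave@example.org> rip=198.51.100.7
2021-11-17T03:06:55 imap-login: auth failed user=<erin@example.org> rip=203.0.113.22
2021-11-17T03:08:10 imap-login: auth failed user=<frank@example.org> rip=203.0.113.22
2021-11-17T03:09:31 imap-login: auth failed user=<grace@example.org> rip=203.0.113.22
2021-11-17T03:11:02 imap-login: Login: user=<grace@example.org> rip=203.0.113.22
2021-11-17T08:30:00 imap-login: auth failed user=<alice@example.org> rip=192.0.2.10
2021-11-17T08:30:20 imap-login: auth failed user=<alice@example.org> rip=192.0.2.10
2021-11-17T08:30:45 imap-login: auth failed user=<alice@example.org> rip=192.0.2.10
2021-11-17T08:31:10 imap-login: Login: user=<alice@example.org> rip=192.0.2.10
"""

# Matches the constructed line shape; a real deployment adapts this to its MTA/IMAP log format.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ imap-login: "
    r"(?P<kind>auth failed|Login:) user=<(?P<user>[^>]+)> rip=(?P<rip>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    day: str
    user: str
    rip: str
    success: bool


def parse_auth_log(text):
    """Turn raw log text into AuthEvent records, skipping unrelated lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(AuthEvent(m["day"], m["user"], m["rip"], m["kind"] == "Login:"))
    return events


def find_spraying_sources(events, min_accounts=3, max_failures_per_account=1):
    """Flag (day, source IP) pairs that touch many accounts with very few failures each.

    Per-IP volume is low by design in a slow-and-low attack, so the signal is the
    breadth of accounts tried, not the number of failures.
    """
    failures = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e.success:
            failures[(e.day, e.rip)][e.user] += 1
    spraying = {}
    for key, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_failures_per_account:
            spraying[key] = sorted(per_user)
    return spraying


def find_suspect_logins(events, spraying):
    """Successful logins from a source flagged as spraying that day.

    A reused credential that worked looks exactly like this: the same source that
    failed once against several accounts then succeeds against one of them.
    """
    return [(e.user, e.rip) for e in events if e.success and (e.day, e.rip) in spraying]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    spray = find_spraying_sources(evs)
    for (day, rip), users in sorted(spray.items()):
        print(f"{day} {rip}: probed {len(users)} accounts once each")
    for user, rip in find_suspect_logins(evs, spray):
        print(f"review account {user}: login from spraying source {rip}")
```

Note that 192.0.2.10 produces three failures, as many as 203.0.113.22, yet is correctly left alone: the distinguishing feature is one account versus several. In production the same grouping works across days or IP ranges, and the `find_suspect_logins` output is the list of accounts to check (and, if confirmed, to reset and rate-limit for outbound mail) rather than a list of IPs to block.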