EMAIL HACKING
Never give out
5.Side jacking(Session Hijacking)
Databases have been the heart of a commercial website. An attack on the database servers can cause a great monetary loss for the company. Database servers are usually hacked to get the credit card information. And just one hack on a commercial site will bring down its reputation and also the customers as they also want their credit card info secured.
Email hacking is illegal access to an email account or email correspondence.Email on the internet is now commonly sent by the Simple Mail Transfer Protocol (SMTP). This does not encrypt the text of emails and so intercepted mail can be read easily unless the user adds their own encryption. The identity of the sender or addressee of an email is not authenticated and this provides opportunities for abuse such as spoofing.
Email Spoofing
Email spoofing is a technique used by hackers to fraudulently send email messages in which the sender address and other parts of the email header are altered to appear as though the email originated from a source other than its actual source. Hackers use this method to disguise the actual email address from which phishing and spam messages are sent and often use email spoofing in conjunction with Web page spoofing to trick users into providing personal and confidential information.
Software is usually used to collect or generate the email addresses that are spoofed. Hackers may create a virus that examines the contact information on an infected computer. That information is collected and sent to the hacker who then uses another piece of software a mass email program to send out bogus emails using the addresses collected.
Alternatively, hackers may use software that generates random email addresses to use to disguise the actual origin of the message being sent.
Types of email hacking
1.Phishing
2.RATS(remote administration tools)
3.Key logging
4.Social Engineering(technique used by attacker by answering security question)
5.Side jacking(Session Hijacking)
6.From the mail server
1.Phishing
Phishing is an e-mail fraud method in which the Hacker sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well known and trustworthy Web sites. Web sites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, Best Buy, and America Online. A phishing expedition, like the fishing expedition it's named for, is a speculative venture: the phisher puts the lure hoping to fool at least a few of the prey that encounter the bait.
Techniques used within Phishing emails
1.Official looking and sounding emails
2.Copies of legitimate corporate emails with minor URL changes
3.HTML based email used to confuse target URL information
4.Standard virus/worm attachments to emails
5.A excess of anti spam-detection inclusions
6.Crafting of “personalized” or unique email messages
7.Fake postings to popular message boards and mailing lists
8.Use of fake “Mail From:” addresses and open mail relays for disguising the source of the email
An Example of a Fake Gmail Home Page
Things to keep in mind to avoid Phising attacks
1 Most fake communications convey a sense of urgency by threatening discontinued service
2.Many fraudulent emails contain misspellings, incorrect grammar, and poor punctuation.
3 Links within the fake email may appear valid but deliver you to a fradulent site.
4.Phishing emails often use generic salutations like "Dear Customer," or "Dear account holder," instead of your nameThe address from which the email was sent is often not one from the company it claims to be.
An Example Of a Fake Email
2.RATS(remote administration tools)
A RAT is also a shortcut called Remote Administrator Tool. It is mostly used for malicious
purposes, such as controlling PC’s, stealing victims data, deleting or editing some files. You
can only infect someone by sending him file called Server and they need to click it.
3.Key logging
Keystroke logging (more often called keylogging or "keyloggers") is the action of tracking (or logging) the keys struck on a keyboard, typically in a secret manner so that the person using the keyboard is unaware that their actions are being monitored. There are numerous key logging methods, ranging from hardware and software-based approaches to electromagnetic and acoustic analysis.
Types Of Keyloggers
1.Software-based Keyloggers
1.Software-based Keyloggers
2.Hardware-based Keyloggers
1.Software-based Keyloggers
Software based Keyloggers record each and every keystroke typed with the help of a Software.These keystrokes are stored in a log file.
An example of Keystroke log file
2.Hardware-based Keyloggers
Hardware based keyloggers record each and every keystroke typed with the help of a
Hardware device.
An Example of a typical Hardware Keylogger
An Example of how Hardware Keyloggers are connected to the system.
Countermeasures
Use of Virtual keyboard or On-Screen Keyborad can be an effective method to avoid
keyloggers.But,it will not work under certain circumstances.
4.Social Engineering(technique used by attacker by
answering security question)
Social engineering is the human side of breaking into a corporate network. Companies like ours with authentication processes, firewalls, VPNs and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone with someone they don’t know or failing to ask the right questions.
Forms of Social Engineering
Social engineering is not limited to phone calls; many organizations have reported cases involving visitors impersonating a telephone repair technician requesting access to a wiring closet or a new member of the IT department needing help accessing a file.
People, for the most part, look at social engineering as an attack on their intelligence and no one wants to be considered “ignorant” enough to have been a victim. It’s important to remember that no matter who you are, you are susceptible to a social engineering attack.
If you suspect social engineering – don’t be afraid to ask questions and/or notify your IT department. If a caller requests information that is technical in nature, please refer them to your IT department.
How to prevent social Engineering
1.usernames; Administrators should know it or can find out themselves
2.passwords; Administrators can ask your to enter it into the computer, but don't tell anyone
3.ID numbers
4.PIN numbers
5.server names
6.system information
Session Hijacking is an attack by which a hacker exploits a valid computer session and gains access to a client’s session identifier. Since HTTP is a stateless protocol, when a user logs into a website, a session is created on that Web Server for that user, this session contains all this user's information being used by the server so the username and password is not needed at every page request. The server uses a unique identifier(Session Identifier) to authenticate this user to this session, this session identifier is passed between the web server and the user's computer at every request. Session Hijacking is an attack by which the hacker steals this user's session identifier and then sends this session identifier as their own to the server and tricks the server into thinking they are that user.
After gaining access to a client’s session identifier for a website, the hacker then injects the client’s session identifier into his/her browser. From then on, when that attacker connects to that website, since his session identifier is the same as the authentic user, he will be logged in as that userand will have access to all of that user’s information and privileges on that website. Note - attackers cannot get a user’s password using session hijacking.
1. Use Secure Connections (Achieved through Secure Socket Layer(SSL) as much as possible, since SSL creates an encrypted connection between the client and server, any data the attacker steals during this transfer would be useless to them. However, SSL does not fully secure against this attack, and hackers can still use session hijacking even over HTTPS
2. Regenerate user's session identifier often, therefore, even though the attacker may manage to steal a user's session identifier, when it is regenerated, the Session Identifier he stole would be useless.
3. You can implement an IP Address Check to match a user's Session Identifier to his/her IP Address. However this may have its limitations.
6.From the mail server
0 comments:
Post a Comment