“Once an attacker gains access to your email, he is you,” says Omri Iluz, our CEO at PerimeterX, in an interview with CNBC. And most will believe that attacker really is you.
The Yahoo breach disclosed last week shows how long that access can last: roughly a billion accounts were compromised back in 2013, and those users' names, hashed passwords and the security questions and answers used to reset passwords have been exposed for years.
How hackers get into your email
Hackers have numerous ways to get into personal and business email. The traditional methods are phishing and brute-force login attacks. The latter can be highly successful, especially when the attacker replays stolen email/password combinations (credential stuffing), such as those taken from Yahoo and from the many other sites that have suffered large-scale data thefts. The average user has just over 6 passwords, while the average Internet user in the US is estimated in one study to have over 130 accounts. Do the math, and it's clear the same password is used across numerous accounts. In other words, many Yahoo passwords will also open bank accounts, ecommerce accounts, work-related applications like Salesforce, corporate email, and more.
We can assume that the credentials for any personal or business account can and will be leaked at some point. The real issue to confront now is how to block the attacks that will -- eventually -- take advantage of those stolen credentials.
So many email accounts to plunder - and undetected for so long
It's almost staggering to calculate how much damage criminals may have caused with access to that many Yahoo email account credentials for three years, and by selling them on the dark web. Fraud against individuals is the obvious example: because password-reset links and codes are delivered to the mailbox, a hacker inside your email account can reset the passwords on all your financial accounts, and can sleuth out the answers to your security questions from old messages. Your ecommerce accounts, gift card balances, and your child's college fund are likely to be accessible. By changing the contact data on those accounts, the thief can delay discovery of the crime.
There is a well-developed secondary market in “cracked” email accounts. According to TrendMicro, data for one stolen credit card fetches 22 cents on the underground markets, while a compromised email account is worth 14 times as much or more, at $3 and up.
Damage to organizations: Would you bank at a bank that lost millions via email?
No email hack in history is more famous than that of the mail servers at the Democratic National Committee, but hacking of business email is commonplace and rarely makes the news. Once inside an email account, stealing customer lists (and then corrupting or deleting them as sabotage) is not difficult. There are many ways a business email can be used for larger frauds. Besides serious financial loss, these organizations may also suffer lasting damage to their brand reputation and stock value.
Cybercrime has grown up
Individual hackers may still dumpster dive behind your apartment complex and attack accounts one by one, but sophisticated, organized criminal organizations now use automated malicious bots to do much of the grunt work once they penetrate accounts.
These groups upgrade their weaponry very quickly and are both experienced and skilled at evading conventional defenses. Their latest generation of bots lets them execute attacks very quickly and on a large scale. Fourth-generation bots, as they are known, can carry out a complex series of steps to achieve their goal. These are not the simple first-generation bots of the 1990s. These advanced bots are adept at mirroring the behavior of human users. When preparing to make a fraudulent purchase on an ecommerce site, such a bot may move the cursor the way a person would, look at products for several seconds, and even post product reviews before using a stolen credit card and a changed delivery address.
Traditional web defenses don’t even see these newer bots, so their attacks can go undetected.
It’s not about Yahoo, it’s what happens after accounts are compromised
Obviously, anyone who had a Yahoo account - or has any accounts, period - needs to update passwords, not reuse them, avoid brain-stumpers like "Password123", and change their security questions. The bigger picture - bigger than a billion Yahoo accounts - is the speed and impact of malicious bots, which get in the front door one way or another. Some newer bots, running inside a malware-infected browser or browser extension, can "ride along" with a completely legitimate human user's session, thereby getting access to Amazon, Facebook, and banking sites. Like any army, they can cause damage faster than a single foot-soldier. Bots are in your life. How do you stop them?
The mandate for business: Bot defense today, not next month
We at PerimeterX argue that the burden to protect user accounts is on the owners of the websites. Nobody else can magically solve this problem. Companies need to make their sites - and the customer accounts that could potentially be compromised - safer for their customers. They need to understand how real, human users behave and interact on their web pages. Any visitor session whose behavior departs from that human baseline is likely to be a bot and can be flagged for restriction or shutdown.
In response to these highly sophisticated bots and their latest attacks, there are now tools that examine visitor behavior in real time to distinguish humans from bots. A hacker's bot may have penetrated your site using stolen email credentials or through a malware-infected browser extension, but if you can detect the non-humanness of that visitor and shut it down, you can defend effectively and prevent damage.
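As an added example (not PerimeterX's code or product), here is what the two detections described above look like when run over constructed web-server log lines: flagging a source that replays leaked email/password pairs against many different usernames (the credential stuffing described under "How hackers get into your email"), and flagging a session whose timing no human could produce. The log format, the sample lines, the assumption that a failed login returns 401 and a successful one redirects, and every threshold are assumptions made for this illustration.

```python
"""Added example (not PerimeterX's code): flag bot-like login behaviour in web logs.

The log format, the sample lines, the HTTP status conventions and every
threshold below are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import pstdev

# Constructed sample log (hypothetical format):
# timestamp  client-ip  s=<session-id>  method  path  username-or-"-"  status
# Sessions h1/h2 mimic humans; session b1 replays a leaked credential list.
SAMPLE_LOG = """\
2016-12-15T10:00:00Z 198.51.100.7 s=h1 GET /login - 200
2016-12-15T10:00:09Z 198.51.100.7 s=h1 POST /login alice 302
2016-12-15T10:00:00Z 203.0.113.5 s=b1 GET /login - 200
2016-12-15T10:00:00Z 203.0.113.5 s=b1 POST /login bob 401
2016-12-15T10:00:01Z 203.0.113.5 s=b1 POST /login carol 401
2016-12-15T10:00:02Z 203.0.113.5 s=b1 POST /login dave 401
2016-12-15T10:00:03Z 203.0.113.5 s=b1 POST /login erin 401
2016-12-15T10:00:04Z 203.0.113.5 s=b1 POST /login frank 401
2016-12-15T10:00:05Z 203.0.113.5 s=b1 POST /login grace 302
2016-12-15T10:00:20Z 198.51.100.9 s=h2 GET /login - 200
2016-12-15T10:00:35Z 198.51.100.9 s=h2 POST /login heidi 401
2016-12-15T10:00:52Z 198.51.100.9 s=h2 POST /login heidi 302
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) s=(?P<sess>\S+) (?P<method>GET|POST) "
    r"(?P<path>\S+) (?P<user>\S+) (?P<status>\d{3})$"
)
LOGIN_FAILED = 401  # assumed: a failed login returns 401, success redirects (302)


def parse(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(dict(ts=ts, ip=m["ip"], sess=m["sess"], method=m["method"],
                           path=m["path"], user=m["user"], status=int(m["status"])))
    return events


def detect_credential_stuffing(events, window_s=60, min_users=5, min_fail_ratio=0.6):
    """Flag a source IP that tries many *different* usernames, mostly failing,
    within a short window: the signature of replaying a leaked credential list."""
    posts_by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login":
            posts_by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, posts in posts_by_ip.items():
        posts.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(posts)):            # sliding window over the attempts
            while (posts[end]["ts"] - posts[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = posts[start:end + 1]
            users = {e["user"] for e in window}
            fails = sum(e["status"] == LOGIN_FAILED for e in window)
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(window),
                               "failures": fails}
                break
    return flagged


def detect_inhuman_timing(events, min_fill_s=2.0, max_gap_stdev=0.5, min_gaps=4):
    """Flag a session that submits the login form faster than a person could
    type, or that paces its requests like clockwork instead of like a reader."""
    by_sess = defaultdict(list)
    for e in events:
        by_sess[e["sess"]].append(e)
    flagged = {}
    for sess, evs in by_sess.items():
        evs.sort(key=lambda e: e["ts"])          # stable: GET stays before a same-second POST
        reasons, form_shown = [], None
        for e in evs:
            if e["method"] == "GET" and e["path"] == "/login":
                form_shown = e["ts"]
            elif e["method"] == "POST" and e["path"] == "/login" and form_shown is not None:
                fill = (e["ts"] - form_shown).total_seconds()
                if fill < min_fill_s:
                    reasons.append(f"form submitted {fill:.1f}s after it was rendered")
                form_shown = None
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        if len(gaps) >= min_gaps and pstdev(gaps) <= max_gap_stdev:
            reasons.append(f"uniform request spacing (stdev {pstdev(gaps):.2f}s)")
        if reasons:
            flagged[sess] = reasons
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("credential stuffing by IP:", detect_credential_stuffing(evs))
    print("inhuman timing by session:", detect_inhuman_timing(evs))
```

On the sample data only 203.0.113.5 trips the credential-stuffing rule (five distinct usernames, all failing, within seconds) and only session b1 trips the timing rule (the form is posted in the same second it was served, and every request is spaced one second apart). The human sessions, including h2's one mistyped password, pass both checks. The thresholds are deliberately conservative: the uniform-spacing check needs at least four intervals so that a person who happens to click twice at the same pace is not flagged, and a real deployment would tune the window and ratios against its own traffic rather than these constructed numbers.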
Data breaches happen continually. Yahoo isn’t alone - it’s just the biggest that we know of, thus far. Individuals tend not to be great password defenders. Once bots cross over the barrier to access, they have the potential to commit fraud at scale, with speed. Since the bad guys have easy access to many millions of account credentials, organizations need to protect their users with the latest defenses. Quickly detecting malicious bot activity is critical. It is incumbent on businesses to scrutinize user behavior on each page and ensure that user accounts are not compromised for fraudulent purposes.