How to hack 16 million email accounts
Alex Evans · Published 24 Jan 2014, 08:11 GMT+01:00
The digital theft of millions of usernames and passwords was revealed by the Federal Office for Online Security (BSI) on Tuesday, but details of the cyber-attack remain unclear.
In an interview with The Local, Professor Prechelt, who specializes in network security, viruses and hacking, described how the heist was probably pulled off.
How did it happen?
Prechelt confirmed reports that the attack came from a "botnet" – a massive network of computers infected with malware (malicious software) by the culprits, which can be used to force access to those computers.
The hackers most likely installed "keylogger" software on the infected systems, he explained – illegal programs which record everything the user types, to be trawled for personal information.
Combining this with other software, which detects when certain data entry fields are active in internet browsers, makes it easy for the programmes to identify passwords and usernames automatically, which can then be sold en masse.
"If you do this with a lot of computers at the same time, you can collect a lot of data," Prechelt said. "But collecting these 16 million probably took a few months."
Who is behind this?
Theoretically, the heist could be a one-man job, according to Prechelt. "One highly competent person could definitely do this," he said. "There is a black market where you can buy the tech to build up a botnet like this, and after that you don't need any special skill to run it."
But a team of hackers is more likely.
"Once you've got the data you've then got to actually do something with it," he said. "Making money off it afterwards is another skill set entirely, so it's quite unlikely it was someone working alone."
And selling this information is a big business. In the right hands, it can be used to steal everything from credit card numbers to online banking credentials, either to make purchases and empty accounts, or to sell on to other criminals for the same purpose.
The Frankfurter Allgemeine Zeitung reported on Wednesday that this "flourishing" black market is so flush with stolen data that credit card numbers are sold for as little as $1. Email addresses, meanwhile, can be sold in bulk to spammers for as little as $1 per 1,000 addresses.
Where did this attack come from?
Like most cyber-crime, it is difficult to say where the culprits are based, but the fact that around half the hacked accounts were German-based addresses tells us much about the hackers' intentions, according to Prechelt.
"It seems they had Germany in their sights," he said. "Whatever they hope to do [with the data] after the attack, it has been planned with German circumstances in mind – that's why they targeted German users."
While the hackers could be based anywhere in the world, the fact they targeted Germany could suggest they were planning to sell the data to criminals active in the country.
"If you have a customer willing to buy the data, who's planning activities in Germany, then it's best to focus efforts on collecting that data in particular," he said.
And another benefit of limiting the target area is stealth. Prechelt said: "Narrowing the range of the attack means the chances of being discovered are a bit lower. If you try something on a global scale, there are more people who could get on your trail."
How can you protect yourself?
"The biggest chance of picking up a virus is hanging round the darker nooks and crannies of the web, on dubious websites and downloading from questionable sources," Prechelt said.
But avoiding dodgy websites isn't necessarily a solution, as a site can still be dangerous even if it is reputable. Any website that isn't totally secure can be "manipulated by hackers to infect computers with the sort of programs used for the data theft reported on Tuesday," Prechelt said.
"These seemingly reputable websites end up infecting thousands of people with malware," he added.
The first priority is good anti-virus software, he insisted, as the longer it takes for a virus to be detected and neutralized, the higher the chance it could do damage to your system, and spread to others.
But decent protective software should find malicious programs and quarantine them before they have a chance to collect any sensitive information.
Anyone worried their email address may have been compromised by the attack can use a website set up by the BSI on Tuesday to check if their details were among those stolen.