October 2011
Overview

The use of compromised accounts (accounts whose credentials have been stolen or that have otherwise been hacked) to send spam and scams has increased throughout 2011 and now makes up a growing percentage of the unwanted email sent by spammers. Commtouch tracks spam, malware and Internet threats through the billions of Internet transactions it sees daily in its cloud-based GlobalView Network. Earlier this year, Commtouch Labs identified the trend of increasing use of compromised accounts to send spam and malicious email messages. To complement the data gleaned from Commtouch's bird's-eye view of global email traffic, the following end-user research was compiled in order to explore the theft, usage and recovery of these compromised accounts. This document reviews the survey and its results, shares some data from the GlobalView Network, and includes tips for users to prevent their accounts from being hacked or compromised.

Introduction

THE CHANGING SPAM LANDSCAPE

In March 2011, the Rustock botnet, which was responsible for over 30% of global spam, was taken down by a Microsoft-led consortium. In the past, botnet takedowns have resulted in temporary drops in spam levels followed by sustained increases, as spammers created new botnets and resumed their mass mailings. The months following the Rustock takedown have not followed this pattern: spam levels have dropped to their lowest in several years. This sustained drop indicates that spammers are rethinking the use of large botnets for spam and scam email as these become less profitable. There are two main reasons for the drop in profitability:

1) Botnets can be taken down (and other high-profile botnets besides Rustock have been), instantly destroying vast amounts of spam-sending infrastructure.
2) IP reputation-based anti-spam has become very effective at blocking spam originating from botnets, with typical success rates of 85-95% on the sending IP address alone; other detection factors then bring overall detection rates into the high 90s percent.

The first issue can be partially sidestepped by running many small botnets. This does not, however, resolve the second issue: how to bypass IP reputation systems.

SPAMMERS SWITCH TACTICS

To get around the problems of sending spam from botnets, spammers are increasingly moving their traffic from botnets to compromised email accounts wherever possible. Spam from compromised accounts is harder for many anti-spam technologies to block, since these accounts sit within whitelisted IP address ranges (such as those of Hotmail or Gmail), which neutralizes any solution based on IP address blocking (IP reputation). Sender authentication offers no help here either: the message genuinely leaves through the provider's own servers, so checks such as SPF and DKIM pass. Naturally, spammers can set up their own accounts rather than compromising other people's, but email providers obstruct this to the best of their ability. The other advantage of a compromised account is that recipients are often more trusting of the message, since it comes from a known source.

Compromised accounts do, however, present two main disadvantages for spammers:

1) They can only be used for relatively small spam runs of a few hundred or a few thousand messages before the provider detects them. This partially accounts for the reduced spam levels.

2) The accounts need to be compromised, hacked or stolen first.

The new spammer tactic therefore favors compromised accounts delivering smaller volumes of spam with a better delivery rate.

INCREASED USE OF COMPROMISED ACCOUNTS

The increased preference for compromised accounts is illustrated by the graph below, which compares the percentage of spam received over sample periods in Q2 and Q3 2011 where the "From" field contains a Gmail or Hotmail address. Based on the IP address of the machine that delivered it, each received spam message was either:

- sent from a zombie (botnet machine) with a forged Gmail or Hotmail address in the "From" field, or
- sent from a compromised or spammer-created account at Gmail or Hotmail.

The collected data shows spam from real provider accounts growing in Q3 for both Hotmail and Gmail. Between 28% and 35% of the spam purportedly from Hotmail comes from real Hotmail accounts that have been compromised or set up by spammers. Gmail spam, on the other hand, is mostly (96-97%) from zombies that simply forge Gmail addresses.

Figure: Q2 and Q3 2011 analysis of spam from Gmail and Hotmail. Source: Commtouch.
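The zombie-versus-real-account split described above comes down to one check: did the message reach the receiving mail server from an IP address that belongs to the provider named in the "From" field? The following is an added worked example of that check and of the per-provider percentage the graph reports; it is not Commtouch's code or GlobalView logic. The provider netblocks are constructed placeholders (RFC 5737 documentation prefixes), not the real Gmail or Hotmail ranges, and the sample messages are constructed.

```python
import ipaddress
from collections import Counter

# Constructed stand-in netblocks for each provider's outbound mail servers.
# The real ranges are published by the providers themselves (for instance via
# their SPF records); RFC 5737 documentation prefixes are used here so that the
# example runs offline and is obviously not real data.
PROVIDER_NETBLOCKS = {
    "gmail.com": [ipaddress.ip_network("192.0.2.0/24")],
    "hotmail.com": [ipaddress.ip_network("198.51.100.0/24")],
}


def from_domain(from_header: str) -> str:
    """Domain part of the address in a From: header value, lowercased.
    Handles both 'user@example.com' and 'Display Name <user@example.com>'."""
    addr = from_header
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1:addr.index(">")]
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify(from_header: str, sending_ip: str) -> str:
    """Classify one spam message the way the report does: if the claimed
    provider's own servers handed the message to us, it came from a real
    account there (compromised or spammer-created); otherwise the address was
    forged by a zombie. `sending_ip` is the address that connected to the
    receiving MTA, never something the sender wrote into its own headers."""
    blocks = PROVIDER_NETBLOCKS.get(from_domain(from_header))
    if blocks is None:
        return "other"
    ip = ipaddress.ip_address(sending_ip)
    if any(ip in block for block in blocks):
        return "provider-account"
    return "zombie-forged"


def summarize(messages):
    """Per claimed provider, how much of its spam really came through the
    provider: the figure the report's Q2/Q3 graph plots for Gmail and Hotmail."""
    counts = {}
    for from_header, sending_ip in messages:
        verdict = classify(from_header, sending_ip)
        if verdict == "other":
            continue
        counts.setdefault(from_domain(from_header), Counter())[verdict] += 1
    report = {}
    for domain, c in counts.items():
        total = c["provider-account"] + c["zombie-forged"]
        report[domain] = {
            "total": total,
            "provider-account": c["provider-account"],
            "zombie-forged": c["zombie-forged"],
            "pct_provider": round(100.0 * c["provider-account"] / total, 1),
        }
    return report


# Constructed sample: (From header value, IP that connected to our MTA).
SAMPLE_SPAM = [
    ("Alice <alice@gmail.com>", "192.0.2.10"),      # real Gmail account
    ("bob@gmail.com", "203.0.113.7"),               # zombies forging Gmail
    ("carol@gmail.com", "203.0.113.8"),
    ("dave@gmail.com", "203.0.113.9"),
    ("erin@hotmail.com", "198.51.100.5"),           # real Hotmail accounts
    ("frank@hotmail.com", "198.51.100.6"),
    ("Grace <grace@hotmail.com>", "203.0.113.10"),  # zombies forging Hotmail
    ("heidi@hotmail.com", "203.0.113.11"),
    ("ivan@hotmail.com", "203.0.113.12"),
    ("judy@example.net", "203.0.113.13"),           # not a tracked provider
]

if __name__ == "__main__":
    for domain, row in summarize(SAMPLE_SPAM).items():
        print(f"{domain}: {row['pct_provider']}% of {row['total']} messages "
              f"came from real {domain} accounts")
```

Like the report, this lumps compromised and spammer-created accounts together; telling them apart needs the provider's own account history. The "provider-account" bucket is exactly the mail that IP reputation cannot touch, so any further filtering of it has to rest on content and sending behaviour rather than on the connecting address.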
Surveying compromised accounts

The increased use of compromised accounts raises several questions:

- What accounts are targeted?
- How are the accounts compromised?
- Are the accounts used for other purposes besides spam and scams?
- How do users figure out that their account is compromised?
- How do users regain control of their accounts?

To better understand these issues, during September and October 2011 Commtouch ran a public survey of email users who have had their accounts hacked or their credentials stolen. The survey was publicized on LinkedIn, Twitter, Facebook and the Commtouch Blog.

WHICH ACCOUNTS WERE TARGETED

Participants were asked which of their accounts were compromised. Each of the large Webmail and social networking providers (Gmail, Yahoo, Hotmail and Facebook) attracted between 15% and 27% of the attention from cybercriminals. This suggests that the value of a compromised account lies in the clean IP address rather than in the specific domain of the address: from this point of view all such accounts have similar value, since each comes from a well-known domain. Those who answered "other" included users of AOL, Comcast and several other providers.
HOW WAS THE ACCOUNT COMPROMISED

The majority of survey respondents (62%) were not sure how their account was compromised, indicating that many people engage in risky online behavior without realizing it. It is not always easy to work out how an account was compromised, and retracing one's steps does not always help. None of the respondents believed they had been phished or had been victims of a drive-by download (by following a phony link). It is quite likely that many of the victims simply used easy-to-guess passwords, or reused a password on another site that was itself breached; neither leaves a trace the victim would notice. 15% recalled having used a public Internet terminal or public WiFi prior to the hack.
WHAT WAS DONE WITH THE STOLEN ACCOUNTS

The value of a stolen account is twofold: it provides a clean IP address, and a message from it carries an element of trust, since it is (in most cases) received from a friend or acquaintance. It is therefore not surprising that most compromised accounts (54%) are used to send out spam. The second most common use, at 12%, is the "friend stuck overseas" scam, which blatantly exploits the trust element. Examples of both of these types are provided here. For the 23% of respondents who did not know how their compromised account had been abused, it may be assumed that the accounts were used for a mix of spam and scams.
HOW WERE THE ACCOUNT OWNERS MADE AWARE OF THE COMPROMISE

In 54% of cases, the compromised account owners learned of the breach from their friends; it seems no one is as good at pointing out people's errors as their own friends (who also receive the spam and overseas scams). Users probably assume that Gmail, Yahoo, Hotmail and Facebook are keeping an eye out for hacks and other abuse. Alternatively, some users might think that they will notice strange activity in their account as soon as it happens. The results, though, indicate that "received an official email" (15%) and "I noticed it myself" (31%) are both far behind the rapid alert service known as good friends.
WHAT ACTION DID ACCOUNT OWNERS TAKE TO RECOVER THEIR ACCOUNTS

The modern equivalent of changing the locks seems to be the key to regaining control of an email account. Most users (42%) resolved the issue with just a password change, and a further 23% added an antivirus scan for good measure. A surprising 23% of respondents did nothing to remediate their account, believing this was a one-off event. Some of those who answered "other" had taken the issue up with their email provider.

A password change on its own does not undo changes an attacker may have made inside the account, such as mail forwarding rules, filters or an altered recovery address; these should be reviewed as part of the cleanup.
Preventing compromised accounts

As the survey data shows, most users could not pinpoint the origin of the compromise. The following hints would probably have prevented many of the stolen accounts that were surveyed:

- Use passwords that are difficult to guess: no keyboard sequences (qwerty, 1234qwer, etc.), no birthdates, no common names. Mix numbers and capital letters.

- Use different passwords for different sites. If your Gmail is compromised, then at least your Facebook and other accounts will remain secure.

- Consider using a password manager that stores all your passwords, generates new ones, and syncs them between your different PCs, laptops and tablets. Keep your master password complex and safe. We recommend thinking of a sentence that you will easily remember, taking the first letter of each word, and then substituting numerals for certain letters. For example, if your easily remembered sentence is "roses are my wife Dierdre's favorite flowers", your password would start out as ramwdff; you could then switch certain letters with numbers, such as 4 for the letter A and 3 for the letter E, and so forth. This produces a string that appears in no dictionary and is hard for anyone else to guess, but fairly easy for you to remember. Note that the string is not random, and digit-for-letter substitutions such as these are well known to password crackers, so choose a long sentence: the length of the resulting string protects you more than the substitutions do.

- Think carefully before using a public Internet terminal; consider whether you really need to use one at all. If you do, remember to uncheck the "remember me" box when you log in to your email or Facebook, and do not forget to log out and close the browser window when you are finished.

- Do not open email attachments or click on links in emails you were not expecting, such as UPS delivery notices, invoices from online stores, hotel bill corrections, credit card error letters, etc. Treat all unexpected attachments as malware, even if they appear to be only a PDF, Word or Excel file: there are common ways for a malware distributor to hide an executable inside what appears to be a PDF or Word document.
- Do not follow links on Facebook that come with hysterical or generic text such as "check this out!!!!!" or "Thought you might like this!!". Avoid Facebook links that promise a current-event scoop such as "Amy Winehouse pictures!" or "Osama bin Laden death video!". To date, there is no Facebook application that lets you see who has been viewing your page; never follow any link that promises this functionality.

- Never respond to a request for your password, no matter how official or urgent the email looks.
- If your email provider offers single-use passwords (as Gmail does), enable them. In the case of Gmail, you can either install an application on your mobile phone that generates a single-use code (a six-digit number, derived from a secret shared with Google and the current time, that changes every 30 seconds), or have Google send the code to your phone by SMS. This way, someone determined to hack into your account will also need access to your mobile phone.

- Finally, be sure to set up a secondary email address or phone contact for your Webmail accounts; this can be used to help you recover a compromised account.

Conclusions

Legitimate user Webmail and Facebook accounts are a valuable prize for spammers and scammers. The use of these accounts for spam and scams is expected to increase, and users should therefore take basic precautions when they access these accounts in public places, as well as observing sound password management.

About Commtouch

Commtouch (NASDAQ: CTCH) safeguards the world's leading security companies and service providers with cloud-based Internet security services. A cloud-security pioneer, Commtouch's real-time threat intelligence from its GlobalView Network powers Web security, messaging security and antivirus solutions, protecting thousands of organizations and hundreds of millions of users worldwide.

Visit us:
Email us: info@commtouch.com
Call us: 650 864 2000 (US) or +972 9 863 6888 (International)

Copyright 2011 Commtouch Software Ltd. Recurrent Pattern Detection, RPD, Zero-Hour and GlobalView are trademarks, and Commtouch is a registered trademark, of Commtouch Software Ltd. U.S. Patent No. 6,330,590 is owned by Commtouch.