NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA Listmaster
NRT-0612 Internet password recovery services may be criminal
operation:
Internet password‑recovery services that promise to help
find lost passwords from Webmail message services may instead be
'hackers‑for‑hire,' according to an online news article.
The Chief Security Strategist for IBM's Internet Security Systems Unit, Gunter
Oilman, published a blog post about the password‑cracking services after
researching them.
Webmail services such as Gmail, Hotmail, and Yahoo are widely
used as a quick, low‑cost alternative to more sophisticated e‑mail
services offered by Internet Service Providers or corporations, and many
Internet users have at least one Webmail account for personal messages when they
cannot get access to the Internet, said Oilman.
He noted that a hacker can find a full suite of
Webmail‑cracking tools on the Internet for between $300 and $600, complete
with the ability to do brute‑force "guessing" of simple
passwords and enhanced tools for penetrating the CAPTCHA authentication methods
used on Webmail services.
Oilman said these services now are being turned into
hack‑for‑hire services. Such services have been around for about two
years, but today's CAPTCHA‑breaking methods have become so effective
that for about $100, the service provider can not only promise to provide the
password to a specific Webmail account, but can also provide subsequent
passwords if the legitimate owner should change passwords.
"These services can essentially give you a 'lifetime
service contract' that you will always know the password to that
account," said Oilman.
[darkreading.com 10Sep08; blogs.iss.net 08Sep08]