In 1971, almost two decades before the World Wide Web, Ray Tomlinson sent a message to himself on the ARPANET saying “something like QWERTYUIOP.” It is considered to be the first ever email. Internet mail and its functionality have evolved considerably over half a century, but its core principle has remained unchanged.
Email is meant to allow for asynchronous message exchange over the Internet. Asynchronous communication means that a message can be used at any moment following its creation, no simultaneous interaction between the recipient and the sender is required. A lot of people expected that the rapid growth of an entire branch of communication technology, the advent of chat rooms, social media, online instant messaging, and business communication platforms, such as Microsoft Teams and Slack, would contribute to the demise of email. No such thing has happened. Nowadays, email is still the main communication tool and without an email address we would not be able to sign up for the vast majority of services that were supposed to herald the decline of Internet mail.
The ubiquity of this service, the asynchronism (which we use to store message history), and the users’ disregard for basic Internet safety rules, make email the main target of cybercriminals’ attacks. Phishing, which involves sending emails that look deceptively like the real ones to recipients, is targeted at us all. According to the FBI, phishing was the most common type of cyberattack in 2020. The number of phishing incidents has nearly doubled from 114,702 in 2019 to 241,324 in 2020. Five years ago (in 2016), the number of such incidents was more than 11 times lower.
Most phishing emails contain malicious links directing to copies of popular websites that look similarly to them. These sites, prepared by criminals, usually try to steal user’s access data (login and password) or run malicious scripts exploiting vulnerabilities in user’s software. Often, the phishing message is accompanied by attachments that launch malicious code, if opened by the victim. ESET’s report on threats in 2020 states that the most common attachments are executable files (.exe), macros, MS Office documents, and PDF files.
The second common type of an attack is a direct hack of a mailbox, conducted with the use of a known password or a brute-force method. Practically every day there is a data leak from a larger or a smaller web portal. Frequently, the data contains passwords or their hashes. While in the case of a complex password, guessing it on the basis of the hash is time-consuming, simple passwords consisting of less than 12 characters can now be cracked within a few hours. Unfortunately, users often use even shorter passwords, which could be hacked on a home computer in a dozen or so minutes. The scale of the problem is well presented by an analysis of Alice Henshaw. In 2019, using the Hashcat tool and the AWS infrastructure (rented for $18), 80% of the passwords, originating from a leak containing over 14 million hashes, were cracked within 20 hours.
If the attacker does not have the user’s password, there is always another possibility – an arduous task of forcibly hacking the mailbox through an automated process of attempting to log into it, using the most common passwords.
Security problems with webmail services affect everyone. Public figures are even more vulnerable, for obvious reasons. Over a decade ago, hackers broke into the Belgian Prime Minister’s mailbox. Having gained access to his private emails, they forwarded many of them to the local newspaper.
In 2015, the private email account of the former head of the CIA, John Brennan, was hacked. The cybercriminal responsible for the attack gained access to government documents stored as email attachments on Brennan’s personal account because the Agency’s head sent them from his work email. Screenshots of some of the documents were made public on Twitter, including Brennan’s contact list and phone records of the former CIA Deputy Director Avril Haines.
A successful phishing attack also led to the well-known email data leak. Hillary Clinton’s campaign manager, John Podesta, unknowingly clicked on a malicious link in an email that looked like a message generated by Google. The senders were not from Google, but a group of phishing hackers whom the US government later linked to Russia. Deceived by the cybercriminals and his own advisor, Podesta not only clicked on the malicious link, but also entered the correct login credentials on the website prepared by the cybercriminals. This allowed the hackers to gain access to his email account. Soon after, thousands of Podesta’s emails began to appear on WikiLeaks, ultimately affecting the US presidential election.
In late May 2021, Microsoft informed about a new phishing campaign, targeting government agencies, think tanks, and consultants associated with NGOs, the majority of which operated in the United States. Microsoft attributed this activity to the Russian-based group, responsible for the SolarWinds attack. This activity coincides with an attack carried out against public officials in Poland. At the end of June 2021, a spokesperson for the Minister-Coordinator of Special Services said that:
“The Internal Security Agency (ABW) and the Military Counterintelligence Service (SKW) determined that the list of targets of a sociotechnical attack, carried out by the UNC1151 group, included at least 4,350 email addresses belonging to Polish citizens or appearing in Polish email services. The Polish Special Services possess information that the aggressors are connected to the activities of Russian special services. (...) The list also includes an email address used by Minister Michał Dworczyk. The services responsible for cyber security analyzed several messages sent to the Minister’s address that could have been used for phishing – their content and design was aimed at obtaining login credentials. We also noted several logins from abroad to the email account used by Minister Dworczyk.”
The same group is responsible for hacking the accounts of German politicians. The actions of the UNC1151 group are part of the “Ghostwriter” campaign. Its aim is to destabilize moods and the political situation in Central European countries. As a result of the attack, the documents and correspondence from Minister Dworczyk’s private account were made public on the Telegram platform.
In all of the examples above, apart from the obvious mistake of using private email accounts for work purposes, we have to deal with several other basic types of negligence. We all need to remember that we are responsible for the security of our own correspondence and the one that is entrusted to us. Even the best security protections, offered by service providers, will not defend us from an attack of the criminals if we do not use them. Therefore, how to protect an email account? Let us check whether our passwords are not leaked – we can do it by using the haveibeenpwned.com website. Let us change your passwords to strong ones, preferably with at least 16 characters. We should not use the same password in every case, and, if it is possible, let us remember to enable two-factor authentication.
author: Wiktor Sędkowski
Wiktor Sędkowski graduated in Teleinformatics at the Wrocław University of Science and Technology, specialized in cybersecurity field. He is an expert on cyber threats. CISSP, OSCP and MCTS certificates holder. Worked as an engineer and solution architect for leading IT companies.
This article was written as part of the statutory activities of the Polish think tank Warsaw Institute. If you appreciate the content prepared by our partner, we appeal to you for financial support for this non-profit organisation.