Friday, April 17, 2009

Password Revisitied

I've been hearing a lot about HTTP-based brute-forcing of Web email accounts lately - in particular the use of automated tools - and there are few interesting aspects here that I think commentators are missing.

Firstly, the easiest (and fastest) way to brute-force a webmail account is to not use HTTP. Ignoring the major free-mail services (e.g. gmail, yahoo mail, hotmail, etc.), many people rely upon ISP-provided webmail services for their every-day mail access. What you will find is that these ISP-provided webmail services come bundled with the ability to host your own personal Web site - as part of the service. And, you've probably already guessed it, you use your email address and it's password to access via FTP or WebDAV. Therefore, brute-forcing via FTP/WebDAV is possible - in fact it's not only possible, it's also much faster and more efficient (in many cases, FTP won't lock out the account after too many password guess failures).

Another aspect for consideration is the fact that in most cases today you don't actually need to brute-force the password, instead you can focus on a much smaller subset of probabilities via the "forgotten your password" interfaces. While an account password may be 8 characters long and contain numbers, uppercase characters and extended characters, the password recovery may be as simple as guessing a favorite color or pet's name. Even security aware geeks fall for this - and I wonder how many passwords can be recovered by answering the "your favorite movie?" recovery question with "Star Wars"? - too many I bet.

So, what happens after all that? What if you want to "recover" a webmail account (yours or someone elses)? Hire an expert of course...

Password Recovery Services

If you have regular access to the Internet, the odds are pretty high that you’re also making use of the email services from one of the popular free Webmail providers. In fact, most people I know have multiple personal accounts on several of the most common platforms (e.g.,,, etc.).

Unfortunately, remembering the passwords for these accounts can be troublesome – particularly if you don’t use an account regularly or (more commonly nowadays) if you’ve been using some application’s “remember my account/password” functionality.

What happens when you’ve forgotten the password (or never knew it to begin with)? If contacting the email provider and answering the “forgotten password” questions hasn’t worked, there are several ways to gain access to the password.

If it’s been “remembered” by the Web browser or “saved” by the email client (e.g. Microsoft Outlook) there are several installable tools freely available to help recover the password. Most of the tools are very small and effectively do a little registry or memory hooking to “see behind” the *** asterisks, and present the password back to you. Meanwhile, others perform a little crypto magic and decode the stored password from somewhere else on the host.

I’ve used these tools many times in the past – both personally (e.g. recovering passwords for DSL modem dialup's when trying to migrate to a replacement PC) and professionally (having gained control of a remote host during penetration testing and needed to recover other user-level passwords for deeper penetration) – but you have to be pretty careful. Today, more often than not, you’ll find many of these “free” tools come bundled with spyware and keyloggers built in.

Someone Else’s Account

OK, but what if you’re in need of hacking in to someone else’s free Internet email account? What about if you don’t want the owner of the account to know you’re interested in getting their password and gaining access to their account? Well, in this age of hacking-as-a-service, you’d be right in guessing that it’s pretty easy to engage on-demand “password recovery” hacking services.

But why would someone want to use these hacking services? Funnily enough, the hacking-as-a-service web sites themselves will give you plenty of excuses why you’d want to engage their services in breaking in to personal email accounts…

  • Online Infidelity (Cheating Spouses)
  • Identifying Cyber Stalkers
  • Internet Security Audit
  • Background Search
  • Online Fraud Investigations
  • Employee Data Theft
  • Cyber harassment
  • Internet Surveillance
  • Password Recovery
  • Identity Theft
  • EBay (Online Auction) Fraud
  • Child Predators and Pornography

I think most people have a fair amount of personal information in their free webmail accounts. With the webmail providers continuously increasing their free storage capabilities (and making it very difficult to actually “delete” any emails), most users probably have several years of stored emails – emails likely containing order confirmation details, photo’s of loved ones, banking and personal account details, address details, etc. – all of which has a value to an identity thief and can be sold through any number of channels.

But it can go further than that. It must be hard for some employers not to engage these services themselves. How many times have you seen farewell emails go around the corporate email system with the leaving employee saying that they can be contacted at such-and-such webmail address? What if that farewell was from a manager or executive who was off to work for a competitor, or launch a start-up organization, and the likelihood of other employees following them was high? If the (former) employer could inspect that webmail account every so often they could probably figure out who was about to jump ship and maybe take preventative action.

Is it Legal?

Depending upon which country you happen to be living in, maybe – but more than likely “probably not”. You’d have to check with your own legal team (I’m not a legal expert), but the services being provided sound pretty-much like criminal hacking to me. At the very least they’re going to breach the terms and conditions of the webmail provider.

You’ll also find that many of the hacking-as-a-service providers will have their own “terms and conditions” and disclaimers for self preservation. By way of example, here’s a snippet from one such site:

"Use of Sites Services
We don't have any partnership or alliance with Yahoo, Hotmail, AOL, Rediffmail. If you lost your password from these sites you have to first contact the corresponding authority. We are recovering passwords using some of our softwares, brute forcing and dictionary attacks. We will not responsible for any damage occur in the email id you supplied.
We will not crack passwords of another persons. If you are contacting us to crack another users password, that will be 100% with your own risk. Password hacking of another persons account is illegal. So all legal and government actions relating to the case is against you only.”

Service Levels and Reassurances

Competition in the password hacking business is fierce, and you’ll find no shortage of suppliers. At the moment the market is fragmented, with many smaller hacking-as-a-service providers specializing in a handful of local country-specific webmail providers. For example, a quick search will reveal dozens of specialist Russian and Czech sites focusing on popular .ru webmail services – such as (,, and (,,,,,,,,,,,,,,

I’ve also come across a lot of portals that “specialize” in hacking any email account as long as it doesn’t belong to a .gov or .edu domain (which is interesting in its own right). But I’ve also stumbled across a few that cater exclusively to .gov and .edu mail services - so none are "safe".

That said, you’ll also find the competition has driven some of the larger international service providers to present polished commercial facades that promote the quality and professionalization of their services, with many offering money-back guarantees should they fail to retrieve the password of the account you’re interested in.

While most search engines will quickly uncover stacks of service providers, you’ll also come across lots of hacker forum postings promoting their services – each offering their own unique reassurances of their service. For example, with the help of an online translator:

To start probably need to reassure potential customers:
A) We are not advances.
[i.e. they do not need advanced payment]
B) We are carrying out transactions through the guarantors of the forum in which you find this announcement.
C) We provide daily report on the work done.
D) We are not physically stronger orders.
E) We maintain our established time frame.
F) We are polite and attentive, what you want.
About rules, see no need to write, because each order individually discussed with the client.

How much does it cost?

Whether you’re dealing with the hacking-as-a-service providers Web portal, or directly with the password recovery purveyor, “100” appears to be a popular figure for a single email account. That “100” may be in US dollars, Web-money WMZ, or some other form of currency, and can be paid using any of the usual online payment systems.

In the majority of cases, the providers do not require advanced payment, and the process of engaging a service provider is pretty easy. For example, the Crackpal service (pictured above) lists five easy steps to the password recovery of your targeted webmail account:

  1. Email the target id to or click to order password
  2. After Successful Crack we will send you the proofs
  3. Verify proofs and if you are well satisfied then you can reply back
  4. We will send the Detailed Payment information after getting reply
  5. After payment confirmation we will send the original password

Interestingly enough, while several payment options are available, it looks like they will only accept direct bank deposits from Malaysia, Singapore, the Philippines and India – which likely hints at their operational location.

Password recovery prices tend to increase once you move from popular webmail accounts to other email accounts. For example, charges a lofty $200 per retrieval session for POP3 email account passwords…

…and you’ll also uncover plenty of scam artists operating in this field.

Behind the Scenes

There’s actually not a lot going on behind the scenes in the attacks. As you’d expect, in almost all cases the hacking of the targeted email accounts are done through standard automated guessing techniques (e.g. dictionary attacks and brute-forcing) using commonly available tools and scripts.

What you will find though is that some degree of specialization has been necessary by the hacking-as-a-service providers due to CAPTCHA use. The smaller providers appear to be making use of tuned auto-CAPTCHA-breaking scripts, while the other “general” providers are more than likely employing human CAPTCHA breakers (you can find out more details of these CAPCHA breaking trends in an earlier blog entry on Mechanical Turks).

This approach is not necessarily guaranteed to retrieve all passwords – especially if it is a long and complex password (i.e. a “good” password). And it’s often for this reason that the providers won’t charge in advance (most common with fixed price recovery schemes). I suspect that each provider has decided upon a “maximum effort” level (or duration) that they’re will to expend in earning their 100 whatever-monetary-units.

But, as you’d expect, there are also a handful of hacking-as-a-service providers that charge based upon a sliding-scale of effort involved. You’ll often see such portal sites including details of how many IP addresses or botnet agents they will be using in their password recovery efforts – and you can sometimes select how much effort (as in time and agents) you’re willing to pay for.


How do you protect against someone employing these services to hack in to your webmail account? Unfortunately, there is very little you can do beyond the obvious.

  1. Use a webmail provider that is known to have good anti-bruteforce protection (e.g. check out the details of how they handle account lockout processes and alerting).
  2. Use a “good” password. There are plenty of guides on selecting appropriate passwords, but in general make it long and unpredictable. But beware – some webmail services don’t actually allow users to select passwords that would meet the “good” criteria (such as artificially restricting password length to 10 characters). If you’re currently relying on one such webmail provider, I’d recommend changing to another one that does – there’s no shortage of free webmail providers out there.
  3. Don’t keep your entire email history online if at all possible. Delete regularly – especially personal information!

If you’re like me and don’t really use free webmail services that much, but find you need something like them for handling all those bothersome web sites that require an email address so they can send you a confirmation email with a URL to download or access they thing you were actually interested in, then I’d recommend disposable webmail services such as (or

These types of email service allow you to specify any email address you want within that domain (e.g., and then access that “account” anytime without requiring a password. Obviously, they’re no good if you’re expecting any personal information to be received – and most don’t allow you to send emails either.

No comments:

Post a Comment