This Episode of CrackerCast looks at this weeks hacker news and describes the different methods hackers use to hack facebook passwords and all other socialnetworking/email websites services.

Download .mp3 (right-click -> save link as…)

You can subscribe to the podcast feed via one of the two feeds below (might take a day for itunes to update it) :FeedBurner or iTunes

News stories mentioned:

“”

Every time you open your email, the first thing that may greet you are mails from unknown people.  The subject line could have highly diverse topics, ranging from a simple “hi” to something as blatant as “erectile dysfunction.” Well, of course, getting an email from a company selling Viagra could be funny the first time you have it.  It gets a little annoying when these mails keep coming and increasing in volume.  It totally becomes frustrating when your Inbox is filled with these pesky emails that you do not know anymore which ones are valid.  For those who do not know yet, these are called SPAM mails.  The term originates in the late 1990s Monty Python’s Flying Circus comedy series.  In one of the episodes, the term spam has been repeatedly used by a group of Vikings, drowning out all conversations.  As you can see, spam mails also do the same — drown the mailbox.

Spam, whose correct terminology is a marketing mail, is a modern form of advertising and solicitation using modern electronic communications technology. It can be in the form of an unsolicited email, fax, blogs, chat room invitations and post-ups.  Spammers or those people who send this kind of mail will almost do anything to get people’s attention in order to generate traffic and sale. What they do is not very much different to what credit card and insurance companies do, which is called hard selling.  Getting a spam mail is like receiving an anonymous phone call from a fast-talking credit card company representative whose main purpose is to get you to sign up.

Spam mails are sent because they are the most inexpensive way of reaching the most number of people.  Millions of people have email addresses that the chances of a spam mail generating a sale could be quite good.  Traditional forms of advertising costs thousands to millions.  Although not as effective as traditional advertising, spam mails is proven to generate sales to a company who is engaged in this form of marketing.

Companies and even individuals profit from sending spam mails because the process is not expensive.  An individual can become famous through spam, like in the case of the person who made the “I love you” virus in 2000.  Sending spam mails could be tedious at times but the return on investments is high.  For instance, a publishing company that invests in a bulk mailing list for $500 can expect its sales to increase by 30 percent.  If its current sales revenue is $100,000, the increase could be about $30,000.

The first question that comes to mind when receiving an unsolicited mail is the sender.  Who sends these emails?  The answer is anyone.  It could be an organization, an individual, schools, and even the government.  And yes, organized crime groups could probably resort to spam mails when they find a need to do it.

How are spam mails sent?  These mails are sent by thousands in volume using computer servers specifically designed for such a purpose.  In fact, there are companies offering this kind of service to others.  Usually, an Internet Service Provider will have a cap on how many mails could be sent using its connection.  In this regard, companies engaging in bulk mail marketing would allocate one bandwidth for this purpose.  ISPs would block or cancel subscriptions of companies whose mail sending limit is repeatedly violated.

These marketing mails can be sent from anywhere.  As you know, remote access is already possible.  That means, a server in Russia, Korea, and even Afghanistan can be programmed to act as the host for thousands of marketing mails to be sent to people in the United States, Asia, and all parts of the globe connected to the Internet.  A PHP list and scripts to hide the identity or footprint of the sender are normally done to avoid detection and possible recrimination from the law.  Companies set up legitimate recipient email service addresses or website to accommodate those who would like to do business with the spam sender.

One uncommon way of sending bulk marketing mails is through the use of botnets.  These computers are hacked and controlled from the outside, turning them into a “zombie” army.  Botnets can be set up without the owners of the computers being aware of what is happening.  These zombie computers can be told to forward transmissions, like spam mails, and even farm for email addresses that are connected to the network.  This is downright unethical, of course.

How do spammers obtain email addresses?  The most common way for companies to get hold of email addresses is to buy them from the black market.  Bulk email lists are sold for a few hundred dollars, giving the company access to people who could turn out to be potential customers.  But how are these emails gathered?  The process is automated through the use of malwares.  There are software applications that can infiltrate networks and gather email addresses that are stored in every computer’s address book.  These bots can also gather addresses from websites, false website email registration campaigns, and by pressing a link from an email spam.

The kind of spam mails that are sent to users on a daily basis vary.  Some mails are about medicines that are used to correct sexual problems.  Others are about exercise programs.  There are also those who are advertising for government grants and scholarships.  Even online schools also send bulk marketing mails to advertise their institutions and their programs.  Almost all kinds of spam mails can be sent by companies who have access to the Internet and to email addresses.

How to Avoid Getting Spammed

If you are using Outlook, Eudora or Mac OS X Mail:

1. Secure your personal firewall and patch your workstation’s OS security issues or vulnerabilities in order to prevent it from being hacked by Trojans, Viruses and Botnets.
2. Purchase and install reliable anti-virus and anti-Spam applications to assist you in preventing and removing virus and email threats.
3. Never respond to an unsolicited email message.
4. Never sign up with sites that promise to remove your name from spam lists because the opposite happens.
5. Take meaningful action to stop spammers. You can do this by acquiring a third party service like spamcop.net to help fight spam by stopping the sender dead on its tracks.

If you are an email administrator.
1. Secure the network’s firewall and patch server’s OS security issues or vulnerabilities in order to prevent Trojans, Viruses and Botnets from infiltrating the system.
2. Purchase and install reliable anti-virus and anti-Spam applications to assist you in preventing and removing virus and email threats.
3. Install Spam filters like Spamassassin or acquire an appliance like IronMail to filter, eliminate or reduce spam from entering the server.
4. Acquire a third party service like spamcop.net to help fight spam.

“”

I constantly get emails of people asking me how to hack hotmail, hack yahoo, and all the other popular email services. Usually it’s for one of the following moronic cover-ups: It’s my password, I just forgot it. , or my boyfriend this or my girlfriend that. I just don’t understand what possesses them to possibly think that I give a hoot.  Nah, I love you guys, I’m just kidding! Everyone seems to think that there’s some hacking trick that will magically get them the password. Too bad you have to actually learn something. Bummer… eh? Below I have briefly described the most common methods.

Phishing - Phishing is by far the most used and easiest method. The attacker simply sets up a page that looks exactly like the real email login page and tricks people into entering their login information.
Update: Check out the new post on how to create your own phishing page here.

Malware - Attackers can infect computers with malware such as Trojan horses that could extract all the saved passwords on a computer or a key logger that will log all the victims typed passwords.

Guessing - The attacker could literally guess the password if the victim uses an easy password like his/her name, birthday, favorite something, pets name, or something similar. If the attacker knows the victim well enough this attack won’t be that difficult to carry out.

Social Engineering - The attacker could literally ask for your password by calling up the victim and pretending to be an IT employee of the company. Once the victims trust is gained, the attacker would then make up a story saying something like the victims password is needed to do some updates because the user database is down or some other bogus. The attacker could also use social engineering along with a phishing page. This would be done by sending the victim a n email that looks like it is from the real email provider. In the email would be a link to his phishing page telling the victim that he/she needs to login and update or change some information immediately for whatever reason.

If you would like to see in detail how to excecute every one of these methods, see The Hacker’s Underground Handbook.“”