
Security expert dives deeply on four types of email attack

In a recent ITWC briefing, Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4, said there are many types of email attack being employed by hackers today, but he focused on four of them:

People are used to getting phishing emails, or having someone ask them for their password. But attacks are growing increasingly sophisticated. Heading into 2023, companies would do well to take a deeper dive into the kinds of things hackers are doing.

View on demand: Incredible Email Hacks You’d Never Expect and How You Can Stop Them

Password Theft Attacks

Grimes began with password hash theft attacks, which he said are common enough but are often carried out in a “unique” way.

Most people today, he said, know that when they create a password or log in to any modern OS, their password is converted using a cryptographic hashing algorithm specific to the OS and version. For example, if you choose ‘frog’ as your password, Windows converts it to what is called the Windows NT hash, and that is what gets stored locally on the Windows machine or in Active Directory.

As Grimes explained, attackers have learned that if they can get hold of your hashes, they can use password hash cracking tools or rainbow tables to recover the password that hash stands for.

Spray Attacks

Grimes proceeded to show attendees how simply opening an email or clicking on a link can put a person on a course to giving up their password information. He then moved on to another not uncommon but often very effective mode of attack, which he referred to as “credential stuffing” or a “spray attack” (strictly, credential stuffing replays username and password pairs leaked from other breaches, while password spraying tries a few common passwords against many accounts; both are built to stay under account lockout thresholds).

In the past, explained Grimes, hackers would try one password, then another, but they have since evolved their method. Nowadays, he said, “they’ll get a whole lot of login names – often trying to get every login name in an organization – and they’ll guess very slowly, what we call ‘wide, low, and slow.’ They’ll try a couple of passwords now and again, never at a rate faster than what the account lockout policy is.”

The object of this particular game is to avoid exceeding whatever lockout threshold the system has in place. The bad news for companies, said Grimes, is that “if [hackers] get locked out, they’ll wait … however long they have to wait for the bad login counter to reset.”
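An added example, not from the briefing, of why “wide, low, and slow” slips past a per-account lockout policy and what does catch it. The auth events, account names, addresses and guesses below are all constructed. The first function models a typical lockout policy (five failures on one account within a 30-minute reset window) and never trips, because no account ever sees more than one bad guess per window. The second pivots the same failures by source address and counts distinct accounts, which is the view a defender needs; in practice the input would be Windows 4625 events, cloud sign-in logs or the mail gateway's auth log rather than an in-memory list.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed auth log for the example: (timestamp, account, source, success).
    One source sprays three guesses, 45 minutes apart, across 40 accounts, while a
    legitimate user mistypes their password twice before signing in."""
    base = datetime(2023, 1, 9, 8, 0)
    accounts = [f"user{i:02d}" for i in range(40)]
    events = []
    # The guessed values are only illustrative; the log records failures, not guesses.
    for round_no, _guess in enumerate(["Winter2022!", "Welcome1", "Password1"]):
        start = base + timedelta(minutes=45 * round_no)
        for j, acct in enumerate(accounts):
            events.append((start + timedelta(seconds=j), acct, "203.0.113.7", False))
    for k, ok in enumerate([False, False, True]):
        events.append((base + timedelta(minutes=10 + k), "user07", "10.0.0.5", ok))
    return sorted(events)


def per_account_lockout(events, threshold=5, reset_after=timedelta(minutes=30)):
    """A typical lockout policy: `threshold` failures on one account within
    `reset_after` locks it. Returns the set of accounts that would have locked."""
    locked = set()
    failures = defaultdict(deque)  # account -> timestamps of recent failures
    for ts, acct, _src, success in events:
        q = failures[acct]
        while q and ts - q[0] > reset_after:
            q.popleft()  # the bad-login counter has reset
        if success:
            q.clear()
            continue
        q.append(ts)
        if len(q) >= threshold:
            locked.add(acct)
    return locked


def detect_spray(events, min_accounts=10, window=timedelta(hours=2)):
    """Pivot the same failures by source: one source failing against many
    distinct accounts inside a window is the spray signature the per-account
    counter never sees. Returns {source: peak distinct accounts failing}."""
    alerts = {}
    recent = defaultdict(deque)  # source -> (timestamp, account) of failures
    for ts, acct, src, success in events:
        if success:
            continue
        q = recent[src]
        q.append((ts, acct))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) >= min_accounts:
            alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    evts = build_sample_events()
    print("accounts locked by per-account policy:", per_account_lockout(evts) or "none")
    print("sources flagged by cross-account view :", detect_spray(evts))
```

The thresholds are the tuning points: a large organisation will see a handful of distinct accounts fail from a shared proxy or VPN egress every hour, so `min_accounts` and `window` should be set from a baseline of normal traffic, and sources that rotate addresses need the same pivot applied to the user-agent or the target password policy's failure reason instead. The lockout counter is still worth keeping; it simply is not the control that sees this attack.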

How popular is this type of attack? Grimes said Akamai reported 61 billion credential stuffing attacks in only a year and a half, almost 113 million every single day.

Grimes went on to discuss the tools hackers use in spray attacks, and the steps they typically take, and provided helpful intel for companies looking to stay safe from this sort of attack.

Rogue Password Recoveries

Grimes went on to discuss rogue password recoveries. “Most traditional email systems,” he explained, “even if they’re protected by [multifactor authentication], have a self-help portal for people who lose their password. The system will put your account in recovery mode, and send an SMS to your phone. That is the most common way to reset an account password … I don’t have to guess or know your password, I can just have it reset … but it involves sending you an SMS code. Or I can reset it.”

Grimes pointed to an all too common problem: that password recovery questions are often easily guessed by hackers. He presented two disturbing statistics:
