who understands email hacking here?

Matt1959

Free Member
Sep 8, 2006
6,325
1,225
to all you tech wizards out there - I have an ongoing issue with ISP email hacking and am thinking about paying someone to dig very deep into whats been going on and try and find a cause if that is even possible. But before parting with my dosh I do need to know that I am using someone who understands email platforms, hacking and spoofing like the back of their hand . Is there anyone here with the in depth knowledge to look into this for me?

I need to know.....

was my ISP email account hacked
if yes, how was it hacked and when
how was my address book accessed and when
was there an ISP data breach, if so how and when

many thanks
 

Alan

Free Member
  • Aug 16, 2011
    7,089
    1,974
    - was my ISP email account hacked
    Do you mean - was it hacked at the ISP level - unless you have the ISP investigating that will be close to impossible

    - if yes, how was it hacked and when
    As above

    - how was my address book accessed and when
    Where is your address book kept - on server (ISP) or on your PC (what mail client do you use?)

    - was there an ISP data breach, if so how and when
    unless you have the ISP investigating that will be close to impossible

    If you really suspect that the ISP is at fault, then you probably will have to work via the ICO to instigate a security audit of the ISP


    A lot depends on the detail but the most likely causes are, in order of likelyhood
    - malware that you have on your (Windows?) PC
    - a phishing attack (fake login website) got your log in details
    - brute force attack on your email account password, (i.e. weak password)
    - insecure server side email webclient (e.g. un-updated version of Roundcube) with 'backdoor' exploits
    - email in a shared hosting environment (cpanel) where another 'account' has been compromised

    The least likely is that the ISP has an inherent security issue (depending on the size of the ISP and the amount of effort they put into security)
     
    • Like
    Reactions: Matt1959
    Upvote 0

    estwig

    Free Member
    Sep 29, 2006
    13,071
    4,830
    in the cloud
    Maybe not related but I'll throw it out there anyway.

    I have had computer viruses in the past that send me emails from my contacts, that look like they are coming from clients in my contact list. The usual rubbish about action needed from my bank or an invoice needs settling, that kinda thing.

    Are you seeing a virus, malware, whatever it is called, that is actually on your machine and nothing to do with your ISP, or hosting.
     
    Upvote 0

    Matt1959

    Free Member
    Sep 8, 2006
    6,325
    1,225
    ok the background on this is I and many other users of a major ISP (dont want to name names here publicly but happy via PM) have had their email address books accessed without our knowledge. In my case my contacts have been spoofed (emails containing viruses sent to my contacts seemingly from me). This has been happening since late October last year, to date 8 lots of spoof gone out to my contacts on average every 15 to 20 days hundreds of emails each time.

    When it first happened I realised very quickly as contacts started emailing to tell me and I changed my password straight away. Predictably this made no difference as my contact list had already been accessed.

    There has never been any trace in my sent items of spam being sent.

    The account in question is the ISP direct not a mail client.

    The ISP deny all knowledge. Affected users have contacted the ICO but no progress made.

    I use a MAC and no viruses on it when checked after first spoof went out. I take It security very seriously and know not to click links etc

    I do understand all the points made above but affected users have all had their contact lists accessed and spoof sent out all during the same time period. It seems like I'm at a dead end here unless someone can shed light on something as I am not techy minded. Like I said, I'm happy to pay someone to take a look at this if it is considered worthwhile. There are patterns to the spoofing whereby multiple users are seeing spoof sent out on the same date more than once which suggests something more at play here rather than individual PC hacking.

    Just one specific question if possible - if my ISP email acc was brute forced via the password would my ISP 100% know this had happened?
     
    Upvote 0

    Jon Neale

    Free Member
    Jun 14, 2015
    118
    17
    As previously stated it is far more likely to be a localised infection. Run something like malwarebytes on as many devices as you have accessed the account from.

    Most isp have a number of attempts before the account gets locked out this significantly reduces the chances of brute force attacks, similarly they use 2 level authenticating for re-in-statement (text you and email you or similar).

    Yahoo's help page for this kind of issue:
    https://help.yahoo.com/kb/SLN3417.html
     
    • Like
    Reactions: Matt1959
    Upvote 0

    IanG

    Free Member
    May 8, 2011
    962
    200
    Sounds fairly standard.

    ISP or your sent box have no proof because the mails didn't originate there - they just look like they do.

    ISP account and password hasn't been brute forced, it doesn't need to be because the vulnerability is client side somewhere.

    If you are sure your own machines are OK then its someone else in the book who has you in their's. The list of addresses that is acquired by the infection isn't necessarily who is sending or receiving, typically the to and from addresses and normally a load of CC are picked arbitrarily.

    So for example if you have ever emailed me but I'm using a POP box and local software, and that address list gets disclosed then yours is in the wild and therefore a candidate for being used in that way, to look like its sending mails.

    Very little you can do, very little proof of anything, best you can hope for is to ask everyone who has your address in their address book to be as strict as you are (not happening) or examine the mails to get the IP routes from them (pointless - they're all miles away and unregulated).

    I'll gladly take money off you to explain the 'something more at play' bit but its basically that if you know what you're doing you can have email appear anywhere, from anyone, to anyone without any real degree of authentication. Hence why you can see multiple users sending on the same. Those emails are just being populated from the same address pool.

    Very little you can do. Most people who have been on the internet for more than five minutes will know that they're not actually from you, or the people that you know.
     
    • Like
    Reactions: estwig and Matt1959
    Upvote 0

    Matt1959

    Free Member
    Sep 8, 2006
    6,325
    1,225
    the ISP is Virgin. Sep/ Oct last year they migrated their email platform away from Google due to Google stopping supporting ISPs. This mass spoofing affecting multiple users all started happening Sept/Oct last year coinciding with the migration. In terms of numbers, there are 63 registered users of a help group that are affected but clearly this is the tip of the iceberg.

    Does the above info change anything?!
     
    Upvote 0

    IanG

    Free Member
    May 8, 2011
    962
    200
    Lets assume you are person 1 of the 63.

    Some other user - call them person 20 - has run some malicious code. Emailed to them purporting to be an invoice, tracking info for a parcel etc. And they've opened it.

    Person 20's address book - which contains all 63 people - is now in the wild.

    Every single one of those addresses can now send* email.

    * - Of course they are not sending it themselves, but appearing to do so from computers elsewhere on the internet.

    So it would not be unusual to see 63 emails, each with a unique From: address, at the same time (ie. just after 20 falls victim).

    Person 20 will probably have more than just this group's 63 emails, so you can assume some of those have had the code mailed to them as well. If they run it then you increase the distribution exponentially and your address (and the other 63) will still be in there ready to be sent from an address outside of the original 63.

    You might even find that emails are originating from a friend-of-a-friend computer some number of hops away.

    Worst case you have 100 each, you only need some rudimentary maths to see that is a few million people very quickly assuming they all try and open the email.

    Best case its far less than that but still enough.
     
    • Like
    Reactions: Matt1959
    Upvote 0

    KM-Tiger

    Free Member
    Aug 10, 2003
    10,344
    1
    2,893
    Bexley, Kent
    but its basically that if you know what you're doing you can have email appear anywhere, from anyone, to anyone without any real degree of authentication.
    You don't even need to know what you are doing really.

    Unfortunately the SMTP protocol that is used for sending email has no real checks. Anything can be spoofed.

    It sounds like the OP is the victim of a "joe job".
     
    • Like
    Reactions: Matt1959
    Upvote 0

    Matt1959

    Free Member
    Sep 8, 2006
    6,325
    1,225
    Lets assume you are person 1 of the 63.

    Some other user - call them person 20 - has run some malicious code. Emailed to them purporting to be an invoice, tracking info for a parcel etc. And they've opened it.

    Person 20's address book - which contains all 63 people - is now in the wild.
    but none of us know each other or have ever emailed each other.....
     
    Upvote 0

    IanG

    Free Member
    May 8, 2011
    962
    200
    Sorry I misunderstood, you just mean you know of 62 other people who have complained.

    Seems plausible, there are probably a few million affected.

    Take my explanation above and edit to mean the address books of your friends, and their friends and their friends. Same principle.

    Then at some point in the future 63 unrelated people from the pool of a few million join a Facebook group.

    Regarding the apparent spike in usage, there is probably a cause. You might find there's a new variant of the code which went undetected by anti-virus for a few days. Or someone who is benefiting from the collection of addresses has launched a new campaign.

    There will be some explanation for it, not necessarily your computer or those of your ISP as you suggest. The details of which you will probably never know, its only speculation but given what you've said about your own computer you have exhausted your own options.

    Sorry to be vague - and I will answer further questions if you have them - but even a full investigation would not yield the type of answers you're looking for. If it were that easy the problem would have been cured years ago but sadly it is still prevalent particularly amongst people who are easily socially engineered. Which is a lot of people in this country and beyond.
     
    • Like
    Reactions: Matt1959
    Upvote 0

    Alan

    Free Member
  • Aug 16, 2011
    7,089
    1,974
    If you can get hold of a full copy (including headers) of the allegedly 'spoofed' email then it can be established if it has indeed been spoofed.

    Whilst not a guarantee of spoof prevention you can added DKIM ( http://www.dkim.org/ ) and SPF ( https://en.wikipedia.org/wiki/Sender_Policy_Framework ) records to your domain (assuming you are using your own domain for email )
     
    • Like
    Reactions: Matt1959
    Upvote 0

    Alan

    Free Member
  • Aug 16, 2011
    7,089
    1,974
    By the way, the foot print of this seems to be the typical Microsoft Word email problem, when a document contains a malicious macro.

    I use a MAC and no viruses

    What do you use on the Mac - do you have Office or just don't use microsoft products?

    What protection are you running on your Mac - I run Bit Defender and it picks up about 100 emails a day with these mailicious attachments
     
    • Like
    Reactions: Matt1959
    Upvote 0

    Alan

    Free Member
  • Aug 16, 2011
    7,089
    1,974
    I see there is quite a long thread on Virgin's community https://community.virginmedia.com/t...romised-official-response/td-p/2894606/page/4

    You won't be able to prove anything examining this issue externally to Virgin, you'd have to get right inside their servers to discover if there really has been breach directly into them, and that can only be (I believe) instigated by a mandatory IS audit ( mandated by the regulatory body ICO )
     
    • Like
    Reactions: Matt1959
    Upvote 0

    Matt1959

    Free Member
    Sep 8, 2006
    6,325
    1,225
    Alan , I trying hard to get back to some work here.... but just to answer this one (will come back re. your queries on other post later) what do we have to do in order to get the ICO to do more? is there a precedent for this? What sort of numbers of affected users are needed before people take note? 63 at the moment, Ian suggested millions potentially. VM has 4.2m subsrcibers, clearly theres a hill to climb here!

    I really do take onboard everyones points about this being a lost cause but if you dont try....
     
    Upvote 0

    Matt1959

    Free Member
    Sep 8, 2006
    6,325
    1,225
    @TT, seems people here think it unlikely that my account has been hacked via the password. In any case, this would surely show up at VMs end.?

    I'm still not understanding how its all happened to multiple users who dont know each other at the same time. Seems like a concerted effort by some entity rather than piece meal compromising of individual machines.

    Interesting to see the identical attack in 2011 when Virgin were using Google.

    Nevertherless all above help and advice much appreciated...thanks
     
    Upvote 0

    Matt1959

    Free Member
    Sep 8, 2006
    6,325
    1,225
    all things considered, including the fact there were two identical spoofing episodes in 2011 and 2015 involving Virgin and bearing in mind the fact that at least 63 unconnected users had their accounts messed with at the same time, what percentage chance do people think these spoofing issues are down to Virgin? 1% chance? 10%? or what figure???
     
    Upvote 0

    Alan

    Free Member
  • Aug 16, 2011
    7,089
    1,974
    Hi Alan , what is the virgin portal exactly?

    in english please;)

    This bit - http://www.virginmedia.com/myvirginmedia

    If it is only 63 users, then I would say that the balance of probabilities access was obtained via phishing - e.g. a clone http://www.virginmedia.com/myvirginmedia and a nice little well formatted email which says something like 'you have a secure message on you virgin account - click here to login '

    If it was 10,000 users then the probability goes up in my mind that it is related to the 'portal' and some 'hole' in that.
     
    • Like
    Reactions: Matt1959
    Upvote 0

    Matt1959

    Free Member
    Sep 8, 2006
    6,325
    1,225
    Alan thats fair comment re. the published numbers. I've always believed this is the major flaw in my argument. Interesting to read earlier in the thread that ianG felt the 63 could represent many more. Its hard to estimate how many are affected from the stats available.
     
    Upvote 0

    RichardfromOquile

    Free Member
    Aug 12, 2015
    30
    7
    London
    Matt1959, I would suggest moving away from you mail provider to a service like Google apps. Your mail will be a lot safer once it has been scanned by Google. Their spam filters (which include malicious email blocking) are far more advanced than most(all?).

    With regards to getting to the bottom of what happened and how, you won't. To prove anything you would need:
    1. collect up a large sample of the emails received (the originals)
    2. get the emails analysed by a professional
    3. ask the ISP to provide you with the server logs (if the indication was that the mail was sent from them) They will refuse.
    4. Get a court order to force the ISP to hand over the logs (the court will say No.)
    The list is just to illustrate that it will be a tremendous struggle to get any sort understanding of what has happened.

    You are best just moving to a better provider.
     
    • Like
    Reactions: Matt1959
    Upvote 0

    Matt1959

    Free Member
    Sep 8, 2006
    6,325
    1,225
    thanks Richard.. I moved to Gmail straight after the spoof happened. The spoofed addy was a personal one not a biz one but I had been using for business for a while (lazy!)

    I am interested in something KM Tiger said earlier in the thread - Joe Job??? I've looked this up and it seems to mean an attack specifically targeted at an individual in order to cause maximum reputational damage - not sure where this line of thought comes from as many more users than me were targeted in the same way also if it was a Joe Job as I understand it, the emails would have been much less banal I think in their content?
     
    Upvote 0

    Matt1959

    Free Member
    Sep 8, 2006
    6,325
    1,225
    on the same subject but going off on a tangent - Virgin migrated their emails over from Google in 2015 due to google stopping supporting ISPs - certainly a massive task given VM have 4.2million subscribers so thats not going to happen over a weekend!

    How does this sort of migration happen? would VM do it themselves, if so whats the process and what is involved? would they sub it out, if so to what sort of entity? I imagine this work is very labour intensive - would it go overseas? what happens exactly when a migration of this size occurs?
     
    Upvote 0

    Latest Articles