Not a bad idea, for a second post ;) We don't own the webserver...
Quote:
Originally Posted by lazy13
MrEsco
Good stuff, but now some root cause analysis... what is the commonly used way to 'hijack' an email address?
Quote:
Originally Posted by xiphias360
Thx for the input... I will razzle and dazzle them at the meeting tomorrow... for shizzl
MrEsco
Ahhh, and the hat turns black... I think account hijacking is beyond the scope of this forum. But as far as a commonly used way, there is none. It's not like you can just launch stealthisaccount.exe -a bob@thecompetition.com and instantly have an account. It's more like invading a country... ;)
[rant]
:sigh: The problem is your client's an idiot. Why is it people who know nothing whatsoever about IT are always so unwaveringly convinced that they know the cause of the problem and who's at fault?
Quote:
he accuses his ISP of forwarding his email to the competition.
[/rant]
I seriously doubt you have a hacker on your hands. I'd bet you 95% that the problem is either:
1) Someone internal leaking info, or
2) User error.
Either way, I'd lay money on a people problem, not a system problem.
To echo the above poster, there is no "common way" to "hack" email. You're looking at a question with dozens of solutions.
xiphias360
Whilst I appreciate and applaud your concern, we do actually discuss these matters within reason. Like I am not going to post links to skiddie tools or whatever, but I have reviewed commercial stuff of this nature in the past, as have many other members.
Quote:
Ahhh, and the hat turns black... I think account hijacking is beyond the scope of this forum.
If you have any concerns about what you might want to post, please feel free to PM me or any other Mod or Admin. We do believe in full disclosure, but it is "responsible" full disclosure.
What our friend seems to have here is not the usual account hijacking scenario as I read things. This is a bit more along the lines of industrial/commercial espionage. Nasty, but unfortunately it happens.
Now, this may not even be a true "IT" issue. We could have a "mole" on the inside, his client's greed might have encouraged him (the client) to accept a "trojan horse" account (proper use of Trojan Horse there......... had to read that stuff for my ancient Greek exams :cool:)
I am still waiting to see if we have a general e-mail or client specific ones. If it is the latter, we would need to know (in general) what made the target accounts "special".
Hell, this stuff isn't rocket science, but it is a bit difficult given our means of communication and the time differences between us all?
Keep chipping away at the boulder folks ;)
Well if that's the case then I guess it wouldn't hurt to glaze over a couple things.
Since you touched on the Trojan Horse subject, that is probably the easiest, most cut and dry way a person is going to get inside a place to take a look around without going through the sleepless weeks and efforts of a real hack. Plus it's insanely easy so even Fred who sweeps up out back behind the warehouse could do it. Be warned however, this is not advice, instructions or anything of that nature. Merely a discussion, and should you flip this around and use any of this to try anything to anyone and get caught, the law's heavy hammer will come crashing down on you.
So now, back to the trojan horse. It's very possible your client could be infected with one and not know it. Are his antivirus definitions up to date? Understand that antivirus programs only catch the bad stuff based on their signature. If you take a well known virus that every AV in the world looks for, and run it through some new packer, you change the signature of the file and voila, the AV doesn't know it's a trojan anymore. I used to play with Sub7 back in the day (didn't we all? :D) and while all the AV's looked for it, I had packed it with a no-name hole-in-the-wall packer and was able to send it to friends and family undetected, just for SnG's of course :) It worked for a whole week before McAfee was able to detect it. Norton took another couple weeks after that. And getting someone to download something is sooOoOo easy. Gotta love horny guys. I remember a story in the news about a guy who was duped by a hacker in a chat room claiming to be a young teen. "She" sent him "revealing pictures" that let the hacker rape the retard's computer and he ended up scoring passwords that led to another raping of a huge company.
Anywho, the point is, a recent survey showed that most people think they have AV or firewall protection but really don't have any protection at all. Your client could swear on a stack of bibles that he has AV, but then you could look and see that his Norton 30-day free trial that came bundled with his computer expired 2 and a half years ago and couldn't detect Sober if it stabbed him in the ass.
But trojans aren't the only thing that could come into play here. A rootkit could be present that gives the other person a 24/7 pass into your computer. Try downloading Rootkit Revealer and see what happens.
Also, is there a firewall installed? What kind? If not give ZoneAlarm a try. It's free and user friendly, and should tell you when and where your packets try to sneak off to, and ask you if you want to let it happen or not.
There's tons of ways to get a trojan or rootkit into another network. Someone could have paid a disgruntled or just plain easily swayed employee to do the job for them. And if you're a fan of the Stealing the Network series, you should remember one of the guys talking about another easy way to get inside. Just burn the trojan/rootkit to a disc and have it autorun. Then toss some other worthless but seemingly interesting stuff on the disc (porn, games, sensitive-looking documents) and label it accordingly, "The Best of Heather Brooks", "Duke Nukem Forever (LEAKED!!)" or "Sales Data". Then "drop" it somewhere near the building and wait for it to phone home and deliver you a set of keys.
Guys,
Quote:
Originally Posted by xiphias360
The trojan/rootkit possibility has been explored, nothing has been found... we took the computers almost completely apart, sector by sector
At this moment we're looking into the human aspect of this so called 'hack' and it looks like the client is just paranoid. Am just getting my facts straight, I know that attacking an email server needs some skill and a lot of free time...
It would mean that the attacker has a clear image of his target, is it possible to discover with a traceroute which server the sender is using?
or is it a bit more complicated than that?
Kind regards,
MrEsco
Thx for the concern but am not interested in the scribbiedidlydoo tools. Am more interested in 'global' views so we can protect ourselves against it.
Quote:
Originally Posted by nihil
It looks like (if it's true) an elaborate and well organised effort but I doubt it... too many holes in the story of the client. We just need to cover all angles.
Quote:
Originally Posted by nihil
General email
Quote:
Originally Posted by nihil
:)
Quote:
Originally Posted by nihil
Hah!
That, I feel, is the answer.
Quote:
General email
Your client has a customer who is a spy, and he is sending his e-mails to that account as well as all his legitimate ones.
Search for Occam's Razor or KISS ;)
MrEsco, your client does not come across as the sharpest tool in the shed, now does he? :lildevil:
To put it very bluntly, how you tell him that he has **** for brains is down to you old chap :D
One possible idea would be to have your inbound/outbound mail routed through a secure hosted machine elsewhere (outside the ISP).
Ensure that mail in and out only goes via that host, and is encrypted in both directions. That machine can then act as an "MX" record for the customer's domains.
Some hosted email security services already provide such a system; I work for a company which does just this.
If you're using this, even if the ISP's routers were compromised, your email is still safe.
Slarty
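Two things the thread asks for can be answered from a message's own Received headers rather than from a traceroute: MrEsco's question of which server a sender used (the bottom-most Received hop is the one closest to the sender), and Slarty's rule that mail must only travel via the hosted gateway and be encrypted on every leg (Postfix/Sendmail-style servers write "with ESMTPS" on a TLS-protected hop). The parser below is an added example, not code from the thread or from any poster's product; the sample message, hostnames and IPs are constructed, and the Received clause layout it expects is assumed to be the Postfix/Sendmail one.

```python
import email
import re

# Constructed sample (not from the thread): three Received hops, newest first,
# as the final receiving server stacks them; hosts and IPs are documentation values.
SAMPLE_MESSAGE = """\
Received: from gateway.example-host.net (gateway.example-host.net [203.0.113.10])
    by mail.client.example (Postfix) with ESMTPS id AB12CD; Mon, 1 Jan 2007 10:00:03 +0100
Received: from isp-relay.example.net (isp-relay.example.net [198.51.100.7])
    by gateway.example-host.net (Postfix) with ESMTPS id 9F8E7D; Mon, 1 Jan 2007 10:00:02 +0100
Received: from customer-pc (unknown [192.0.2.55])
    by isp-relay.example.net (Postfix) with ESMTP id 1A2B3C; Mon, 1 Jan 2007 10:00:01 +0100
From: bob@client.example

hello
"""

# Clause layout "from <helo> (<rdns> [<ip>]) by <server> ... with <proto>" as
# Postfix/Sendmail-style MTAs write it (assumption: other MTAs may differ).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^)]*)\))?.*?\bby\s+(?P<by>\S+)"
    r".*?\bwith\s+(?P<proto>\S+)",
    re.IGNORECASE,
)

def parse_hops(raw_message):
    """Received hops oldest-first: hops[0] is closest to the sender. Only hops
    added by servers you control are trustworthy; earlier ones can be forged."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # undo header folding
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", m.group("rdns") or "")
        hops.append({
            "from": m.group("helo"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            # ESMTPS / ESMTPSA / SMTPS mean this hop was delivered over TLS
            "tls": m.group("proto").upper().startswith(("ESMTPS", "SMTPS")),
        })
    return hops

def route_check(raw_message, gateway):
    """Return (gateway seen in the chain, hops that were not TLS-protected)."""
    hops = parse_hops(raw_message)
    seen = any(gateway in (h["from"], h["by"]) for h in hops)
    return seen, [h for h in hops if not h["tls"]]
```

On the sample, the first hop (customer-pc to the ISP relay) is the only plaintext leg, which is exactly the leg Slarty's setup is meant to remove.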