T 5.103 Misuse of webmail
If a provider does not verify user information sufficiently at registration, an attacker can obtain an e-mail address containing another person's name and damage that person's reputation by sending spam or obscene messages under it. If a provider allows its customers to choose e-mail addresses freely, an attacker can pick an address that other users associate with a particular role or organisation and use it to induce them to act carelessly.
With many webmail providers, the username for mailbox access is identical to or derived from the e-mail address, so an attacker already knows one half of the credentials. If the password was chosen carelessly, or if the provider allows an unlimited number of incorrect password attempts, an attacker can find the password by trial and error and gain full access to the user's account.
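The following is an added illustration (not part of the IT-Grundschutz text, nor any provider's code) of the countermeasure implied above: a login layer that counts consecutive failed attempts per account and refuses further attempts for a lockout period, so that the password store is not consulted for an unbounded series of guesses. The attempt limit, lockout duration, the SHA-256-based credential table and the user "alice" are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Assumed policy values for this illustration; a real provider tunes them.
MAX_ATTEMPTS = 5        # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900   # how long the lock lasts


def make_user_record(password: str) -> tuple[bytes, bytes]:
    """Constructed demo credential entry: (salt, SHA-256(salt || password)).
    A production system would use a slow password hash (scrypt, argon2, bcrypt)."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def make_verifier(users: dict):
    """Return verify(username, password) -> bool over a constructed user table."""
    dummy_salt = os.urandom(16)

    def verify(username: str, password: str) -> bool:
        record = users.get(username)
        if record is None:
            # Do the same work for unknown names so a response-time difference
            # does not reveal which usernames exist.
            hashlib.sha256(dummy_salt + password.encode()).digest()
            return False
        salt, digest = record
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(candidate, digest)

    return verify


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success/lock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Counts failed logins per username and refuses attempts while locked.

    Without this layer the verifier above answers every guess, so the number
    of guesses is bounded only by the attacker's patience."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so tests can advance time
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, username: str, password: str, verify) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        state = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        if now < state.locked_until:
            # Locked accounts are refused without consulting the password
            # store, so guesses made during the lock learn nothing.
            return "locked"
        if verify(username, password):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.max_attempts:
            state.locked_until = now + self.lockout_seconds
            state.failures = 0
        return "bad_password"


if __name__ == "__main__":
    users = {"alice": make_user_record("correct horse battery")}
    guard = LoginGuard(max_attempts=3, lockout_seconds=60)
    verify = make_verifier(users)
    for guess in ["alice", "alice123", "password", "correct horse battery"]:
        print(guess, "->", guard.attempt("alice", guess, verify))
```

A per-account lock of this kind has a known side effect: anyone who knows the username can lock the legitimate user out by sending wrong passwords. Providers therefore usually combine it with per-source throttling or progressively increasing delays rather than relying on the lock alone.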
Misguided user-friendliness often makes it easy for an attacker to obtain a password and thus gain full access to someone else's mailbox. A typical example is a mail provider whose start page already contains a "Forgotten your password?" link, which opens a page prompting the user for previously agreed, often easily guessable, information. The date of birth is popular here; if it is entered almost correctly, the page may even respond with a hint such as "Incorrect month".
Examples:
- The example in T 5.40 Monitoring rooms using computers equipped with microphones describes how a German politician was asked in a forged e-mail virus warning to open the attached virus protection program, which in fact contained a Trojan horse. The sender address of this e-mail was support@xyz.de, i.e. an address in the domain of her e-mail provider XYZ. She would probably not have opened the e-mail if the sender address had been unknown to her.
- Several security vulnerabilities have already been identified in the web-based e-mail service Hotmail. A particular risk is JavaScript embedded in a mail, which runs when the user reads the e-mail. Malicious JavaScript could, for example, prompt the user to re-enter the password and send it to the attacker. Because JavaScript can be embedded in HTML-formatted e-mails in numerous ways, filtering of such active content has often been unreliable in the past.
After a virus warning, it can take several hours before the vendor of the virus protection program provides the first effective updates and those updates are deployed to all IT systems. E-mails arriving at the mail server during that time can be quarantined. If there are no safeguards preventing e-mails from being received through webmail accounts, however, PCs and servers in the LAN can still be infected by this route.
Example:
- In late September 2001, the Nimda virus caused a stir. Nimda is a worm which performs a number of damaging actions: it spreads as an attachment to e-mails, through a known weakness in Microsoft's Internet Information Server (IIS) and through shared drives. After the worm was discovered, it took up to 24 hours before effective signatures for virus protection programs were available. In some large companies, users infected their PCs with Nimda through webmail. Through these PCs, in turn, IIS web servers in the company network were infected, which caused significant disruption to LAN activities.