Tags Posts tagged with "Gmail"


by -
0 33

FRANKFURT – Hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters.

The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security.
It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago.

Holden was previously instrumental in uncovering some of the world’s biggest known data breaches, affecting tens of millions of users at Adobe Systems, JPMorgan and Target and exposing them to subsequent cyber crimes.
The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totalling 1.17 billion records.

After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts – a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It also included tens of millions of credentials for the world’s three big email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers.

“This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him,” said Holden, the former chief security officer at U.S. brokerage R.W. Baird. “These credentials can be abused multiple times,” he said.

Mysteriously, the hacker asked just 50 roubles – less than $1 – for the entire trove, but gave up the dataset after Hold researchers agreed to post favourable comments about him in hacker forums, Holden said. He said his company’s policy is to refuse to pay for stolen data.

Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account, multiplying the risks of financial theft or reputational damage across the web.

Hackers know users cling to favourite passwords, resisting admonitions to change credentials regularly and make them more complex. It’s why attackers reuse old passwords found on one account to try to break into other accounts of the same user.

After being informed of the potential breach of email credentials, Mail.ru spokeswoman Madina Tayupova told Reuters: “We are now checking, whether any combinations of usernames/passwords match users’ e-mails and are still active.

“As soon as we have enough information we will warn the users who might have been affected,” she said, adding that Mail.ru’s initial checks found no live combinations of usernames and passwords which match existing emails.

A Microsoft spokesman said stolen online credentials was an unfortunate reality. “Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access.

Yahoo and Google did not respond to requests for comment.

Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12 percent, were Microsoft Hotmail accounts and 9 percent, or nearly 24 million, were Gmail, according to Holden.

Thousands of other stolen username/password combinations appear to belong to employees of some of the largest U.S. banking, manufacturing and retail companies, he said.

Stolen online account credentials are to blame for 22 percent of big data breaches, according to a recent survey of 325 computer professionals by the Cloud Security Alliance.

In 2014, Holden, a Ukrainian-American who specialises in Eastern European cyber crime threats, uncovered a cache of 1.2 billion unique credentials that marked the world’s biggest-ever recovery of stolen accounts.

His firm studies cyber threats playing out in the forums and chatrooms that make up the criminal underground, speaking to hackers in their native languages while developing profiles of individual criminals.

Holden said efforts to identify the hacker spreading the current trove of data or the source or sources of the stolen accounts would have exposed the investigative methods of his researchers. Because the hacker vacuumed up data from many sources, researchers have dubbed him “The Collector”.

Ten days ago, Milwaukee-based Hold Security began informing organisations affected by the latest data breaches. The company’s policy is to return data it recovers at little or no cost to firms found to have been breached.

“This is stolen data, which is not ours to sell,” said Holden.

by -
0 22

Hackers are getting smarter in fooling us all, and now they are using sophisticated hacking schemes to get into your Gmail.

Yes, Iranian hackers have now discovered a new way to fool Gmail’s tight security system by bypassing its two-step verification – a security process that requires a security code (generally sent via SMS) along with the password in order to log into Gmail account.

Researchers at Citizen Lab released a report on Thursday which shows how the hackers are using text messages and phone-based phishing attacks to circumvent Gmail’s security and take over the Gmail accounts of their targets, specifically political dissidents.

The report detailed and elaborated three types of phishing attacks aimed at Iranian activists. Researchers also found one such attack targeting Jillian York, the Director for International Freedom of Expression at theElectronic Frontier Foundation.

Here’s How the Attack Works

Via Text Messages:

In some cases, the hackers use text messages and send it to their targets. The message appears to come from Google, which warns users of an unauthorized attempt to access their Gmail accounts.

The text message then follows a carefully crafted email notification, also disguised to be from Google, that redirects victims to a “Password Reset Page,” designed to collect the victim’s password.

The hackers then, in real time, use the password to login to the victim’s account and trigger the sending of a security code to the target.

Gmail uses this security code as a two-factor authentication that adds an extra layer of security on top of a Gmail user’s password.

After this, the hackers wait for the targeted victim to enter the code and then collect it through the bogus website, and then use it to take control of the victim’s Gmail account.

Via Phone Call:

In other cases, the hackers contact a target over the phone regarding some fake business proposals that usually promises thousands of dollars.

The fake proposal is then send to the victim’s Gmail account containing a fake Google Drive link that would prompt a victim to login with the Google credentials as well as the two-factor identification code, just like in the case of the text messages.

The users fell for the phishing attacks, as some hackers pretend to be Reuters journalists who wanted to arrange an interview.

Attempts to fool two-factor authentication security are nothing new. We have seen hackers releasing millions of Gmail usernames and passwords on underground online forums.

Source : THN

Google is making it safer and easier to add third-party accounts to Gmail for Android. Soon Gmail users will see the option to add Microsoft and Yahoo accounts via OAuth. That means users will no longer have to enter their user names and passwords into Gmail for Android to add these services.

Instead, Gmail will rely on Microsoft and Yahoo for authorization. If you’re logged in to your Outlook.com account, for example, Microsoft will present users with a button to allow Gmail for Android to access your account. Once that’s done, Microsoft gives Gmail a token (basically a text file) that allows the app access to that account.

If the user isn’t logged in to Microsoft, they’ll have to go through the Outlook.com login process before getting to the OAuth screen.

While OAuth is new to Gmail for Android, it’s something most users should be familiar with. Anyone who’s ever authorized an app to access a Facebook or Twitter account, for example, will be immediately familiar with the Gmail for Android process.

The new Gmail for Android feature is rolling out now. Google says it should be available to all in the next few days.

The impact on you at home: OAuth support offers a higher degree of security, because you don’t have to enter your account details into Gmail for Android. That means an unknown vulnerability in Gmail for Android could never leak your Microsoft or Yahoo credentials, because it doesn’t have them. In the event of a hack, OAuth also allows you to quickly de-authorize Gmail for Android with one click from your Microsoft or Yahoo account settings. In addition, Google says OAuth makes it easier to use added security features like two-step verification, which typically won’t work when you enter a primary password directly into a third-party app.

by -
0 13

Google is reportedly developing a new Gmail feature that will allow users to receive and pay bills directly from their email inbox. The new project is called Pony Express, though that could be an internal code name; Google could go in a different direction with branding when Pony Express launches to consumers.

The service works as a setup asking the user for personal information – including name, address and Social Security – to provide to a third party which would verify his or her identity. Depending on the bill, the user may have to provide a credit card or account number too.

Once that’s done, bills can be paid right within Gmail or Inbox, the company’s other email app that puts a greater focus on organization and surfacing messages that are timely or important.

You can pay these bills with a debit card, credit card, or bank account. Your bills will be organized into a designated folder as well. To keep things nice and neat, and available in case you need to access them in the future.

Indian government has banned the third-party email services in its government offices including Google,Yahoo, Hotmail etc. Indian government officials will now be having pretty much limited access to internet in their offices. Apart from the limited internet, they will be additionally monitored and the content which will be inappropriate for productivity of the officials, will be blocked.

Indian government, led by PM Narendra Modi, has issued the third-party email ban notifications to offices. The notice mentions the use of only National Informatics Centre (NIC) prescribed email services for communicating. The reasons cited are security and low productivity concerns.

The notification is called “Policy on use of Information Technology resources of Government of India” and “E-mail Policy of Government of India” – as reported by Economic Times

“The e-mail services provided by other service providers shall not be used for any official communication. Misuse of these resources can result in unwanted risk and liabilities for the government. NIC may block content which, in the opinion of the organisation concerned, is inappropriate, or may adversely affect the productivity of the users.”

The total number of the government official is about five million and by the end of this year, they are expected to use NIC- the government’s secure email service. To ensure the safe communication of critical and sensitive information, government has allocated Rs. 100 crore for this project.

The policy also contains the terms of usage of social media sites on government networks and using high-security settings on such websites. Users won’t post offensive, threatening, defamatory, bullying, racist, hateful, harassing, obscene or sexist posts or comments which could cause damage to the reputation of the organisation.

Different governments of all over the world have been trying their best in the recent past to secure their secret and important communications after the Snowden saga in United States.

The policy was issued on February 18 and it restricts the use of email service providers other than NIC in government offices.