Report: Hackers use simple trick to target U.S. presidential campaign and government officials
Hacking email accounts doesn't have to be a sophisticated affair.
We are reminded once again of this fact thanks to a report released Friday by the Microsoft Threat Intelligence Center detailing how a group of hackers targeted the email accounts of journalists, government officials, and the campaign of a U.S. presidential candidate. And here's the thing, the bad actors didn't use some fancy 1337computer skills, but rather employed the oldest trick in the book: the password reset.
According to Microsoft, over a 30-day period in August and September of this year, hackers likely affiliated with the Iranian government went after 241 email accounts and successfully compromised four. The MTIC dubbed the group Phosphorous, and explained how the team operated.
"Phosphorous used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts," reads the blog post. "For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account."
Importantly, MTIC writes that the four compromised accounts were not tied to the U.S. presidential campaign. But, still, this isn't good.
Password-reset features come in many forms, from questions about where you went to high school or your mother's maiden name to sending a link or code to a secondary email address or phone number. The former opens victims up to attack by anyone who knows how Google works, while the latter makes your primary email only as secure as your linked secondary email or cell phone.
A prominent abuse of this feature came in 2008, when a 20-year-old college student accessed Sarah Palin's Yahoo email account. He used information like Palin's ZIP code and birthday to reset her account password and gain access to the email account.
"While the attacks we’re disclosing today were not technically sophisticated," explain MTIC, "they attempted to use a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks."
SEE ALSO:How to find stalkerware on your smartphoneThis warning from Microsoft should serve as a reminder to everyone online that a password alone isn't enough to protect your email — especially if someone is motivated to hack the account. Instead, use multi-factor authentication and for the love of god create a unique password.
Oh, and consider ditching those password-reset questions altogether.
(责任编辑:资讯)
- ·Korea's economy to stop growing without drastic labor change: FKI
- ·New Twitter survey asks about how rules should apply to world leaders
- ·North Korean leader sends handwritten New Year greetings to people
- ·How Facebook, Twitter, YouTube responded to Trump's lies
- ·US Open 2024 livestream: How to watch US Open tennis for free
- ·President Moon returns home after three
- ·You can honor Heather Heyer and other Charlottesville heroes starting today
- ·Guess who's back: Daniel Craig confirms return as James Bond
- ·Webb scientists haven't found a rocky world with air. But now they have a plan.
- ·Joe Biden's North Korea pretend policy will fail
- ·Understanding Relational vs. Non
- ·Joe Biden's North Korea pretend policy will fail
- ·Beeple sells NFT for over $69 million. Yep, you read that right.
- ·Korea was right not to return fire at JSA: Cheong Wa Dae
- ·From Prairie Grasslands to Man
- ·The price of eclipse glasses have more than tripled on Amazon over the last 2 weeks
- ·Energy ministry unveils document to calm dispute over North Korea reactor plan
- ·提高效率降风险 集中检修排隐患
- ·评论丨农事运动会:一场农民的盛会、新农人风采展现的盛会、城乡双向奔赴的盛会
- ·报名截至5月5日!“茂名龙眼”区域公用品牌LOGO征集大赛持续征集中