The Perks of Being a Scammer: Thanks for Reusing the Same Password

Andrew B. Goldberg, Ph.D.
Jun 27, 2018

When working in technology, especially on the security side, you face many foes, from minion-level nuisances to full-blown battles with powerful adversaries. Playing the hero is rewarding for most of us who make an honest living. Those who lurk in the shadows causing strife and misfortune, however, get not only the thrill but also the money: they monetize their misdeeds.

Some people reverse engineer things for fun and for the learning experience, yet it's inevitable that others will use the same techniques for their own gain at someone else's expense. Fortunately, many of these folks use their powers for good; nevertheless, the Internet will never be a truly safe place.

In all the talk about compromised accounts and illegal transactions, there's little discussion of the actual methods and gains, especially when it comes to phishing. In the following scenario, we put on the "bad guy" lens and tell the story from the scammer's perspective, following a fraudulent message all the way to the unauthorized transactions it enables.

The Scammer Methodology of Using One Account’s Credentials to Get into Your Bank or Other Accounts

As a phisher, I'm well aware that a sizable number of people don't take the time to make a unique password for every account. Based on that, I will reach out to you under the guise of an innocuous service, in an attempt to capture a password that also opens a far more lucrative account.

Step 1: Determine the Attack Vector

I'm not going to waste my time pretending to be a bank. For one, I don't have a good idea of where these emails will end up, so sending a fake Bank of America email to people who bank with Chase or some local credit union won't do me much good. Secondly, a lot of banks explicitly state that they will never send unsolicited emails asking you to verify your credentials, so most people are wary of such messages.

Step 2: Find a Service to Emulate

After some consideration, I conclude that a brand forgery of Dropbox should do the trick: a storage service is familiar, low-stakes, and unlikely to prompt much thought on the receiving end. Now that I have an idea, I look around until I find a real communication from the company that seems both appealing and harmless.

Step 3: Modify my Appearance

To maximize the take from this scam, I need to make a few changes so that people click the button that leads to the fake page I've created. I'll keep the same layout but make subtle changes to the following:

  • Modify content – This was a promotional email tied to what looks like a new HP device purchase, so I'll leave the HP brand out, since the message will land in users' mailboxes on a wide variety of devices.
  • Alter the button link – Naturally, I want people to visit a page that looks a lot like the Dropbox login page, so I change the link behind the button to direct people to my phony site.
  • Tweak header attributes – Since I'm not a good enough hacker to have access to a real Dropbox email account, I'll fake it. I set up a disposable email account, plug it into an email client, and edit the From and Sender attributes so the message appears to come from Dropbox.

My expectation: even though the aesthetics, such as positioning and the proportions of text and images, won't be spot on, neither the human eye nor a typical email scanner will flag these minor deviations.
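The two edits in Step 3 leave artifacts a defender can look for: the From header claims one domain while Sender, Return-Path and Reply-To point at the throwaway account that actually sent the blast, and the button's href resolves to a look-alike host rather than the brand's own domain. The following check is an added example written for this page, not Inky's product code, and the two messages it inspects are constructed samples (the sender domains and the link host are invented for the example; the only real domain referenced is dropbox.com as the brand being impersonated).

```python
"""Flag the header and link tampering a brand-forgery phish leaves behind.
Constructed example for illustration; not Inky's code."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the forged Dropbox promo from Step 3. The sender
# domains and the link host are made up; only the impersonated brand is real.
FORGED_PROMO = """\
Return-Path: <promo-blast@mail-dr0pbox-offers.example>
From: "Dropbox" <no-reply@dropbox.com>
Sender: promo-blast@mail-dr0pbox-offers.example
Reply-To: promo-blast@mail-dr0pbox-offers.example
To: victim@example.org
Subject: Your extra storage is waiting
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Claim your free space. Sign in to continue.</p>
<a href="https://dropbox.com.login-verify.example/signin">Claim now</a>
<img src="https://cfl.dropboxstatic.com/static/images/logo.png">
</body></html>
"""

# Constructed control message: consistent headers and a link on the brand domain.
LEGIT_PROMO = """\
From: "Dropbox" <no-reply@dropbox.com>
To: victim@example.org
Subject: Your extra storage is waiting
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.dropbox.com/upgrade">Claim now</a></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect <a href> targets. Image sources are deliberately ignored:
    a copied logo usually still loads from the real brand CDN."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def addr_domain(header_value):
    """Lowercase domain of an address header like 'Name <user@host>', or None."""
    if not header_value:
        return None
    addr = parseaddr(str(header_value))[1]
    return addr.rpartition("@")[2].lower() or None


def same_org(host, brand_domain):
    """True if host is brand_domain or a subdomain of it. Because this is a
    dot-anchored suffix test, 'dropbox.com.evil.example' does NOT match."""
    host = host.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def analyse(raw_message, brand_domain="dropbox.com"):
    """Return a list of findings for one raw RFC 5322 message; [] means clean."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = addr_domain(msg["From"])

    # Step 3, header tweak: From is spoofed, but the other sender-identifying
    # headers still name the disposable account that really sent the blast.
    for hdr in ("Sender", "Return-Path", "Reply-To"):
        other = addr_domain(msg[hdr])
        if other and from_dom and not same_org(other, from_dom):
            findings.append(f"{hdr} domain {other} does not match From domain {from_dom}")

    # Step 3, button tweak: a link in a message claiming the brand's identity
    # points at a host outside the brand's domain.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href in collector.hrefs:
            host = urlparse(href).hostname or ""
            if not same_org(host, brand_domain):
                findings.append(f"link to {host} in a message claiming to be from {brand_domain}")
    return findings


if __name__ == "__main__":
    for name, sample in (("forged", FORGED_PROMO), ("legit", LEGIT_PROMO)):
        print(name, analyse(sample) or "no findings")
```

Two caveats a practitioner should keep in mind. The header-domain comparison is a heuristic: legitimate bulk senders often use an email service provider's bounce domain in Return-Path, so in production the authoritative test is DMARC alignment of the SPF and DKIM results with the From domain, which this offline example does not perform. And the link check must be dot-anchored, as `same_org` is, because the classic dodge is to put the brand name at the front of a longer hostname.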

Step 4: Send the Email

I've managed to scrape a large list of working recipient addresses over the years, so I feed this list into an email blast. Then I just wait.

Step 5: Try Out the Captured Credentials

Not everyone is going to care about free storage from Dropbox, and others will glance at the message and pay it no mind. For those who fell for the trick, though, I now have the email address and password combination they typed into my fake Dropbox login page.

Step 6: Plug Credentials into an Email or Other Accounts

I could try these credentials against a multitude of services, but it's in my best interest to start with the individual's email account. When that works, I can search their inbox for messages from their bank and from other services they use regularly, like eBay or Amazon. If the same password does not work for those services, control of the inbox makes it easy to reset each password to something of my choosing. Ultimately, I will use access to these services to move money.

Fake Transactions and Free Money

With each account, I need to move fast. Even on accounts without 2FA (two-factor authentication) set up, a push notification to the owner's phone might alert them that their account is being accessed from an unfamiliar device. I'm sitting behind an obscured VPN, so I'm reasonably safe, especially if my real location isn't in the U.S.; Interpol takes forever to find anyone, and you typically need to steal at least $10,000 in a single scam before anyone treats you as a concern.

Depending on what the account gives me, this is how I get your money:

  • Bank Account – Too easy. I simply use a service like MoneyGram to send money to an account I'll use for a short time before it draws too much attention.
  • Amazon or eBay – I have fake products set up under verified accounts that I use on a temporary basis. I've made a handful of fake transactions between accounts I own so that my store or accounts on either site appear legitimate. I use your account to buy my VMware eBooks for $5,000 and wait for the money to appear on my end.
  • Do Nothing – Some of the accounts I've accessed don't seem to have much to offer, so I archive those for a later time.

Naturally, there are many other ways this information could be used to exploit a person, from opening a credit line or using the account for other illegal activity to outright stealing someone's identity. As a scam artist, I'm incredibly grateful that people ignore all the warnings about using the same password for multiple accounts.


Andrew B. Goldberg. Ph.D.

Andrew B. Goldberg, Ph.D. is Chief Scientist at Inky Anti-Phishing Software, leading development at Inky, an enterprise communications security platform working to protect corporate email from new breeds of sophisticated phishing attacks. Besides full-stack development, his background includes machine learning, big data, and natural language processing applied to text and communications data. You can follow Inky on Facebook.
