Thursday, July 24, 2008

Email Hacking Going Commercial

This email-hacking-as-a-service offering is the direct result of the public release of a DIY hacking kit consisting of each and every publicly known vulnerability for a variety of web-based email service providers, released with the idea of making it easier for someone to execute their attacks more efficiently. Outsource the hacking of someone's email, and receive proof in the form of a screenshot of the inbox, next to a guarantee that you'll be able to get back in even after they've changed their passwords? Too good to be true, but since they only charge after they provide you with proof that they did the job, they could in fact be attempting to hack these emails, compared to the majority of cases where scammers scam the scammers. The service works in 7 steps:

"1- Submit your case to one of our experts.

2- After successful submission, you will be sent a confirmation email along with your Case Reference Number (CRN).

3- Our expert(s) will revert back to you in a few minutes with the details, the charges & the turn-around time. You may also be asked to provide additional information through a private form if required by our expert.

4- Once our expert has all the required information, you will be provided a username/password to our client area where you can view the real-time progress of your case.

5- Within a matter of hours (maximum 72 hrs), you can see the results. Our expert will provide you with proof-of-success, which you can verify and confirm.

6- Once you have verified the authenticity of success, you will be sent detailed payment instructions. You will be asked to pay using any one of our multiple payment methods.

7- Once the payment is realized, we will provide you the requisite information."

Who's doing the actual email hacking? Independent contractors working on behalf of the service, by the looks of it:

"Most other groups employ phishing, trojans or viruses which could damage or even alert the target. Our experts use techniques which are developed by themselves, not shared by anyone. We don't ask them how they do it, but as long as they provide us the desired results, it's ok for us. Since we test their methods while they are on probation period with us, we check if the target is being alerted or not. As of now, for the past 4 years, we have NOT RECEIVED A SINGLE COMPLAINT IN THIS REGARD, which is testimonial to the ingenuity of the methods used by CSP."

How would they prove that they've managed to hack the email account before requesting the payment?

"1- Multiple screenshots of the mailbox

2- A copy of your own email which you had sent to the target

3- A copy / part of the address-book of the target mailbox."

Ironically, a hypothetical questionnaire that I once speculated a private detective would require from someone interested in Outsourcing The Spying on Their Wife, in order to set the foundations for a successful social engineering attack, is being used by the email hacking group.