Ransom Scam Moves To Webmail; Highlights Risk Of Giving Others Your Data

from the your-money...-or-an-empty-inbox dept

Wed, Dec 13th 2006 7:21pm — Mike Masnick

Stories of malicious hackers attacking people with ransomware are pretty common. Basically, they get you to download an app that gives them control of your hard drive and they either lock up your content or threaten to delete it unless you pay. However, it seems that the latest round of attacks is even easier. Rather than getting access to your computer, they're just getting access to your webmail, deleting all of the messages other than the one demanding ransom, and waiting for you to login. Considering just how much some people rely on email, and their willingness to trust all that email to a single webmail hosted solution, this could present a pretty serious problem for many people. What's particularly interesting here is that one of the benefits discussed when it comes to webmail or other web-hosted apps is the fact that the content is available from anyone on any machine. However, that same accessibility can work against it as well, because others can more easily access it as well. And, even though it's accessible anywhere at any time, it may mean that users are even less likely to back it up and have alternate sources to get or use their email system. While some are already working on such solutions, it seems like it's only going to become more valuable to have ways to backup and secure the data that you've trusted to various online service providers so that if their security (or business!) fails, you still have access to your data.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

12 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Baal, 13 Dec 2006 @ 8:23pm

Be a smart user
Here's an idea for those who rely on web based aps like email. Change your password often and use complex passwords with upper, lower cased letters with numbers and symbols if the site allows it. Doing this on a frequent basis will keep it some what secure, provided you don't give your information away to people phiishing for it.
[ link to this | view in thread ]
STJ, 13 Dec 2006 @ 8:31pm

I've had my hotmail account for 10 years now, never been hacked, had my yahoo mail account for 6 years, never been hacked. I think I own some of the longest running webmail based accounts, shouldn't I have been hacked at least once by now?
[ link to this | view in thread ]
Pat, 13 Dec 2006 @ 8:48pm

not worth hacking
Good for you! Being so proud of your web mail accounts - sounds like you're not interesting enough to bother hacking.
[ link to this | view in thread ]
Paul, 13 Dec 2006 @ 9:25pm

Wha?
Ok, lets say a hacker takes over my gmail account and starts deleting all my emails except for the one demanding ransom. Wouldn't the logical response be to immediately change my password to prevent further unauthorized usage?
If the ransom is to get back the deleted emails, well if they were important you should have had backups somewhere. If the data in your emails is sensitive and the unauthorized user is threatening to use the information somehow then the damage is already done and shame on you for using webmail for sensitive documents.
[ link to this | view in thread ]
misanthropic humanist, 14 Dec 2006 @ 12:26am

can't see how this works
This doesn't add up. There are no webmail servers I know of that allow the option to encrypt existing, received mail in situ.
To do such a thing you would have to have a properly privilaged shell account on the machine in question. At which point you would have
the option to hold everyone on the server to ransom.

The only methods available to someone who "hacked" your account by obtaining the password is possibly to irrevocably delete the mails, which isn't much of a plan to hold a ransom is it? In other words, it has nothing to do with protecting your passwords and everything to do with the security at the system level which is out of your control.

Nobody who has done this would ever risk "returning to the scene of the crime" to fix the problem (remember, the notion that they would give you a password to restore your data is bogus since that capabiliy does not exist), ergo - you are never going to get your data back anyway and it would be foolish to pay the ransom with that belief.
[ link to this | view in thread ]
Makes NO sense..., 14 Dec 2006 @ 12:43am

I agree with misanthropic humanist on this one -- This seems like a pretty pathetic little "hack". Nothing different from any other hack that just goes in and destroys stuff. Whoopie, some old e-mails got deleted. ANYtime you're doing something on the internet, there's the chance of "hackers" getting into your data.
[ link to this | view in thread ]
The infamous Joe, 14 Dec 2006 @ 4:09am

Speaking of hackers...
...I blame Angelina Jolie.

This is even MORE pathetic than hacking myspace.

But not quite as pathetic as asking people to check out your mysapce page to hack it. That's really sad. :-P
[ link to this | view in thread ]
Wizard Prang, 14 Dec 2006 @ 6:00am

Re: Be a smart user
Also... do NOT use the same password for everything!

One idea is to use one for low-security sites such as forums, another for medium-security sites such as retailers where no financial info is available, and a high-security password for banks and credit cards.

That way an unscrupulous form operator can't get into your bank account.
[ link to this | view in thread ]
Anonymous Coward, 14 Dec 2006 @ 9:03am

Re:
Apparently you're not as interesting as you would like to believe.
[ link to this | view in thread ]
Anonymous Coward, 14 Dec 2006 @ 9:04am

Re: I Challenge You!
L-A-M-E. Spam somewhere else.
[ link to this | view in thread ]
Sergey Brin, 14 Dec 2006 @ 12:16pm

Re: I Challenge You!
Done.

The bill for 3 month's worth of hosting google.com is in the mail. Thanks for the great offer!
[ link to this | view in thread ]
Fresh, 10 Mar 2007 @ 1:55pm

Hackers
How do I get a hold of a good hacker ?
gonefresh@hotmail.com
[ link to this | view in thread ]