I think it is even worse than they suggest. Suppose you compromise a username and password combination anywhere on the Internet, or offline compromise the dump you got from some random forum. This gives you a list of username => password entries.
You then farm that out to your favorite botnet and begin hitting low security consumer sites, like Facebook, Twitter, what have you. You should be able to recover email addresses in a totally automated fashion doing this. You can then probably remote compromise those email accounts instantly, using the exact same password.
Then, again in a totally automated fashion, you search their mail archives for the signatures of mails from your list of 50 high-value target sites: banks, brokerages, domain name registrars, WoW (don't laugh -- best dollar to security tradeoff of any of the above, since an account compromise can be worth $2k+, it is trivially cashable remotely, and it poses no risk of criminal prosecution), etc. You then use their recover password functionality, probably totally automated.
Then you just check your botnet for the new credentials for high-value sites, and start cashing.
I finally broke down recently and made a compendium of all my username/passwords combinations in an encrypted file. It was eye opening when I finally saw how many passwords I actually use and (mostly) remember. The repetition frequency was higher than I would like, but I'm careful to never use the same password for a site account and the associated email address(es). Unfortunately, I can't say the same for my relatives and friends...
3 comments
[ 3.4 ms ] story [ 17.2 ms ] threadYou then farm that out to your favorite botnet and begin hitting low security consumer sites, like Facebook, Twitter, what have you. You should be able to recover email addresses in a totally automated fashion doing this. You can then probably remote compromise those email accounts instantly, using the exact same password.
Then, again in a totally automated fashion, you search their mail archives for the signatures of mails from your list of 50 high-value target sites: banks, brokerages, domain name registrars, WoW (don't laugh -- best dollar to security tradeoff of any of the above, since an account compromise can be worth $2k+, it is trivially cashable remotely, and it poses no risk of criminal prosecution), etc. You then use their recover password functionality, probably totally automated.
Then you just check your botnet for the new credentials for high-value sites, and start cashing.
I finally broke down recently and made a compendium of all my username/passwords combinations in an encrypted file. It was eye opening when I finally saw how many passwords I actually use and (mostly) remember. The repetition frequency was higher than I would like, but I'm careful to never use the same password for a site account and the associated email address(es). Unfortunately, I can't say the same for my relatives and friends...