[nsp-sec] Pwned IMAP accounts searches.
Lawrence Baldwin
baldwinl at mynetwatchman.com
Mon Jul 26 10:08:28 EDT 2021
I'm injected into the proxy botnets being used for IMAP testing. I'm
observing between 1-2m accounts successfully accessed each month.
Happy to share account info if anyone needs it.
I'll try to generate some reports on the search terms.
Understand also that accounts are often put under continuous
surveillance...accessed every few days in order to steal things of value
like gift codes, etc.
Lb
On Sun, Jul 25, 2021, 8:12 PM Scott A. McIntyre <scott at howyagoin.net> wrote:
> ----------- nsp-security Confidential --------
>
> Hi all,
>
> If you work somewhere that provides email services, as I do, then you may
> also have seen a real rise in compromised IMAP accounts during the last
> year or so.
>
> One thing that I have noticed is that there seems to be a somewhat
> standardised tool being used by the interlopers -- once they gain access to
> an IMAP account, they will run through the same series of around 225
> searches, looking for emails of interest.
>
> Attached is a list that has a few hundred of these most common search
> terms that we've seen.
>
> This same list, with only a few minor variations, seems to be being used
> repeatedly, so, clearly there's a kit out there...
>
> Thought it might be interesting for those of you trying to keep your email
> systems relatively intact.
>
> I've been using it to quickly identify compromised accounts and speed up
> remediation activities.
>
> Regards,
>
> Scott
>
> ---
> Scott A. McIntyre
> Chief Security Specialist
> Telstra Cyber Security
> abuse at telstra.com
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>