[nsp-sec] Pwned IMAP accounts searches.
RuthAnne Bevier
ruthanne at caltech.edu
Wed Jul 28 12:29:20 EDT 2021
I'd certainly be interested in anything related to caltech.edu addresses.
On Mon, Jul 26, 2021 at 10:08:28AM -0400, Lawrence Baldwin wrote:
> ----------- nsp-security Confidential --------
>
> I'm injected into the proxy botnets being used for imap testing. I'm
> observing btw 1-2m accounts successfully accessed each month.
>
> Happy to share account info if anyone needs it
>
> I'll try to generate some reports on the search terms.
>
> Understand also that accounts are often put under continuous
> surveillance...accessed every few days in order to steal things of value
> like gift codes, etc.
>
> Lb
>
>
>
> On Sun, Jul 25, 2021, 8:12 PM Scott A. McIntyre <scott at howyagoin.net> wrote:
>
> > ----------- nsp-security Confidential --------
> >
> > Hi all,
> >
> > If you work somewhere that provides email services, as I do, then you may
> > also have seen a real rise in compromised IMAP accounts during the last
> > year or so.
> >
> > One thing that I have noticed is that there seems to be a somewhat
> > standardised tool being used by the interlopers -- once they gain access to
> > an IMAP account, they will run through the same series of around 225
> > searches, looking for emails of interest.
> >
> > Attached is a list that has a few hundred of these most common search
> > terms that we've seen.
> >
> > This same list, with only a few minor variations, seems to be being used
> > repeatedly, so, clearly there's a kit out there...
> >
> > Thought it might be interesting for those of you trying to keep your email
> > systems relatively intact.
> >
> > I've been using it to quickly identify compromised accounts and speed up
> > remediation activities.
> >
> > Regards,
> >
> > Scott
> >
> > ---
> > Scott A. McIntyre
> > Chief Security Specialist
> > Telstra Cyber Security
> > abuse at telstra.com
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
> >
>
>
--
RuthAnne Bevier
Senior Information Security Advisor
California Institute of Technology
626 395 2671
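The thread describes a defender's detection signal: a compromised IMAP account issues a long, near-identical run of SEARCH commands from a kit, which a normal user never does. The script below is an added example, not Scott's tool, not the attached term list, and not any mail server's real log format. It assumes a hypothetical log line layout (`ts user= session= cmd= args=`) and a small constructed placeholder set standing in for the kit's search terms; it parses quoted SEARCH terms per session and flags sessions whose distinct terms overlap the kit list heavily.

```python
import re
from collections import defaultdict

# Constructed placeholder terms. The real list attached to the original post is
# not reproduced here; these stand in for it (assumption for this example).
KIT_TERMS = {
    "gift card", "gift code", "invoice", "password reset", "wire transfer",
    "bank statement", "verification code", "payroll", "w-2", "bitcoin",
}

# Assumed log layout for this example only, not a real server's format:
#   <timestamp> user=<addr> session=<id> cmd=SEARCH args=<raw IMAP search args>
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+session=(?P<session>\S+)\s+'
    r'cmd=SEARCH\s+args=(?P<args>.*)$'
)

# Pull the quoted strings out of the SEARCH argument list, e.g.
#   TEXT "gift card" OR SUBJECT "invoice"  ->  ["gift card", "invoice"]
QUOTED_RE = re.compile(r'"([^"]*)"')


def parse_search_log(lines):
    """Yield (user, session, term) for every quoted SEARCH term in the log."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:            # non-SEARCH commands and malformed lines are skipped
            continue
        for term in QUOTED_RE.findall(m.group("args")):
            yield m.group("user"), m.group("session"), term.casefold()


def score_sessions(records, kit_terms=KIT_TERMS):
    """Map (user, session) -> (distinct kit terms matched, distinct terms total)."""
    seen = defaultdict(set)
    for user, session, term in records:
        seen[(user, session)].add(term)
    return {key: (len(terms & kit_terms), len(terms)) for key, terms in seen.items()}


def flag_compromised(lines, min_kit_hits=3, min_ratio=0.5):
    """Return sessions whose searches look scripted: at least min_kit_hits distinct
    kit terms, making up at least min_ratio of everything the session searched.
    One kit term alone is ordinary user behaviour; a run of them is the signal."""
    flagged = []
    for (user, session), (kit, total) in sorted(score_sessions(parse_search_log(lines)).items()):
        if kit >= min_kit_hits and kit / total >= min_ratio:
            flagged.append((user, session, kit, total))
    return flagged


# Constructed sample log: one scripted-looking session and one normal one.
SAMPLE_LOG = [
    '2021-07-25T20:12:01 user=alice@example.edu session=s1 cmd=SEARCH args=TEXT "gift card"',
    '2021-07-25T20:12:02 user=alice@example.edu session=s1 cmd=SEARCH args=TEXT "gift code"',
    '2021-07-25T20:12:03 user=alice@example.edu session=s1 cmd=SEARCH args=SUBJECT "invoice" OR SUBJECT "payroll"',
    '2021-07-25T20:12:04 user=alice@example.edu session=s1 cmd=SEARCH args=TEXT "wire transfer"',
    '2021-07-25T20:12:05 user=alice@example.edu session=s1 cmd=SEARCH args=FROM "mom"',
    '2021-07-25T21:00:00 user=bob@example.edu session=s2 cmd=SEARCH args=SUBJECT "invoice"',
    '2021-07-25T21:00:10 user=bob@example.edu session=s2 cmd=SEARCH args=FROM "lunch"',
    '2021-07-25T21:00:11 user=bob@example.edu session=s2 cmd=FETCH args=1:* (FLAGS)',
]

if __name__ == "__main__":
    for user, session, kit, total in flag_compromised(SAMPLE_LOG):
        print(f"REVIEW {user} session={session}: {kit}/{total} distinct terms match kit list")
```

Thresholds are deliberately conservative: a single "invoice" search is what real users do, so the ratio and minimum-hit count together keep ordinary sessions out of the review queue while a kit run of dozens of matching terms stands out immediately. Once a term list like Scott's is in hand, dropping it into `KIT_TERMS` and pointing the parser at the real log format is the only change needed.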