Karen Simmons

Anatomy of Email Compromise

Updated: Dec 3, 2024

At myNetWatchman, we see millions of email account compromises each year. Email account takeover is a dangerous starting point for further attacks, such as takeover of other accounts that use that email address as contact information, highly targeted phishing campaigns, or access to sensitive information to be used later for ransom or exploitation. One aspect that makes email account takeover especially troublesome is that fraudsters can delete incoming emails, such as those confirming purchases or password changes, while they access other accounts associated with the compromised email. In short, an email account is the key to a consumer’s digital castle. Organizations unable to see signs that a user account’s email address may be compromised are missing out on an extremely valuable high-risk signal.


Businesses that use the email address as a point of contact, and especially businesses that use the email address as a method for completing 2FA, need to be aware when a user’s email address has been taken over. A takeover renders any 2FA that relies on the email address insecure, and it is also a strong risk signal to consider when a user account attempts to change its password or other account details.


Through our proprietary real-time data observations and analytics, myNetWatchman investigated the case of a Yahoo.com email account that was compromised and accessed by bad actors nearly every day over a 3-month period. During that time, over 4,000 email messages were retrieved from the inbox while the bad actor(s) performed inbox searches for 1,800 keywords. These keyword searches were telling in terms of what the bad actor was attempting to accomplish. They included searches on keywords such as:


Bitcoin, Ethereum and other cryptocurrencies – These searches could unveil what trading platforms or services the email account holder uses to hold digital assets. This could lead to highly targeted phishing campaigns mimicking the platform the consumer utilizes. These same crypto trading platforms could also be targeted with credential stuffing or ATO attacks, in hopes that this compromised email address is a method used for completing two-factor authentication (2FA).


PayPal and common bank names – Knowing what financial institutions and financial services companies a consumer uses enables the bad actor to craft highly targeted phishing attempts. If the bad actor sees emails with one-time passcodes for completing 2FA, the services sending these codes will also be targeted with ATO.


Gift Cards and Virtual Gift Cards – Virtual gift card numbers are often provided in plain-text emails. Fraudsters can easily check the balances on these gift cards and spend them before the consumer does.


Shipment tracking – Shipment hijacking is a common scheme where fraudsters attempt to reroute or change the delivery address on a shipment. High value or easily resold consumer products are prime targets.


Loyalty programs and rewards points – Loyalty program fraud is a growing issue and something bad actors can pull off with relative ease once they take over a consumer’s account with a rewards point balance. They spend, transfer or claim the reward points balance, draining the customer’s account, resulting in frustration and brand damage.


myNetWatchman’s Email Reputation service allows organizations to identify when a user’s email account has been, or is actively being, accessed by criminals. With Email Reputation an organization can get as much detail as they need for their risk decision or investigation:

  1. aggregated counts of how many different places we see bad actors testing or using the email

  2. names of the sites where it is being tested or used, whether the attempt was successful, and the dates the email was first and last seen

  3. what the bad actor was searching for in the compromised email account


Knowing whether an email is compromised is a valuable signal when an organization sees account changes attempted, especially changes to the username, contact email or login password. If an organization relies on email-based 2FA, then this risk signal is vital. Its value as a high-risk signal further extends to purchase and transaction events, such as using a stored billing instrument to purchase a product and ship it to a never-before-seen address. As email accounts serve as a consumer’s keys to their digital castle, understanding risk around email compromise is paramount for all organizations that leverage access to that email account as a means of verification.
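The following is an added example, not myNetWatchman code or its Email Reputation API, showing how the three kinds of detail listed above (aggregated counts, sites and dates, attacker search terms) can drive a risk decision at the events the post names: email-based 2FA, account changes, and purchases shipped to a new address. The field names, the 90-day recency threshold, the decision labels and all sample data are assumptions constructed for the example; the keyword categories are the ones from the case study.

```python
"""Risk decisions driven by an email-compromise signal (added example).

Assumptions: EmailReputation field names, the STALE_AFTER threshold, the
decision labels and the sample data below are all constructed for this
example; they are not the vendor's schema or thresholds.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Keyword families from the post's case study; the literal terms are constructed.
SEARCH_CATEGORIES = {
    "crypto": ("bitcoin", "ethereum", "crypto"),
    "financial": ("paypal", "bank", "passcode", "one-time"),
    "gift_card": ("gift card", "virtual gift"),
    "shipment": ("tracking", "shipment", "delivery"),
    "loyalty": ("loyalty", "rewards", "points"),
}

ACCOUNT_CHANGE_EVENTS = {"password_change", "email_change", "username_change"}
STALE_AFTER = timedelta(days=90)  # assumed: older compromise evidence is weaker


@dataclass
class EmailReputation:
    email: str
    bad_actor_sites: int                  # distinct places the email was tested or used
    successful_logins: int                # how many of those attempts succeeded
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    search_keywords: list = field(default_factory=list)  # attacker inbox searches


@dataclass
class Event:
    kind: str                             # "email_otp", "password_change", "purchase", ...
    uses_stored_billing: bool = False
    ships_to_new_address: bool = False


def categorize_searches(keywords):
    """Count attacker inbox searches per category; a keyword counts once per category."""
    counts = {}
    for kw in keywords:
        text = kw.lower()
        for category, terms in SEARCH_CATEGORIES.items():
            if any(term in text for term in terms):
                counts[category] = counts.get(category, 0) + 1
    return counts


def assess_event(rep, event, now):
    """Return (decision, reasons). Decisions: allow, review, step_up, block.

    'step_up' means: require a factor that is NOT delivered to the email
    address, because a code sent to a compromised mailbox proves nothing.
    """
    reasons = []
    if rep.bad_actor_sites == 0 or rep.last_seen is None:
        return "allow", reasons

    recent = now - rep.last_seen <= STALE_AFTER
    reasons.append(f"email tested/used by bad actors at {rep.bad_actor_sites} site(s), "
                   f"last seen {rep.last_seen.date()}")
    categories = categorize_searches(rep.search_keywords)
    if categories:
        reasons.append("attacker inbox searches: " + ", ".join(sorted(categories)))

    if event.kind == "email_otp":
        reasons.append("email-delivered 2FA cannot be trusted for this mailbox")
        return ("block" if recent else "step_up"), reasons

    if event.kind in ACCOUNT_CHANGE_EVENTS:
        return ("step_up" if recent else "review"), reasons

    if event.kind == "purchase" and event.uses_stored_billing and event.ships_to_new_address:
        # A new ship-to address is worst when the attacker was hunting shipments or gift cards.
        targeted = set(categories) & {"shipment", "gift_card"}
        if recent and targeted:
            reasons.append("purchase matches attacker interest: " + ", ".join(sorted(targeted)))
            return "block", reasons
        return "review", reasons

    return ("review" if recent else "allow"), reasons


# Constructed sample data, loosely modelled on the post's 3-month case study.
NOW = datetime(2024, 12, 3, tzinfo=timezone.utc)
SAMPLE_REPUTATION = EmailReputation(
    email="victim@example.com", bad_actor_sites=3, successful_logins=2,
    first_seen=NOW - timedelta(days=88), last_seen=NOW - timedelta(days=2),
    search_keywords=["bitcoin", "paypal", "gift card", "tracking number", "rewards points"],
)
CLEAN_REPUTATION = EmailReputation(email="other@example.com", bad_actor_sites=0, successful_logins=0)

if __name__ == "__main__":
    for ev in (Event("email_otp"), Event("password_change"),
               Event("purchase", uses_stored_billing=True, ships_to_new_address=True)):
        decision, why = assess_event(SAMPLE_REPUTATION, ev, NOW)
        print(f"{ev.kind}: {decision} | " + "; ".join(why))
```

The key design choice is that "step_up" never means "send another code to the email": once the mailbox is in an attacker's hands, only a factor that does not route through it (an authenticator app, a hardware key, a verified phone) adds assurance, and the reasons list gives an investigator the counts, dates and search categories to justify the decision.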
