David Montague

Beyond the Inbox: The Far-Reaching Impact of Email Compromise

The email address is the most commonly used data point to validate that someone trying to access a system is the true account holder. When we create user accounts online, the email address is always collected, and it often doubles as our username. If we need to reset our password, if a login attempt is suspicious and the organization wants to notify us, or if a one-time passcode (OTP) is sent to validate it is really us, this is done by email much, if not most, of the time. We put so much trust in the email address, but how do we know that access to the email box hasn’t already been compromised?


Consumer email accounts are high-value targets to bad actors because access to an active mailbox can be a launching point for so many other attacks. The email inbox provides insights into the financial institutions, online merchants and other organizations the victim interacts with online. There are many different attacks bad actors will attempt once they have gained access to an email address.


It often begins with the bad actor curating a list of sites to target with credential stuffing attacks. They will search the inbox for order confirmations or any email that shows a customer relationship. Knowing that people commonly reuse passwords, the miscreant will try the same credential pair that allowed access into the email account at many other sites and services. If a username, rather than an email address, is used at login on other sites, then this username might be contained within an old email sitting in the inbox.


If the email Account Takeover (ATO) victim uses a unique password for their email account, the bad actor’s tactics may shift from credential stuffing to targeting the victim’s other accounts through password reset process flows, which are primarily completed via links sent to the account email. It is also common for bad actors to change the contact email address on file so it is more difficult for the consumer to recover their account. As the bad actor makes these account changes to gain access, they cover their tracks along the way by deleting the password reset and account change confirmation emails that arrive in the victim’s inbox.


myNetWatchman’s Email Reputation service allows you to see which email accounts are compromised. It gives companies the means to know not only if an email is compromised, but also how recently the bad actor was using the mailbox and what they were trying to gain. For example, in the last 30 days:

| Bad actors using a compromised mailbox looked for… | Because… |
|---|---|
| Buy Now Pay Later (BNPL) services (such as Klarna, Affirm, etc.) | They could take over the accounts and make unauthorized purchases |
| Order confirmations, promotions, coupons | They can find who the victim does business with to target them for more fraud |
| “loyalty program,” “rewards” and “points” | They can transfer or redeem the rewards or points |
| Crypto trading platforms like “blockchain,” “bitcoin,” and “onekey” (an open source crypto wallet) | Crypto wallets and platforms are very high-value ATO targets, and they want to ultimately drain the balance |
| Website design and hosting services like SquareSpace, Wix, etc. | These are good targets for ransom attacks where a bad actor takes control of a website and takes it down, threatening to delete it forever unless a ransom is paid |
| Password managers like LastPass, NordPass, etc. | Those are the miscreant’s treasure chest of all the victim’s accounts |

Clearly, there is a lot of damage that can be done once a consumer’s email address has been taken over. While this is of course damaging to the victim consumer, it is also a major concern for any organization using this compromised email address as contact information.


If an email address is actively compromised, it is no longer a valid means of performing two factor authentication (2FA) and cannot be used to complete password reset process flows. Further, organizations cannot rely on confirmation emails to say that an account has been accessed, a password was changed, or a purchase was made and trust that the true account holder will see this notification. The bad actor who has taken over the email account is waiting for it, and will swiftly remove it from the inbox.


Knowing that an email account is actively compromised greatly changes the risk profile and renders useless some of the most common methods of confirming or authenticating login access and account changes. These are valuable insights that myNetWatchman provides to clients via our Email Reputation service.


Any organization that relies on the email address for 2FA, for password reset flows, or just to notify and confirm that a purchase, login or account change was legitimate, will benefit from knowing if an email address is or might be compromised. Those who offer loyalty programs, maintain stored billing instruments, protect sensitive consumer information, allow purchases on credit or maintain any type of account balance that can be spent or transferred have an elevated ATO risk exposure and will be targeted. It is only a matter of time before ATO of an email account leads to ATO attempts against the many organizations with which this consumer does business or interacts online.
