
Webmail contact lists at risk from brute force password hacking
Friday 25 November 2011 08:55:33 by Andrew Ferguson

PC Pro has reported that Virgin Media customers are reporting spam being sent to all the email addresses in their contact lists on their webmail accounts. Similar issues are being reported by Yahoo and GMail users.

The most likely explanation is that hackers are running dictionary-based attacks against the login pages of various webmail systems. Once an account is taken over, spam goes out through the provider's own mail servers, which neatly sidesteps controls such as blocking outbound SMTP (TCP port 25).

While there is a great deal of pressure to re-use passwords, as we all have so many of them, alerts like this highlight the importance of keeping passwords unique and ensuring they are not easy to guess. Attempting to defeat dictionary attacks by substituting 1 for i or 0 for o will not slow down automated attacks at all, as the attacker's tool can trivially generate those substitutions too.
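To make the point concrete, the following is an added example (not code from the article or from any of the providers it mentions) of a defender-side password check: before comparing a candidate password against a wordlist it undoes the usual character substitutions and strips trailing digits, so "Passw0rd1" is recognised as the dictionary word "password". The wordlist and substitution table are constructed for the illustration; a real deployment would use a full wordlist.

```python
"""Added illustration: why 1-for-i and 0-for-o substitutions do not make a
dictionary word strong.  Not the article's code; wordlist is constructed."""
from itertools import product

# Reverse map of common substitutions.  A digit can stand for more than one
# letter, so each key lists every letter it is commonly swapped for
# (assumption: this table covers the popular cases, it is not exhaustive).
SUBSTITUTIONS = {
    "0": "o",
    "1": "il",
    "3": "e",
    "4": "a",
    "5": "s",
    "7": "t",
    "@": "a",
    "$": "s",
    "!": "i",
}

# Constructed mini wordlist standing in for a real dictionary.
WORDLIST = {"password", "virgin", "letmein", "welcome", "sunshine", "monkey"}

# Characters commonly tacked on to the end of a word to satisfy complexity rules.
TRAILING_PADDING = "0123456789!@#$"


def candidate_words(stem: str):
    """Yield every plain-letter word the stem could have been derived from."""
    choices = [SUBSTITUTIONS.get(ch, ch) for ch in stem.lower()]
    for combo in product(*choices):
        yield "".join(combo)


def dictionary_base(password: str, wordlist=WORDLIST):
    """Return the wordlist entry the password reduces to, or None."""
    stems = {password, password.rstrip(TRAILING_PADDING)}
    for stem in stems:
        for word in candidate_words(stem):
            if word in wordlist:
                return word
    return None


def is_weak(password: str, wordlist=WORDLIST) -> bool:
    """True when the password is just a dressed-up dictionary word."""
    return dictionary_base(password, wordlist) is not None


if __name__ == "__main__":
    for pw in ["Passw0rd1", "V1rg1n", "L3tm31n", "Tr0ub4dor&3"]:
        print(pw, "->", dictionary_base(pw))
```

The check deliberately expands every substitution choice (for example "1" as either "i" or "l"), which is exactly what a wordlist generator does on the attack side; whatever the attacker can enumerate cheaply, the defender can enumerate just as cheaply at password-change time and reject.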

If your webmail has been hacked, make sure your computer is free of viruses and malware before changing the password, otherwise the new one may be captured just as the old one was. It is also worth warning your contacts by word of mouth or text message to be wary of emails from you, particularly those that include attachments.


Posted by undecidedadrian over 5 years ago
I love the PC Pro article. Both Virgin and Google have a "not our problem" attitude, yet it's their systems that are being attacked and they just don't care.
Posted by MrTAToad2 over 5 years ago
" are not going slow down"

Shouldn't that be "are not going to slow down"?
Posted by gmoorc over 5 years ago
Turning on 2-step authentication on Gmail would help. I've recently switched this on and it isn't too intrusive once all your devices are configured.
Posted by TWeaKoR over 5 years ago
'nuff said.
Posted by greemble over 5 years ago
Easiest way to stop a dictionary/brute force attack: 3 failed tries and the account is locked for an hour; 3 further failed attempts after that, locked for a day.

Doesn't Gmail do this?
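The escalating lockout the comment above describes, written out as an added example (not from the article, and not how Gmail or Virgin Media actually behave): three consecutive failures lock the account for an hour, three more after that lock it for a day. The clock is passed in explicitly so the policy can be exercised offline; the step table and the decision to keep the day-long lock for any later lockouts are assumptions of this illustration.

```python
"""Added illustration of an escalating account-lockout policy.
Not the article's code; durations follow the comment, later steps are assumed."""
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR
LOCK_STEPS = [HOUR, DAY]   # 1st lockout: an hour, 2nd and later: a day (assumption)
MAX_FAILURES = 3           # consecutive failures allowed before locking


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success/lockout
    lockouts: int = 0          # lockouts so far; selects the next duration
    locked_until: float = 0.0  # epoch seconds; 0 means never locked


class LoginThrottle:
    def __init__(self):
        self.accounts = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def check(self, user: str, password_ok: bool, now: float) -> str:
        """Apply the policy to one login attempt; returns 'locked', 'ok' or 'denied'.

        While an account is locked the password is not evaluated at all, so a
        guess cannot be confirmed during the lockout window.
        """
        st = self._state(user)
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures = 0
            st.lockouts = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            duration = LOCK_STEPS[min(st.lockouts, len(LOCK_STEPS) - 1)]
            st.locked_until = now + duration
            st.lockouts += 1
            st.failures = 0
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for t in range(3):
        print(t, throttle.check("alice", False, t))   # denied x3, then locked
    print(3, throttle.check("alice", False, 3))       # locked
```

One caveat a practitioner would add: because the lock triggers on failures alone, anyone who knows a username can lock its owner out at will, so providers usually pair lockouts with per-source rate limiting, CAPTCHAs, or a second factor rather than relying on the counter by itself.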
Posted by drteeth over 5 years ago
Denis publishing just loves to send out spam, the lengths they go to to get one's details for their and third party 'marketing'.
Posted by miketuck3r over 5 years ago

This is simply not true, especially in the case of Google, which offers a 2-stage authentication so that even if someone guesses your password they need to enter another verification code sent to the owner's phone by SMS or an Android app if the device has not previously been used.
Posted by clive4 over 5 years ago
Whilst away from home last week I checked my Virgin webmail and discovered 'I' am sending out spam for fake watches... What to do? No trace in Processes, Add-ons or Programs.
Posted by barsinister over 5 years ago
All my email account address books have 2 odd entries, viz, 'aaaaa' and 'zzzzz'. If I receive a dodgy email that tries to resend itself to my contacts it will fail because there is no address for these entries (a tip I got from Rick Maybury of The Daily Telegraph a few years ago).
Posted by andrew (staff member) over 5 years ago

The first step is to run the anti-virus and a malware checker.

The likelihood is that this is spoofed email, i.e. not really sent by you, but where the details are made to look like you did it.