It's bad enough when your e-mail account is hacked; it can take time to get back into the account, and when you do, you may discover it's been used to send out all sorts of scurrilous content. But according to Paul Wood, senior analyst at MessageLabs Intelligence, a hidden threat lingers after an individual's e-mail account has been compromised: He or she may now be exposed on every site that uses that address as the login name or as the channel for verifying identity during a password reset.
"Your e-mail address is unique to you and is often used by a number of other sites, especially social networking sites, to actually provide your log-in name," Wood said. End users also tend to reuse the same password across the sites where they log in with that e-mail address, he added.
"Even if you don't share the same password, if I now have the keys to your e-mail account, then I can go to any number of different social networking sites and just try the password reminder, and if you have an account on that site, it will then provide a link via your e-mail, which I now have access to, to change your password on that Web site, and then gain access," he said.
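The reset flow Wood describes can be modelled in a few lines. The following is an added example written for this article, not code from MessageLabs or from any real site; the `Site`, `Mailbox` and `takeover_via_mailbox` names, the sample addresses and the sites are all constructed for illustration. It shows that once an attacker can read the victim's inbox, every site that keys its accounts and its reset links to that address falls, even though each site uses a different, unique password.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Mailbox:
    """A toy inbox. Whoever can read it sees every reset link that arrives."""
    address: str
    messages: list = field(default_factory=list)


class Site:
    """A toy web site that logs users in by e-mail address and resets
    passwords by mailing a one-time link to that address (constructed model)."""

    def __init__(self, name, mail_transport):
        self.name = name
        self._send = mail_transport      # callable(address, text) delivering mail
        self._users = {}                 # email -> password hash
        self._tokens = {}                # hash(reset token) -> email

    @staticmethod
    def _h(s):
        # SHA-256 keeps the example short; a real site uses a slow KDF.
        return hashlib.sha256(s.encode()).hexdigest()

    def register(self, email, password):
        self._users[email] = self._h(password)

    def login(self, email, password):
        stored = self._users.get(email)
        return stored is not None and hmac.compare_digest(stored, self._h(password))

    def request_reset(self, email):
        # Only accounts that exist get a link; the endpoint stays silent either
        # way so it cannot be used to enumerate accounts.
        if email in self._users:
            token = secrets.token_urlsafe(32)
            self._tokens[self._h(token)] = email
            self._send(email, f"https://{self.name}/reset?token={token}")

    def complete_reset(self, token, new_password):
        # One-time token: it is consumed whether or not the caller is the owner.
        email = self._tokens.pop(self._h(token), None)
        if email is None:
            return False
        self._users[email] = self._h(new_password)
        return True


def takeover_via_mailbox(mailbox, sites, new_password="attacker-chosen"):
    """Attacker with read access to `mailbox` tries the password reminder on
    every site; wherever an account exists the link arrives in the inbox the
    attacker controls, so the site password never has to be known."""
    owned = []
    for site in sites:
        seen = len(mailbox.messages)
        site.request_reset(mailbox.address)
        for msg in mailbox.messages[seen:]:
            if "reset?token=" in msg:
                token = msg.split("reset?token=", 1)[1]
                if site.complete_reset(token, new_password) and \
                        site.login(mailbox.address, new_password):
                    owned.append(site.name)
    return owned


def demo():
    """Constructed scenario: one compromised inbox, three sites, two accounts."""
    inbox = Mailbox("victim@example.com")

    def deliver(address, text):
        if address == inbox.address:
            inbox.messages.append(text)

    social = Site("social.example", deliver)
    photos = Site("photos.example", deliver)
    shop = Site("shop.example", deliver)       # victim has no account here
    social.register(inbox.address, "unique-password-one")
    photos.register(inbox.address, "unique-password-two")  # different passwords
    return takeover_via_mailbox(inbox, [social, photos, shop])


if __name__ == "__main__":
    print("accounts taken over:", demo())
```

Both registered accounts are taken over despite their distinct passwords, while the site with no account for that address yields nothing, which is exactly the "if you have an account on that site" condition in the quote. The practical consequence for site operators is that a mailed reset link is only as strong as the mailbox it lands in; anything the site wants to protect beyond that level needs a second check at reset time that does not route through the same inbox.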
Once a cybercriminal holds an individual's accounts on several sites, personalized phishing scams become easy, because the messages now come from a real account that the recipient already trusts.
"If you have access to a real account on a social networking site or other sites, as a bad guy, you can then send messages and correspond with other real people, and they will believe that they are talking to [that person]," Wood said. "If you're able to pull that off, you won't raise any suspicion. We've seen examples of that in the past where social networking accounts of real people have been compromised and then used to send out 419-type messages – these advanced fee frauds where they'll send the message to someone on their contact list saying, ‘I'm stuck in a faraway place; can you send me some money to get an airplane ticket back? I've lost all my stuff.'" Such tactics are sometimes successful in defrauding individuals.
The problem extends to instant messaging services as well.
"When you sign up for an account on many of the major [instant messaging] providers now, they often have search engines, Web mail accounts and document and image sharing," Wood said. "Your e-mail address that is often used for your Web mail account also gives you access to the instant messaging network on that provider's cloud as well – whether it's Yahoo, Hotmail or Gmail, any of those major providers. So, if you log into IM, you authenticate with your e-mail address in the same way, and the password will be the same."
The compromised user's IM contact list is then exposed to the same phishing, delivered over instant messages instead of e-mail.
For this reason, Wood discourages people from using the same password on more than one site, particularly if a common e-mail address is being used to authenticate. "That makes it easier for the bad guys, and we don't want to do that," he said.