In a novel twist on “What happens to our accounts when we die,” we have “what happens to our abandoned accounts while we're still alive”. In this case, UK ISP TalkTalk kept an old customer’s email account alive some eight years after she closed it—which left it wide open for takeover by spammers.
If you've cancelled an account and wondered which bits of your digital data continue to live on, this story is for you.
I’ve talked in the past about how when loved ones die, their emails, social network accounts, and more keep on keeping on. Of course, this content is a prime target for cybercriminals, who can pilfer contacts and other data from long-dormant accounts.
There are typically three ways of "rezzing" a dormant account, aka bringing it back. They are:
Accidental: This is where a previously dormant account comes back to life, but with no malicious intent behind it. For example, critic Roger Ebert’s wife accidentally started sending public messages instead of direct messages via his inactive Twitter feed.
Targeted: This is when trolls or other ne’er-do-wells specifically target an account to cause distress or just get a cheap laugh. A victim of the 2012 Aurora, Colorado, cinema shooting randomly tweeted “I’m alive” some years after the event. This was, of course, enormously distressing for everyone involved.
Non targeted: This is a deliberate hack, but it isn’t specifically about the victim. Rather, the account is just there to serve as a sock puppet/fake account to sell a scam or push a bogus product. It's quite common on social media, and for the scammer, it's "just business."
While we often see accounts belonging to the dead compromised and dragged into all manner of dubious online activities, this situation is a little different. The outcome is the same—an account, long dormant, is harvested and brought back into action, zombie-style. However, in this case, the former account owner is still alive. It's a "non targeted" if we're going by the examples above, but, in contrast to those examples, it's causing considerable headaches for the account owner.
Companies usually keep multiple pieces of data on former customers for a period after account cancellation—web browsing history, payment methods, or old addresses, for example. But to keep an email dormant while attached to someone’s identity—and for eight full years—is a bad idea, because at some point it’s probably going to be compromised.
The compromise doesn’t even have to be a database breach. It could be something as simple as the person having drastically improved their security practices over the years, yet old accounts are forever tied to something like “password123”.
In this case, the account was indeed hijacked somehow. (The Register article doesn’t go into detail on this, and frankly it’d be a minor miracle if the affected person had any idea what happened some eight years on).
Friends of the account owner became aware something was up when the account started sending them emails with suspicious links to .pdf and .img files. The scammers reused previous subject lines to make it all look a touch more above board. This is similar to how mail menaces will use “RE:…” in their subject titles to make the email look as though it’s part of an actual discussion.
The former owner couldn’t get the account shut down due to a multi-tiered portal setup. It’s not uncommon for ISPs to have multiple login sections, some of which cater to generic items and others to specific account features, or packages, or and anything else you care to think of. This is especially common when an organisation offers television, phone, Internet, and other services.
While this wouldn’t ordinarily be a problem, in order to shut down the compromised account, the former owner needed access to a specific portal that required her to be a current customer. As she's not, TalkTalk requested two forms of identification to prove her identity. Given previous stories on TalkTalk's data breaches, she may be reluctant to hand it over.
Nobody is quite sure. Even if the ex-customer weren’t asking for it to be shut down, one would imagine TalkTalk would see it being used for spam and disable it. That has to break a ToS somewhere alone the line.
Most ISPs issue an ISP-branded email regardless of whether you want one or not. With that in mind, it’s worth logging into whatever portal you have available and having a look around. If an email address exists for your ISP, and you’ve never used it, it could be a problem for you down the line—or even right now. The account email may reuse your main login password, or have something incredibly basic assigned as the default password, which could easily be cracked.
You don’t want to walk into a zombie email scenario like the one outlined above. Review any dormant accounts you might have attached to things like cloud services, mobile or IoT devices, or ISPs and shut them down if you can. If you can't, you can at least pop in there and add a difficult password unlikely to be broken through brute force. And if you want to go the extra mile, contact the companies attached to the email addresses and find out what their policies are for shutting down email accounts after customers leave.
As for suspicious emails: Should you receive something from an email address you haven't seen in a long time, be careful. If you have another way to contact the person supposedly sending the missive, do so. Otherwise, keep these tips in mind before you open any attachments or click any links. It’s just not worth letting curiosity getting the better of you—or your PC.
The post Zombie email rises from grave after eight years of radio silence appeared first on Malwarebytes Labs.