An Anonymous hacker calling himself CyberZeist today released over 280 FBI-related email addresses and passwords, apparently obtained via a spear phishing attack.
CyberZeist, previously a member of the hacking group UGNazis, states that this release is a small portion of a much larger one.
Spear phishing relies on the weakest link in IT security: humans. It starts with a single email address and a targeted email designed to get the user to respond. In this case it looks like a targeted user responded to an email request to reset their password, handing the details to the hacker.
Once the hacker has compromised a single email account, they can use it to log in and send further targeted emails to other internal users. Who wouldn’t click a link received from a “trusted” source? On top of that, with access to a valid user account the hacker likely also has access to the entire address book, which typically includes full names, email addresses, phone numbers and job titles.
All of a sudden a single user clicking on a single targeted email has opened up your entire organisation to a breach.
What I find interesting about the published compromised accounts is how poor the passwords were; some samples are below, with full email addresses obscured. A significant number also had passwords that included part of the user’s first or last name.
These users all had passwords that appear in a typical dictionary-attack wordlist, simply because they are among the Top 1000 passwords ever used:
joseph.m******n@**.fbi.gov – passwords123
tammy.m*****@**.fbi.gov – passwords123456
sidney.m******@navy.mil – password123
thane.c*****@verizon.net – 12345678987654321
ronald.m*****@**.fbi.gov – password111111
jason.p*****@**.fbi.gov – pass911pass911
joseph.f*****@**.fbi.gov – pass1234567890
Jesse.R*****@**.fbi.gov – $$$$$$$$$$$$$
y*******.cv@**.fbi.gov – password404
Tumb*****@**.fbi.gov – passowrds1234567
s*****.me****@**.fbi.gov – qwerty98765
an*****@**.fbi.gov – passwords121212121
joseph.h*****@**.af.mil – 128482joshqwerty
j*****.*.d******e@uscg.mil – qwerty9876
matthew.k******@navy.mil – matt123456
darrell.f******@**.fbi.gov – qwert123password
laura.e******@**.fbi.gov – passwored12
Lourdes.a*******@**.fbi.gov – password$qwerty
Joline.c******@**.fbi.gov – qwertylol@me
Mu****er.***@**.fbi.gov – letmein16011990
If the FBI can’t avoid common passwords, what chance does the average user have?
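The patterns in the list above (part of the user's name, "password" and its misspellings, keyboard walks, digit runs, one repeated symbol) are exactly what a password-acceptance check should reject before a password is ever stored. As an added example, not from the original post, here is a small checker over constructed account/password pairs modelled on those patterns; the fragment blocklist and the name-token rule are assumptions for illustration, and a real deployment would check against a large breached-password list instead.

```python
import re

# Fragments recurring across the leaked list: "password" and its misspellings,
# keyboard walks, "letmein". Constructed mini-blocklist, not a real wordlist.
COMMON_FRAGMENTS = ("password", "passwored", "passowrd", "pass", "qwerty", "letmein")
# Three or more consecutive ascending or descending digits ("123", "9876")
DIGIT_RUN = re.compile(r"012|123|234|345|456|567|678|789|987|876|765|654|543|432|321|210")

def name_tokens(email):
    """Name-like pieces of the local part ('matthew.k' -> ['matthew']); constructed rule."""
    local = email.split("@", 1)[0].lower()
    return [t for t in re.split(r"[._\-]+", local) if len(t) >= 3 and t.isalpha()]

def weak_password_reasons(email, password):
    """Reasons a password would fall to a dictionary or hybrid attack; [] if none fired."""
    reasons, lower = [], password.lower()
    for tok in name_tokens(email):
        # Whole token, or its first four letters ("matt" from "matthew")
        hit = next((f for f in (tok, tok[:4]) if f in lower), None)
        if hit:
            reasons.append(f"name:{hit}")
            break
    hit = next((f for f in COMMON_FRAGMENTS if f in lower), None)
    if hit:
        reasons.append(f"common:{hit}")
    if re.fullmatch(r"(.)\1+", password):  # one character repeated, e.g. "$$$$$$$$$$$$$"
        reasons.append("repeat")
    if password.isdigit():
        reasons.append("digits-only")
    if DIGIT_RUN.search(password):
        reasons.append("sequence")
    if len(password) < 12:
        reasons.append("short")
    return reasons

# Constructed account/password pairs modelled on the patterns in the list above
# (name in password, "password" variants, keyboard walks, repeated symbols).
SAMPLES = [
    ("alice.martin@example.invalid", "alice123456"),
    ("bob.lee@example.invalid", "passwords123"),
    ("carol.ng@example.invalid", "qwerty98765"),
    ("dan.ortiz@example.invalid", "$$$$$$$$$$$$$"),
    ("erin.park@example.invalid", "12345678987654321"),
    ("frank.ybarra@example.invalid", "Tr4il-Mix!Granite-57"),
]

def audit(samples=SAMPLES):
    """Map each address to its weaknesses; a password that passes every check maps to []."""
    return {email: weak_password_reasons(email, pw) for email, pw in samples}
```

Calling `audit()` flags five of the six constructed pairs and returns an empty list only for the long, non-dictionary password; the same check belongs in the password-reset flow, since the breach described above started with exactly such a reset.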