Gift card gang extracts cash from 100k inboxes daily

324 points by picture over 3 years ago

18 comments

upofadown over 3 years ago

> Microsoft declined to comment specifically on Bill’s research, but said customers can block the overwhelming majority of account takeover efforts by enabling multi-factor authentication.

Or, of course, by not reusing passwords everywhere. ISPs can help by turning on some sort of brute force protection on SMTP and IMAP. They can also help by checking for completely obvious passwords (yes, by brute force cracking with a short list). Which brings us to this:

> But you also know they are accessing their email exclusively through an email client. What do you do? You can’t flag their account for a password reset, because there’s no mechanism in the email client to affect a password change.”

If only there was some way to communicate with an email customer...
rsync over 3 years ago

Can we talk about who "Bill" (the source for the article) is?

If we read between the lines, it appears that someone sitting at a fairly large Internet choke point is grepping the flow of mail traffic for keywords (for lack of better terms since it's not *literally* grep).

Presumably someone placed highly enough that they can do such analysis without management oversight?

Or are there compliance and security reasons to "grep" IMAP traffic for certain things and he just added some other keywords?

Where, in 2021, would a network admin own this much traffic and have this little oversight?

-----

EDIT: ... and now that I think about it, wouldn't this be fairly easy to suss out? The source states:

"So I’m seeing this traffic to just like 10 net blocks tied to Microsoft, which means I’m only looking at maybe 25 percent of Microsoft’s infrastructure,"

I have neither the time nor the inclination but if there is an ISP out there that is routing 25% of MS mail infrastructure, all I have to do is look at mail routes to MS for a few days and run some traceroutes and I could probably make some guesses as to which network "Bill" works for ...
kjrose over 3 years ago

Ironically, I could see people actually paying for this service by splitting the "gift cards" etc. that are found.

Essentially, it's an automated service to find all of the places where programs give you free stuff for little or no work, and then their system just watches your email and does it for you, splitting the final values in some fashion.

Despite the extreme security issues around it, I could see many people signing up for this.
exitnode over 3 years ago

Imagine feeling like real badasses after stealing lots of money and then they call you "Gift Card Gang".
bemmu over 3 years ago

> They’re actually automating the process of replying saying you completed this activity so they can bump up your point balance and get your gift card.

What they're doing is terrible, but I felt a bit of respect for how clever this is.
tyingq over 3 years ago

Makes me curious if Gmail tells you when new/suspicious IMAP connections are made. I know they do tell you for normal web logins. Off to disable IMAP where I don't need it...
joe_the_user over 3 years ago

The thing about this scheme is that it seems to amount to an extremely low tax on the accounts of the average user.

The big downside isn't really that people might lose their gift cards but that other horrible things could happen at scale 'cause who knows who the Gift Card Gang are really.

And the thing is here that the state, the broader authorities, are the only ones who have some incentive to act now about this. If it affected me, I'd shrug, I have no incentive. And the story everywhere with this is the state has become as short-term-ist as everyone else. And, what problems could possibly arise from that?? (posts and then checks outside for fire, poison gas and deadly disease).
owlninja over 3 years ago

I could go for something that lets me know I have cash sitting in my bloated inbox.
codethief over 3 years ago

I'm wondering… would the gift card gang also be interested in those "You won a $100 gift card!" emails in my spam folder? :)

The idea of the gang and the spammer going on about who should drop their pants first ("Please send us the gift card" – "No you send me your bank account information first") makes me chuckle.
drewg123 over 3 years ago

I thought this was going to be about a different scam: Taking over an email account and messaging the contacts to send e-gift cards.

This happened to my real estate agent. I got an email from her saying *"I really need to get a (Google play gift card) for a friend who is a cancer patient."* That seemed super phishy, so I texted her, and she said her email was taken over.

This was a verizon.net account that was migrated to AOL. The hacker had reset her email password and created a hotmail account in her name, and was forwarding all incoming mail to the account he controlled. She regained control of the account, but he still had an active session and was still sending out phishing emails. I tried to help her, but I could not find any way to have AOL sign out all active sessions.
jvanderbot over 3 years ago

A gift card was taken from our mail and spent nearby. Fun part is they resealed the envelope so we'd never have known had the sender not told us.
lifeisstillgood over 3 years ago

> (if the ISP blocks the account) “Those customers are likely going to get super pissed off and call up the ISP mad as hell,” Bill said. “And that customer service person is then going to have to spend a bunch of time explaining how to use the webmail service. As a result, very few ISPs are going to do anything about this.”

If someone had copied your door key, and was breaking into your house each week to look for food, then you probably would want the police to change the lock. Or at least let you know you need to.

This just strikes me as a regulatory issue - we have to be able to trust our online services. As such, the level of security needs to be upped by fiat. It's not a popular idea but a FIDO key for everyone in US / Europe would be within the bounds of feasible in the next 10 years. Hell, just SMS 2FA would massively cut back on this.
jrmg over 3 years ago

This is making me wonder about the legitimacy of gift card resell sites like https://www.raise.com/
justicezyx over 3 years ago

Gift cards cannot be cashed out, right?

I don't follow how this scam can be profitable. Are they reselling the gift cards? I did not find that mentioned in the article.
mjparrott over 3 years ago

Turns out it is more profitable to just take everyone's inbox cash than to offer them a service to make their own cash visible to them for a % fee.
WarOnPrivacy over 3 years ago

I reclaimed one of these accounts for a customer of mine - literally 15 minutes ago.

The first scam email was "Hey. Catching up." The follow-up email was "I'm in a bind tonight. Unexpected bad thing happened. Can you order this gift card and send it to my relative for me?"

The initial phish was a bogus AOL email saying there's a system change coming up and the customer needs to log in and apply the change to their email account.
paulpauper over 3 years ago

Of course, tons of queries for crypto exchanges.
JumpCrisscross over 3 years ago

Are stolen airline miles really that valuable?