
How your e-mail can be stolen from you, or a saga about human stupidity.

There is no limit to human stupidity
Non limitus homius dibilus

Recently a conversation on the forum turned to hacking e-mail: everyone wants to "rescue" each other, learn passwords, and so on.. So I decided to write an article on this topic.. Or rather, to systematize the existing ones. There are heaps of them on the net now, all alike. I'll put everything together... And maybe the questions about "breaking someone else's mail" will decrease...

So, the first method.
The most common way. It is based on the following. We are all human, right? We all have the same weaknesses, we all make purely human mistakes. This is the basis of the glorious science of social engineering. So, in short. A hacker can write the victim a letter with the following content: "The mail.ru service is cleaning up accounts. If you do not want your account to be deleted, reply to this letter, specifying your username and password in the Subject field in the following format: username;password". You ask why in the Subject field? I answer. Of course, this is not at all necessary. It is just that the victim will think the letter is going to a robot for automatic processing, and a robot inspires more trust. Instead of cleaning up accounts you can think up something else: they say viruses/spam are being sent from your mailbox, send your password, otherwise the account will be deleted... In short, you can think up anything you like.. Hmm, I almost forgot! The letter can be written from a plausible address, such as admin@mail.ru, support@mail.ru, webmaster@mail.ru... The hacker can also use some kind of anonymizer, or send the letter through a telnet client, putting his own address in the "Reply-To" header. Thus in the "From" field the victim sees, for example, admin@mail.ru, but when replying to the letter the answer goes to the address specified in Reply-To.

2nd method.
An attacker can put up a page somewhere with a heading like "Breaking someone else's mail" and send the victim a link to this supposed hacker page... The page itself may carry text like this:
"On mail.ru there are several MILLION users. Some percentage of them have weak memories and too little brains to remember their password, and these folks regularly run into the problem of a forgotten password. Even a small percentage of a crowd of more than a million mailbox owners is still a crowd of sorts, and it wants its passwords. For this there are all kinds of "Forgot password" systems, in which you are asked the answer to a secret question, the data you entered at registration, etc. But the most interesting thing is that the one answering is not a person but a machine, i.e. an ordinary program!!!! And if there is a program, there is a hole in it. Now let us proceed to the description of specific actions.
Everything is simple here. At pass_repair@mail.ru sits a mail robot that analyses password recovery requests and, depending on the result, either asks you to clarify your data or sends the password straight away. The site has a form with all sorts of parameters, which is then sent to the robot with a special Subject. The trick is that if you push not one but two requests into the Subject, the last mailbox is the one that gets checked, while the information is sent to the second! So let's use our brains... Right! We send two requests: in the first we give the victim's mailbox, in the second our own (about our own we know everything ;))

So, we want to crack vasya_pupkin@mail.ru
Our mailbox is hacker@mail.ru, password qwerty
We write a letter to the robot at pass_repair@mail.ru
Subject: login=vasya_pupkin&pass=&answer=;login=hacker&pass=qwerty&answer=

That is, first we put into the Subject of the letter the request for the victim's mailbox, vasya_pupkin@mail.ru: login=vasya_pupkin&pass=&answer=
And then, after the semicolon, the second request with our own data, which the robot will check and find correct!
login=hacker&pass=qwerty&answer=
In total, the message Subject looks like this:
login=vasya_pupkin&pass=&answer=;login=hacker&pass=qwerty&answer=
That's all, wait for the password to arrive in your mailbox!!!"

Noticed the catch? Well done! For those who didn't, I'll explain... it is enough for the hacker to create his own mailbox on the mail server with a name like pass_repair@mail.ru. Now the passwords fly to him in flocks! Got it? Then the main thing for him is not to dawdle.. just quickly change the secret question/answer and the forwarding address (and with ~99% probability the password there is the same one!)

3rd method.
Most people cannot keep a bunch of passwords in their heads, so they often use the same ones. Huh, any thoughts? I hope so, but for the rest I'll explain. A hacker writes the victim a letter offering to join a society or a club, or to take part in a lottery. In the letter he asks for a nickname to join the ranks (of chat crackers, for example ;)) and a password to confirm identity. If the victim is stupid enough, and the cracker knows enough about his/her interests to guess where he would want to join, then the probability of getting an answer to the letter is ~90%. The probability that it coincides with the mailbox password is ~50-70%. The odds are pretty good.
Well, those, roughly, are the basics of the social engineering method. Think!.. We are all potential victims! Moving on.

4th method. Brute force.
Everything is clear from the name.
First, a hacker can try going through standard passwords by hand: qwerty, pass, gfhjklm, 123, etc. The method is pretty dumb, and the chances of success tend to zero. Would you do that? Right, and the hacker wouldn't either!.. Instead, a cracker can use a password-guessing program, for example Brutus. After configuring it, he simply starts it and goes to bed ;) But if the user did not pick a standard password, it will take a very long time! And on dial-up it is better not to even try... ;)
Further.

Method 5. Getting the password through the forgotten-password recovery service.
Do you know that such things exist? Made for the forgetful, but used by... well, you understand. ;)
An attacker learns as much as possible about the victim: through ICQ (from the info), and if he has the time and, most importantly, the desire (even if the victim is male), he can correspond with him under a female nickname... In a word, there are loads of ways, to put it shortly! ;) Then he goes to the recovery page, types in all the information he has gathered and waits, waits, waits... ;) This method suits mail.ru best: there they really do take care of all the forgetful types who cannot keep a password in their heads!..

6th method. Not hacking as obtaining the password, but hacking as gaining access to the mailbox.
Long and tedious. But more or less effective.
So, having chosen a victim, the hacker starts sending spam on his behalf. If someone complains about it, there is a chance that the account will be deleted. But perhaps the hacker does not want to wait for someone to file a complaint. In that case he can take any anonymizer or a list of proxies and start sending complaints to the admin from various people: this bad man spammed my mailbox / sends porn / calls for violence, etc. In the end the mailbox gets banned. The main thing for him is not to miss this moment. As soon as it is deleted, the cracker registers under the victim's username. All the mail will still arrive there, but it will be read not by the owner, but by the hacker... ;)

A couple more ways:
1. The victim can be slipped a backdoor. After that he is completely in the hands of a hacker greedy for someone else's property.
2. A hacker can write a letter the victim cannot fail to reply to (some insults, or something of the kind).. When he gets the reply, he looks up the sender's IP in the header and checks for open shares. If there are any, he pulls the files in which the mail client stores passwords, and if the victim reads mail through a browser, he pulls the relevant cookies.

Apart from that, a mailbox can be broken into (just like a provider or a site) by knowing the holes well, through which passwords or something else can be stolen. For that the hacker has to try to crawl into the right places. This is, of course, difficult, which is why social engineering is such a great way! Recommended by the best d@g breeders..

Let us draw conclusions, gentlemen...
Do not chat with dubious admirers on ICQ! ;)
Before answering a dubious letter, look in the header to see whether the "Reply-To" field contains, say, vasya@pupkin.ru instead of president@whitehouse.gov, from which you supposedly received the letter.
How do you view the header? It is very simple... If you read mail directly on the server, from a browser, for example at mail.ru, all you need to do is click the "header" link. This loads a page similar to the one in which you usually read mail, but instead of the letter it shows its header. In the mail client "The Bat!", to read the header you press the key combination + + . In Outlook this can be done by selecting the letter in the folder and choosing Properties-Details from the right-click menu. I have never used it myself and don't advise you to: it has a lot of holes, and in capabilities and tweaks it is inferior to many clients.
Another tip: do not use the same passwords everywhere. The best password is one like dg#Kn$ or Y#$hGJ, such that it cannot be picked up by plain brute force. To generate random passwords I can recommend the Password Generator program. Everything there is extremely simple: choose the password length, the characters you want used in it and the randomness factor of the characters (the higher it is, the more the result resembles a real word, for example gerosvaxa instead of mpwkmscxv), press the "Generate" button and pick any one you like from the list! And for those with poor memory, my advice is to write passwords down not on your computer but in a notebook, so that nobody can pinch them.

What does a header consist of?
Consider this example:
Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78]) by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869 for; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: rth@bieberdorf.edu (RT Hood)
To: tmh@immense-isp.com
Date: Tue, Mar 18 1997 14:36:14 PST
Message-Id:
X-Mailer: Loris v2.32
Subject: Lunch today?

We will go through these headers line by line and find out what exactly each of them means:

Received: from mail.bieberdorf.edu
This letter was received from a computer calling itself mail.bieberdorf.edu...

(mail.bieberdorf.edu [124.211.3.78])
... which really is called mail.bieberdorf.edu (i.e. it identified itself correctly), and whose IP address is 124.211.3.78.

by mailhost.immense-isp.com (8.8.5/8.7.2)
The message was received by the computer mailhost.immense-isp.com, which runs the sendmail program, version 8.8.5/8.7.2 (if you do not know what these numbers mean, ignore them).

with ESMTP id LAA20869
The receiving computer assigned the message the identification number LAA20869. (This information is only of use on that computer, if its administrator needs to find the message in the logs; for everyone else it usually means nothing.)

for ;
The message is addressed to tmh@immense-isp.com. Note that this header is not connected with the "To:" line.

Tue, 18 Mar 1997 14:39:24 -0800 (PST)
The letter was delivered on Tuesday, 18 March 1997 at 14:39:24 Pacific Standard Time (PST), which is 8 hours behind Greenwich, hence the "-0800".

Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
This line records the transfer of the letter from alpha.bieberdorf.edu (rth's computer) to mail.bieberdorf.edu; the transfer took place at 14:36:17 Pacific Standard Time. The sending machine called itself alpha.bieberdorf.edu, its real name is also alpha.bieberdorf.edu, and its IP address is 124.211.3.11. The Bieberdorf mail server runs sendmail version 8.8.5, and it assigned the letter the identification number 004A21 for its internal needs.

From: rth@bieberdorf.edu (RT Hood)
The letter was sent by rth@bieberdorf.edu, who gave his real name: RT Hood.

To: tmh@immense-isp.com
The letter was addressed to tmh@immense-isp.com.

Date: Tue, Mar 18 1997 14:36:14 PST
The message was created on Tuesday, March 18, 1997 at 14:36:14 Pacific Standard Time.

Message-Id:
The message was assigned this identification number (by the machine mail.bieberdorf.edu). This number differs from the SMTP and ESMTP ID numbers in the "Received:" headers in that it is assigned to the message "for life", whereas the other numbers are tied to one particular transfer of the message on one particular machine, and so mean nothing to the other machines. Sometimes (as in this example) the Message-Id contains the sender's address, but more often it carries no visible meaning.

X-Mailer: Loris v2.32
The message was sent by Loris version 2.32.

Subject: Lunch today?
It speaks for itself.
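As an added example (not part of the original article), here is a small Python script that performs on a constructed message the two checks the article recommends: it walks the Received: chain oldest hop first, comparing the name each machine claimed with the name the receiving server resolved (the "identified itself correctly" check above), and it flags a Reply-To pointing at a different domain than the visible From:, as in the vasya@pupkin.ru versus president@whitehouse.gov warning in the conclusions. The sample header is modelled on the one walked through above; the From/Reply-To pair is made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header walked through above; the From/Reply-To
# pair is made up to show the mismatch the conclusions warn about.
SAMPLE = """\
Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78]) by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869 for <tmh@immense-isp.com>; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, 18 Mar 1997 14:36:17 -0800 (PST)
From: president@whitehouse.gov (Constructed Sender)
Reply-To: vasya@pupkin.ru
To: tmh@immense-isp.com
Subject: Lunch today?

"""

# "from <claimed name> (<resolved name> [<ip>]) by <receiving host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\((?P<real>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)

def received_hops(raw):
    """Relay chain oldest hop first: (claimed name, resolved name, IP, receiving host)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m["claimed"], m["real"], m["ip"], m["by"]))
    # Each relay prepends its own Received: line, so the bottom one is the first hop.
    return list(reversed(hops))

def misnamed_hops(raw):
    """Hops where the sending machine's claimed name differs from the resolved one."""
    return [h for h in received_hops(raw) if h[0].lower() != h[1].lower()]

def reply_to_mismatch(raw):
    """True when replies would go to a different domain than the visible sender."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", from_addr))[1]
    return from_addr.rsplit("@", 1)[-1].lower() != reply_addr.rsplit("@", 1)[-1].lower()

if __name__ == "__main__":
    for claimed, real, ip, by in received_hops(SAMPLE):
        print(f"{claimed} ({real} [{ip}]) -> {by}")
    print("misnamed hops:", misnamed_hops(SAMPLE))
    print("Reply-To points elsewhere:", reply_to_mismatch(SAMPLE))
```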