Did you know that an overwhelming majority of the email going around the interwebs each day is spam?
You may ask yourself, “Why do people spam?” The short answer is, it’s lucrative.
While most of us know to never click on messages that look spammy, there are still a handful of innocent users that fall victim; and unfortunately, that is all it takes to make it worthwhile for the spammer. The number of spam messages that make it through to our mailboxes each day is severely outnumbered by the number of messages that get blocked at the gateway, however. This is because anti-spam solutions have advanced over the years and are continuously improved.
For this reason, Mailgun and other email service providers have become targets for bad actors looking to exploit reputable email servers to get their messages delivered. We’ve seen a lot of these attempted and sometimes successful exploits over the years and have learned valuable lessons from the tactics used. But what good is keeping this information to ourselves when it can be used to help others? We wanted to share what we’ve seen in the hopes that others out there that provide similar services to customers can be better prepared and better protected should they too become targets.
So, how exactly do bad actors attempt to exploit Mailgun accounts? There are quite a few ways, but for this post, we’re going to focus on three. More often than not, the perpetrator’s attempts come in the form of credential stuffing, targeted attacks with public information, and namespace traversal. We’ll talk about each of these below along with what you can do to protect yourself and what we are doing to counteract the attacks.
I’m not gonna lie; I had a bad habit of reusing passwords for all of the various websites I signed up for. Most of us do because it’s easier to remember passwords that way. Who wants to remember a bazillion different passwords anyway? Well, that’s the mentality spammers hope you have. We’ve all read about massive data breaches where users’ personal information may have been stolen. Included in that information are almost always passwords and/or email addresses. If you’ve been pwned, you can find out here. Once they have that information, you can rest assured that the data will be accessible to many different malicious users hell-bent on exploiting it.
The problem is that not only will they attempt to use that information to gain access to accounts on the service that was breached, they’ll also use those credentials to attempt logins on other services like Mailgun. We’ve seen nefarious activity just like this where dormant accounts that haven’t been used in ages all of a sudden come back to life with a login from an IP never seen before. This is the spammers successfully exploiting reused passwords. You may have even received emails in the past from companies that were breached where they request you to not only change your password for their service, but also for other places; this is why!
Well, don’t reuse your passwords for one thing and please consider using a password manager. Here at Mailgun, we help to protect accounts by using haveibeenpwned.com and their database of over 500 million passwords previously exposed in data breaches. If our customers happen to be using a password found in that database, we will notify the user on login (see screenshot) and suggest they reset their password to a stronger one. We’ll also take this as an opportunity for them to protect their account further by enabling two-factor authentication because you can never be too safe.
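The check described above, as an added example (not Mailgun’s own code): the Have I Been Pwned “Pwned Passwords” range API is queried with only the first five hex characters of the password’s SHA-1 hash (k-anonymity), the service returns every hash suffix sharing that prefix with a breach count, and the comparison happens locally so the password itself never leaves the machine. The network call is isolated in `fetch_range` so the matching logic can be exercised offline against a constructed response; the counts in `SAMPLE_RESPONSE` are made up for the example.

```python
"""Added example: k-anonymity lookup against the Pwned Passwords range API.

Flow: SHA-1(password) -> send first 5 hex chars -> receive "SUFFIX:COUNT" lines
-> look up the remaining 35 chars locally. The API endpoint is the public
https://api.pwnedpasswords.com/range/{prefix}; everything else is example code."""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range(prefix: str) -> str:
    """Real network call: fetch the suffix list for a 5-char SHA-1 prefix."""
    req = urllib.request.Request(
        RANGE_API + prefix, headers={"User-Agent": "pwned-password-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appeared in known breaches (0 = not found).

    `fetch` is injectable so tests can supply a canned response instead of
    hitting the network."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


def login_advice(password: str, fetch=fetch_range) -> str:
    """The post-login message policy the post describes: warn, suggest a reset,
    and nudge towards two-factor authentication when the password is known."""
    n = breach_count(password, fetch)
    if n == 0:
        return "ok"
    return (f"This password has appeared in {n} known data breaches. "
            "Please reset it to a stronger one and consider enabling two-factor authentication.")


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffix lines and counts are invented for this example.
SAMPLE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1\r\n"
)

if __name__ == "__main__":
    # Offline demonstration using the constructed response.
    print(login_advice("password", fetch=lambda p: SAMPLE_RESPONSE))
    print(login_advice("correct horse battery staple", fetch=lambda p: SAMPLE_RESPONSE))
```

Because only a five-character prefix is transmitted, the service learns nothing beyond that roughly 1-in-a-million bucket, which is what makes it acceptable to run this check on a live login rather than only at password-change time.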
Hypothetically, say you were a spammer, and you wanted to find a list of companies that use Mailgun to send email so you could attempt to exploit their account. To you and me it may sound daunting, but not to spammers. They could, of course, sign up for a bunch of websites and review email headers to see where the message came from and then build a list.
That would take too long and as Sweet Brown would say, “ain’t nobody got time for that.” The quicker way, and what we’ve seen these bad actors do, is to use DNS to pull lists of domains.
But what can they do with a list of domains using Mailgun? If I know spammers, and I feel like I do, they would want to phish those domains. I know, I know, you can’t phish domains…you need email addresses to do that. This is where web crawlers come into play. With that list of domains, you can deploy a web crawler and scrape email addresses found on those domains’ websites and voila, you now have email addresses associated with the domain.
These scraped email addresses aren’t necessarily linked to Mailgun accounts though. Chances are you have numerous email addresses on your website like contact@ and support@ that aren’t used for login purposes. That doesn’t mean the spammer won’t try. Just like we discussed in the intro, it only takes getting lucky a few times to make all the work worthwhile. We’ve even seen this type of behavior on some of our personal Mailgun accounts where addresses only found on our websites have been phished.
Your best bet for protecting yourself from these sorts of attacks is again, two-factor authentication! It doesn’t completely protect you but it does make it harder on the attacker. You can also protect yourself by being super vigilant of the messages you receive and learning how to spot phishing attempts. If you need a refresher, we’ve covered some tips on spotting phish in this post so feel free to take a look.
What happens though if you do fall for one of these phishing attempts and inadvertently hand your account over to this guy? Not all is lost; we’ve built a service that monitors logins and looks for things that don’t look right. Things like location along with a whole host of other signals are checked. If we do see something that matches these checks, we will challenge the login by requiring the person logging in to verify a passcode that is sent to the email address on file. Only if the verification is passed will the user be able to log in.
You’d think credential stuffing and crawler phishing would be enough to keep these guys busy enough; and unfortunately, it’s not. The last attack vector that we’ll discuss is Namespace Traversal. With this sort of attack the bad guys basically “traverse” through usernames to find accounts that exist on a platform. They do this by abusing login and/or sign-up pages. It goes like this…find an account signup page, enter in a username and/or email and if it lets you use it, it’s not an account, but if you get an error back saying the account already exists, bingo.
Of course, doing this manually and one by one would not be worth it, but build a script that iterates through a list of email addresses and you can find accounts pretty quickly. Once they know an account exists, they can then attempt to phish that email address or brute force their way into an account. We’ve seen signs of malicious users attempting logins by using commonly used passwords on a large number of accounts. So if your password is one of these, please change it.
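The application-side fix for the enumeration described above, as an added example (not Mailgun’s code): `leaky_signup` behaves the way the post describes, answering differently depending on whether the address is already registered, while `uniform_signup` and `uniform_login` return byte-for-byte identical responses in both cases and move the “you already have an account” distinction into an email that only the address owner receives. The `Store` class, the outbox and the PBKDF2 parameters are all constructed for the example.

```python
"""Added example: signup and login handlers that do not reveal account existence.

The in-memory `Store` stands in for a database; `outbox` collects the emails the
handlers would send. Nothing here is Mailgun's own code."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # example value; tune to your hardware
SALT_LEN = 16


@dataclass
class Store:
    password_hashes: dict[str, bytes] = field(default_factory=dict)  # email -> salt||dk
    outbox: list[tuple[str, str]] = field(default_factory=list)       # (to, subject)


def normalize(email: str) -> str:
    return email.strip().lower()


def hash_password(password: str, salt: bytes | None = None) -> bytes:
    salt = salt or os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + dk


def verify_password(password: str, stored: bytes) -> bool:
    salt, dk = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, dk)


# Hash for a throwaway value so the "account does not exist" path costs the same.
DUMMY_HASH = hash_password("dummy-value-never-a-real-account")


def leaky_signup(store: Store, email: str, password: str) -> dict:
    """The enumerable behaviour the post warns about: distinct answers."""
    email = normalize(email)
    if email in store.password_hashes:
        return {"status": 409, "message": "An account with this email already exists."}
    store.password_hashes[email] = hash_password(password)
    return {"status": 201, "message": "Account created."}


def uniform_signup(store: Store, email: str, password: str) -> dict:
    """Same response either way; the difference lives only in the email sent."""
    email = normalize(email)
    if email in store.password_hashes:
        store.outbox.append((email, "Someone tried to sign up with your address"))
    else:
        # Create the account but only the address owner learns about it.
        store.password_hashes[email] = hash_password(password)
        store.outbox.append((email, "Confirm your new account"))
    return {"status": 202,
            "message": "If this address can be registered, we've sent it an email."}


def uniform_login(store: Store, email: str, password: str) -> dict:
    """One failure message for 'no such user' and 'wrong password', and the
    password hash is computed in both cases so timing doesn't leak either."""
    email = normalize(email)
    stored = store.password_hashes.get(email)
    ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
    if stored is None:
        ok = False
    if ok:
        return {"status": 200, "message": "Logged in."}
    return {"status": 401, "message": "Invalid email or password."}


if __name__ == "__main__":
    s = Store()
    print(uniform_signup(s, "Alice@example.com", "hunter2hunter2"))
    print(uniform_signup(s, "alice@example.com", "anything"))  # identical response
    print(s.outbox)  # only the emails differ
```

Uniform messages are necessary but not sufficient: the “forgot password” endpoint needs the same treatment, the responses should carry the same status code and size, and the dummy-hash trick above is what keeps the missing-account path from answering noticeably faster than the wrong-password path.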
Rate limiting FTW! We only allow so many attempts from an IP per a given time frame before we start rate-limiting and/or rejecting requests. Honestly, this is just a consequence of email address based login systems; which is why we have rate-limiting on several endpoints via NGINX. The beauty of NGINX is that it allows you to enforce custom rate-limits on specific endpoints, so if you have a signup form that is prone to abuse like in our example, you can rate-limit only that form.
Another great thing about NGINX is that it gives you flexibility. If you need to whitelist or blacklist specific IPs you can do that all with the added benefit of protecting you from brute-force password guessing and DDoS attacks. If you don’t already have something like this in place or if you just want to learn more about rate-limiting with NGINX, take a look at this article posted by the NGINX team.
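The post leaves the limiting to NGINX’s `limit_req_zone`/`limit_req` directives in front of the application. As an added example (not Mailgun’s configuration), the class below reproduces the same three behaviours at application level so the mechanism can be seen and tested: a separate limit per endpoint keyed on client IP, a whitelist of networks that are never limited, and a blacklist that is always rejected. The clock is passed in explicitly so the behaviour is deterministic; the endpoint names, limits and networks are constructed.

```python
"""Added example: per-IP, per-endpoint sliding-window rate limiter with
allow/deny lists, mirroring what the post does with NGINX limit_req."""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque


class EndpointRateLimiter:
    def __init__(self, limits: dict[str, tuple[int, float]],
                 allow: list[str] = (), deny: list[str] = ()):
        # limits: endpoint -> (max_requests, window_seconds); endpoints not
        # listed are unlimited, so only the abuse-prone form pays the cost.
        self.limits = limits
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.deny = [ipaddress.ip_network(n) for n in deny]
        # (endpoint, ip) -> timestamps of accepted requests inside the window
        self.hits: dict[tuple[str, str], deque] = defaultdict(deque)

    def decide(self, ip: str, endpoint: str, now: float) -> str:
        """Return 'deny' (blacklisted), 'limit' (over the window) or 'allow'."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.deny):
            return "deny"
        if any(addr in net for net in self.allow):
            return "allow"
        if endpoint not in self.limits:
            return "allow"
        max_requests, window = self.limits[endpoint]
        q = self.hits[(endpoint, ip)]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= max_requests:
            return "limit"  # an HTTP handler would answer 429 here
        q.append(now)
        return "allow"


def replay(limiter: EndpointRateLimiter, events: list[tuple[float, str, str]]) -> list[str]:
    """Run a list of (time, ip, endpoint) events through the limiter in order."""
    return [limiter.decide(ip, ep, t) for t, ip, ep in events]


if __name__ == "__main__":
    rl = EndpointRateLimiter({"/signup": (3, 60)}, allow=["10.0.0.0/8"], deny=["203.0.113.0/24"])
    # Constructed traffic: four signup attempts from one address in four seconds.
    print(replay(rl, [(t, "198.51.100.7", "/signup") for t in (0, 1, 2, 3)]))
```

Keying on the client address only works when the application sees the real one; behind a proxy or load balancer the key has to come from a trusted `X-Forwarded-For` hop, which is exactly the problem NGINX’s `$binary_remote_addr` avoids when it sits at the edge itself.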
Surprise! I know I said we were only going to cover 3 attack vectors but I lied, sorry not sorry… I didn’t feel like I could do a post around account takeovers without at least discussing the most annoying one of them all, credential leaking. Would you believe me if I told you that sometimes secret credentials are just posted out in the open for everyone to see? What’s so secret about that? Well, if you don’t, I’m sorry to break it to you, but every day we see Mailgun passwords exposed in public GitHub repositories just waiting to be snagged. Luckily for our customers, we built a service that monitors for these exposed credentials, and if any are found, we take action immediately by disabling the account and notifying the account owner.
In the past, we’ve seen exposed credentials get picked up and used within minutes of being indexed on GitHub, so please, whatever you do, don’t put any sort of credentials in public repos because they will be found by the wrong people.
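The customer-side counterpart to the monitoring described above, as an added example (not Mailgun’s service): a small scanner suited to a pre-commit hook that flags credentials before they reach a repository. It combines fixed patterns (the `key-` followed by 32 lowercase alphanumerics shape is assumed here to be the legacy Mailgun API-key format; the password-assignment pattern is generic) with a Shannon-entropy check for long random-looking tokens, and reports every hit redacted so the scanner’s own output never re-leaks the secret. The sample config and every value in it are constructed.

```python
"""Added example: pre-commit style secret scanner for config and source files."""
from __future__ import annotations

import math
import re
from collections import Counter

PATTERNS = {
    # Assumed legacy Mailgun key shape: "key-" + 32 lowercase alphanumerics.
    "mailgun-legacy-api-key": re.compile(r"\bkey-[0-9a-z]{32}\b"),
    # Generic `password = ...` / `SMTP_PASSWORD=...` assignments, 8+ chars.
    "password-assignment": re.compile(
        r"(?i)(?:smtp_)?pass(?:word)?\s*[:=]\s*['\"]?([^'\"\s]{8,})"),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{24,}")
ENTROPY_THRESHOLD = 4.0  # bits/char; random base64 or hex sits well above prose


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep just enough to locate the value without reproducing it."""
    return secret[:4] + "..." + secret[-2:]


def scan_text(text: str, path: str = "<stdin>") -> list[dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = False
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "match": redact(secret)})
                matched = True
        if matched:
            continue  # don't double-report a line already caught by a pattern
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno,
                                 "rule": "high-entropy-token", "match": redact(token)})
    return findings


# Constructed sample file; none of these values are real credentials.
SAMPLE_FILE = """\
# constructed sample config for the scanner example (not a real credential)
MAILGUN_DOMAIN=mg.example.com
MAILGUN_API_KEY=key-0123456789abcdef0123456789abcdef
smtp_password = "hunter2hunter2"
session_secret = abcdefghijklmnopqrstuvwx
banner = aaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE, "config.env"):
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['match']})")
```

Run over the staged diff in a pre-commit hook, this blocks the commit before anything is pushed. If a scan ever fires on history that has already been pushed, treat the key as compromised and rotate it; rewriting the commit does not undo indexing, which is the “within minutes” point above.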
And there you have it, spammers will be spammers so be careful out there! You may be asking “Nick, why share this information, the spammers will read this and change their tactics!” Maybe, but probably not and if they do, we’ll be watching.
Last updated on September 23, 2019