If you try to log into Hotmail, Yahoo etc and get it wrong a certain number of times you get locked out. So how does a hacker using a scanner to do a dictionary attack on passwords get into an online email account?
On those systems where such lockouts remain in place until such time as the credentials are reset, dictionary attacks fail.
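To make the point in this reply concrete, here is an added illustration (not code from any poster or from any real mail provider) of a login service whose lockout persists until the credentials are reset. The threshold of five failed attempts, the account name and the short word list are all constructed assumptions; the point is that once the counter trips, every further attempt is refused, including the correct password, until an out-of-band reset clears the lock.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy: lock after this many consecutive failures (illustrative value).
LOCKOUT_THRESHOLD = 5


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials are not plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """Minimal authenticator with a persistent (until reset) lockout."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if acct.locked:
            # Locked accounts stay locked regardless of what is supplied.
            return "locked"
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "denied"

    def reset_credentials(self, user: str, new_password: str) -> None:
        """Out-of-band reset (e.g. via recovery flow) is the only way to unlock."""
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(new_password, salt))


def run_guessing_sequence(service: AuthService, user: str, guesses: list[str]) -> list[str]:
    """Feed a list of guesses to the service and return the per-attempt outcome."""
    return [service.login(user, g) for g in guesses]


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery")  # constructed account
    # Constructed word list; none of these is the real password.
    outcomes = run_guessing_sequence(svc, "alice", ["pass", "123456", "qwerty", "letmein", "admin", "welcome"])
    print(outcomes)                                          # the fifth wrong guess locks the account
    print(svc.login("alice", "correct horse battery"))       # still 'locked' with the right password
    svc.reset_credentials("alice", "new strong passphrase")
    print(svc.login("alice", "new strong passphrase"))       # 'ok' only after the reset
```

Real providers add further controls on top of this (rate limits per source address, CAPTCHAs, risk scoring), but the persistent-lock behaviour is what makes a plain guessing run fail in the way the reply above describes.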
Thanks for your reply. It seems odd then that Hotmail is one of the ones where accounts are being hacked and spam sent out to all in the address book. I think most people do not collect their hotmail on their own computers but do it online. I know from seeing it that Hotmail make it extremely difficult to get back in when you are locked out! So how are these accounts hacked?
The same happens on Yahoo as well; in fact, it just happened there to a friend of mine early this morning.
E-mail systems can be compromised by either directly attacking the servers themselves, or by obtaining user credentials, which are generally acquired by either compromising a user machine or by intercepting user communications, of which wireless connections are particularly vulnerable.
So when do dictionary attacks take place? I thought most online email systems had a lock out policy after a few failed logins?
Thanks for that!
Also keep in mind that in cases like these, the spam is sometimes sent via the victim's e-mail client. People save their passwords in their e-mail client's password manager, so the attacker won't even have to hack the account; he can simply infect the targeted PC with malware and use the e-mail client to send the spam without hacking anything. The address book is still used by the malware and it may seem like the account got hacked, but that is not always the case.
Setting aside the fact that the matter of compromising a user's machine has already been addressed in post #4, it is the case that all such unauthorized missives are sent by way of the user's client, regardless of where it physically resides, in the cloud or on a local machine.