Webmail Security and Associated Best Practices

Webmail is popular for its many advantages over regular desktop email. One of its salient benefits is ubiquitous availability, which is a double-edged sword. The price paid for universal access is a greatly increased attack surface area. Below we will identify existing threats, the implications of being targeted, and best practices to effectively mitigate threats associated with the use of webmail.

Business employees often require access to work resources from outside of the office. As a result, web-based email has become one of the most widely used corporate communications resources. Email is the communication backbone that supports the smooth and successful operation of any company. Therefore, because of its high value and sensitive nature, email resources are often targeted by malicious attackers. Compromised email infrastructure can result in several problems, such as:

  • Intellectual property loss: This includes stolen company secrets, customer and partner information, internal memos, etc. These can be used for blackmail, or can even be sold on the internet to the highest bidder.
  • Email contact loss: Stolen address books can cause lost business opportunities while company contacts may be exposed to future spam and malware attacks.
  • Also, depending on local legislation, data breaches might have to be publicly disclosed and companies can be given significant fines.

Attackers have a multitude of options available at their disposal. Some malicious individuals may run a simple Web search to obtain your webmail URL. Once they have this information, they can employ bots (automated programs) to guess a correct username and password. The most common attack we see is targeted phishing emails spoofing the company’s IT helpdesk. These messages employ various social engineering tactics to trick users into giving up their password. Once the attackers have the passwords, they can login to the relevant webmail server and perform additional malicious activities.

Below are two samples of targeted phishing emails. In the first sample, the attacker directs the victim to a URL where they can capture the victim’s username and password. In this example they are using Google Docs, which is being used to host a simple form into which the attacker hopes the victim will input their details. The second sample is a simpler phishing email where the attacker just asks the victim to fill out details and reply with their username and password to a webmail account.

Effective security policies should be implemented to prevent phishing attempts and the following approaches can help mitigate these threats. When used together, you can appear less enticing to attackers and avoid becoming a victim.

Policy solutions

  • Implement a two-factor authentication process with a hardware or software token. This will require a user to provide a second set of authentication credentials (in addition to username and password) to log into webmail.
  • Consider allowing only specific users access to webmail. This will reduce the attack surface area, which in turn reduces the probability of being targeted. In many companies, not all employees truly need webmail access outside of office hours.
  • Hide your webmail URL from search engine crawlers by setting up a robots.txt in the root of your webmail server.
  • Avoid generic or easily guessable webmail URLs (such as webmail.domain.com or mail.domain.com).
  • Enforce an effective password policy (such as requiring complex passwords) and force regular password changes.
  • Limit the total number of messages per user. This can be based on a per-day or per-hour limit.

User education

  • Ask your IT department to publish monthly advisories and hold regular brief meetings and training modules regarding security best practices.
  • Login pages can have friendly security reminders which change depending on the season. For example, during holidays or festive seasons be aware of suspicious themed attachments.
  • Educate users on how to recognize phishing attempts. For example, showing users a sample email would help them better recognize phishing attempts.
  • Discourage use of webmail on public or shared computers which might have key loggers or other malware installed.

Pro-active measures

  • Ensure server and webmail software are patched with the latest updates to prevent vulnerabilities from being exploited.
  • Frequently monitor authentication and access logs for suspicious events, such as sudden spikes in user activity. Administrators can be alerted to disable compromised accounts.

Of all of the above approaches, our experience has shown that the most effective way to mitigate becoming a target is to implement a two-factor authentication process. If an attacker cannot gain access to your webmail server because you utilize such technology, they will simply move on to the next target which doesn’t.

How to stop your Gmail account being hacked

GmailAs has been widely reported, high profile users of Gmail – including US government officials, reporters and political activists – have had their email accounts hacked.

This wasn’t a sophisticated attack against Google’s systems, but rather a cleverly-crafted HTML email which pointed to a Gmail phishing page.

Victims would believe that they had been sent an attachment, click on the link, and be greeted by what appeared to be Gmail’s login screen. Before you knew it, your Gmail username and password could be in the hands of unauthorised parties.

So, what steps should you take to reduce the chances of your Gmail account being hacked?

  1. Set up Two step verification
  2. Check if your Gmail messages are being forwarded without your permission
  3. Where is your Gmail account being accessed from?
  4. Choose a unique, hard-to-crack password
  5. Secure your computer
  6. Why are you using Gmail anyway?

1. Set up Two step verification

The hackers who broke into high profile Gmail accounts grabbed usernames and passwords. So, an obvious thing to do would be to make Gmail require an extra piece of information before allowing anybody to access your account.

Google provides a facility called “two step verification” to Gmail users, which provides that extra layer of security. It requires you to be able to access your mobile phone when you sign into your email account – as they will be sending you a magic “verification” number via SMS.

The advantage of this approach – which is similar to that done by many online banks – is that even if cybercriminals manage to steal your username and password, they won’t know what your magic number is because they don’t have your phone.

Google has made two step verification easy to set up.

Setting up 2 step verification

Once you’re set up, the next time you try to log into Gmail you’ll be asked for your magic number after entering your username and password. Your mobile phone should receive an SMS text message from Google containing your verification number.

Mobile phone receives verification number

Let’s just hope the bad guys don’t have access to your mobile phone too..

Here’s a video from Google where they explain two step verification in greater detail:

You can also learn more about two step verification on Google’s website.

By the way, note that two step verification doesn’t mean that your Gmail can’t ever be snooped on by remote hackers. They could, for instance, install spyware onto your computer which could monitor everything that appears on your screen. But it’s certainly a good additional level of security for your Gmail account, and one which will make life much more difficult for any cybercriminal who might be targeting you.

2. Check if your Gmail messages are being forwarded without your permission

Gmail gives you the ability to forward your emails to another email address. There are situations where this might be handy, of course, but it can also be used by hackers to secretly read the messages you receive.

Go into your Gmail account settings, and select the “Forwarding and POP/IMAP” tab.

If your emails are being forwarded to another address, then you will see something like the following:

Gmail forwarding

That’s fine if you authorised for your emails to be forwarded to that email address, but a bad thing if you didn’t.

If your messages are not being forwarded you will see a screen more like this:

Gmail forwarding

Hackers want to break into your account not just to see what email you’ve received up until their break-in. Ideally, they would like to have ongoing access to your email, even if you change your password or enable two step verification. That’s why it’s so important to check that no-one has sneakily asked for all of your email to be forwarded to them.

3. Where is your Gmail account being accessed from?

At the bottom of each webpage on Gmail, you’ll see some small print which describes your last account activity. This is available to help you spy if someone has been accessing your account at unusual times of day (for instance, when you haven’t been using your computer) or from a different location.

Last account activity

Clicking on the “Details” option will take you to a webpage describing the type of access and the IP address of the computer which logged your email account. Although some of this data may appear nerdy, it can be a helpful heads-up – especially if you spot a computer from another country has been accessing your email.

IP addresses of computers accessing Gmail account

4. Choose a unique, hard-to-crack password

As we’ve explained before, you should never use the same username and password on multiple websites. It’s like having a skeleton key which opens every door – if they grab your password in one place they can try it in many other places.

Also, you should ensure that your password is not a dictionary word, and is suitably complex that it’s hard to break with a dictionary attack.

Here’s a video which explains how to choose a strong password, which is easy to remember but still hard to crack:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Don’t delay, be sensible and make your passwords more secure today

And once you’ve chosen a safer password – keep it safe! That means, don’t share it with anyone else and be very careful that you’re typing it into the real Gmail login screen, not a phishing site.

5. Secure your computer

Secure PCIt should go without saying, but this list would be unfinished without it. You need to properly secure your computer with up-to-date anti-virus software, security patches and so forth. If you don’t, you’re risking hackers planting malicious code on your computer which could spy upon you and, of course, your email.

You always want to be certain that your computer is in a decent state of health before you log into a sensitive online account, such as your email or bank account. That’s one of the reasons why I would always be very nervous about using a computer in a cybercafe or hotel lobby. You simply don’t know what state the computer is in, and who might have been using it before.

6. Why are you using Gmail anyway?

Okay, I don’t really mean that. But I do mean, why are you storing sensitive information in your Gmail account?

The news headlines claim that senior US political and military officials were being targeted by the hackers. Surely if they had confidential or sensitive data they shouldn’t have that in their webmail account? Shouldn’t that be on secure government and military systems instead?

Always think about the data you might be putting on your web email account – because if it’s only protected by a username and password that may actually be less security than your regular work email system provides.