Security Week 08: hacking VFEMail live

    News about serious vulnerabilities in software and hardware appears every week. In the last seven days alone there were reports of XSS being exploited in the VKontakte social network and of a zero-day being fixed in Windows, and a little earlier a bug was closed in Android that allowed a phone to be compromised with a crafted PNG image. But we rarely see the consequences of exploiting these vulnerabilities: the affected companies, for obvious reasons, are in no hurry to share such information. Even more rarely can one watch the consequences of an attack almost live, which is what happened with the VFEMail email service last week.

    This service was founded in 2001 by a resident of the United States, and has since served private clients (the free tier offered only 50 megabytes of mail storage) and organizations on their own domains. In 2015 it was mentioned alongside the secure mail service ProtonMail as the target of a ransom demand: the owner of the service quoted the DDoS attack organizers' demand to pay five bitcoins. On February 11, without any preliminary threats, attackers erased the information on all of VFEMail's main and backup servers, literally destroying the company's business within a few hours.

    The most expensive option in the mail service's list of tariffs offers 15 gigabytes (20 elsewhere on the site, the figures diverge) for $50 a year, the same amount that Google Mail gives for free. Alternatively, there is a one-time payment of $25 for 1 gigabyte of mail forever. Payment is accepted in cryptocurrency. VFEMail does not position itself as secure mail, offering fairly standard options such as spam filtering, scanning attachments for viruses, and access from email clients. And also: "We do not read your letters in order to sell you advertising."


    In general, it was mail for those who opened a mailbox a hundred years ago and have since been too lazy to move anywhere else. A perfectly workable arrangement, if not for the events of February 11th. It all started with this Twitter post from the mail service: the owner noticed that he had serious problems.


    Two hours later, the owner watched live as an attacker erased data on one of the servers:


    The mail service was attacked from a Bulgarian IP address, most likely from a rented virtual machine. A few minutes later it became clear that this was not the only server under attack:


    An hour later, the founder of the service diagnosed what was probably a complete loss of all user data:


    Several servers at different sites in different countries were attacked at once. According to the owner of VFEMail, different methods and authorization keys were used on the servers, and yet they were all hacked, with the data then destroyed, almost simultaneously. After a week of downtime, the owner of the service managed to restore one of the servers with data from 2016:


    In a comment to the Bleeping Computer website, the founder and sole owner of the email service, Rick Romero, said that he had not received threats from anyone, unlike the situation with the DDoS attack in 2015. Most likely the service will not be restored, although clients were later given the ability to receive and send mail, without access to archived messages from the last two-plus years. Journalist Brian Krebs, on his blog, cites the account of a VFEMail corporate client: ten years of email correspondence and more than 60 thousand messages were lost.


    Interestingly, the VFEMail website made the case for a third-party mail service over hosting mail yourself: it is more reliable, all the security settings have already been taken care of, and you do not need to accept incoming connections on your own network.


    All the arguments are correct, although in the end the "professional" service suffered a disaster typical of an ordinary user: the entire "networked" infrastructure was destroyed and, most likely, there were no offline backups. In the comment mentioned above, the owner of the service gives another argument against restoring it: even before the hack, the mail service was not particularly profitable. The blow to its reputation, the cost of restoring the infrastructure and, most importantly, the cost of subsequent data backup and additional security measures would make the business completely unprofitable.

    In a sense, it's a pity. VFEMail appeared at the end of the romantic era of the Internet, when the current giants were garage startups with a similar level of security. The further development of cyberattacks made the cost of defense unbearable for everyone who had not managed to become large enough. Although we do not yet know exactly how the mail service was hacked (and perhaps we never will), this story is a sad example of a company that was ready neither to repel a cyber attack nor to overcome its consequences. And while the largest companies also have problems with the first point, the inability to recover from a cyber shock is exactly the situation that should be avoided by all means.

    Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The dear editors generally recommend treating any opinions with healthy skepticism.
