Since the widespread adoption of the Internet in the 1990s, many internet providers and online companies have offered free email to anyone able to come up with a username. You’re probably familiar with many of these, including Yahoo!, AOL and Gmail. Many small and medium businesses (SMBs) have also adopted free email providers as a way to communicate with their customers. Humans are creatures of habit, and few online habits are harder to change than our email address!
Unfortunately, with many free email providers you get what you pay for in terms of security and logging. Many of these free services offer strong multifactor authentication and other protections against unauthorized access; however, they often lack the capability to provide audit logs for access to those accounts. The logs may not show which devices accessed the account or where those devices were, and the data may not be retained for long.
If threat actors get into an email account, they will often use the access to commit various forms of wire fraud to steal money. They may redirect wire transfers or steal employee information such as W-2s and other sensitive data. Some will even send malware to business partners or clients from the compromised account. They may also use the access to pivot into other systems and deploy ransomware.
This sort of unauthorized access is extremely common and is often called one of the most common forms of cybercrime. In 2021, over $2 billion in losses from business email compromise (BEC) were reported to the FBI.
This blog post will look at a couple of free email providers and their shortcomings when it comes to audit logging. The logs these free services provide are limited in what they show and ultimately may not help investigators answer every question about what unauthorized access occurred.
AOL and Yahoo! Email
Two of the biggest free email vendors online are AOL and Yahoo. Both brands were bought by Verizon and later sold again. In 2018, the underlying email infrastructure for the two providers was merged, so if you look at Yahoo or AOL email you will notice a lot of similarities in the account management screens. For the purposes of this blog post I’ll refer to AOL, but Yahoo is very similar.
Within AOL Email, users can review their recent activity in the Account > Recent Activity pane (https://login.aol.com/myaccount/activity/). The data will show recent devices that have logged in and other changes such as enabling or disabling multifactor authentication.
If a user logs in to their account from a separate email program instead of a web browser, that will also appear in this view. Devices may include:
- Mozilla Thunderbird will show as Virtual gecko
- Windows Mail will show as IE, Windows
Logging in from these alternative programs requires the user to connect as an app, as shown in the screenshot above on the right. When a user resets their password in AOL mail, all connected devices are logged out and disappear from the list of connected devices. Note that changing the password does not revoke the app’s access grant; it only logs the device out.
What’s missing from these views, from an investigative perspective, is data about what items could have been accessed and how the mailbox was accessed. Once devices are no longer listed as connected, an investigator may no longer be able to see which devices logged in, where they were, or which method they used. And if someone logged in with an alternative email program like Thunderbird, they could have downloaded the entire mailbox over IMAP in a single session.
This means you will have very limited visibility into what could have been accessed and whether the entire mailbox was downloaded. A conservative investigator or breach coach may require that the entire mailbox be treated as compromised and that all affected individuals be notified.
Free Google Mail (Gmail)
Google offers multiple forms of its email service, including Gmail for free and Google Workspace for companies. Google Workspace offers advanced security and auditing features, such as logging which documents have been viewed or edited by which users. Free Gmail does not offer these centralized features; however, its logging is more robust than AOL’s.
For example, if you scroll to the bottom of the Gmail inbox, you can open your recent activity ("Last account activity") in a pop-out window, which lists recent sessions by access type (browser, IMAP, POP, mobile), IP address and time. From there you can also run the Security Checkup, which lists actionable items to improve security: https://myaccount.google.com/security-checkup/
The Security Checkup will show items that could be concerning, such as email forwarding, third-party app access, and unusual activity. Still, even with these views it is difficult and time-consuming to build a good picture of all the data that could have been accessed by someone with unauthorized access to the account. Ultimately, an investigator and/or breach coach may determine that the most conservative approach is to treat all emails and documents in a free Gmail account as compromised.
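The forwarding and filter settings that the Security Checkup surfaces are exactly the persistence mechanisms BEC actors leave behind: a copy of every message goes to an outside address, and filters bury anything about invoices or wire transfers so the owner never notices the conversation being hijacked. The Python below, added here as an example and not code from the original post, triages those settings the way a responder would during the first hour of an investigation. It runs only on constructed sample data shaped like the Gmail API resources returned by users.settings.getAutoForwarding, users.settings.forwardingAddresses.list and users.settings.filters.list; pulling live data needs an OAuth client with the gmail.settings.basic scope, which is omitted. The organisation domain acme.example, the attacker address and the filter IDs are all hypothetical.

```python
"""Triage Gmail forwarding and filter settings for BEC persistence.

Added example, not from the original post. Sample data below is constructed
and shaped like the Gmail API settings resources; no live API calls are made.
"""
import re

# Words attackers typically target when diverting payment traffic
# (constructed starting list; tune it for your organisation).
MONEY_WORDS = re.compile(
    r"\b(invoice|payment|wire|ach|remit(?:tance)?|bank|w-?2)\b", re.I)


def is_external(address, own_domain):
    """True when an address is not in the organisation's own domain."""
    return not address.lower().endswith("@" + own_domain.lower())


def triage_forwarding(auto_forwarding, forwarding_addresses, own_domain):
    """Flag account-level forwarding that copies all mail outside."""
    findings = []
    if auto_forwarding.get("enabled"):
        findings.append({"kind": "auto_forwarding",
                         "target": auto_forwarding.get("emailAddress"),
                         "disposition": auto_forwarding.get("disposition")})
    for entry in forwarding_addresses:
        addr = entry.get("forwardingEmail", "")
        if is_external(addr, own_domain):
            findings.append({"kind": "external_forwarding_address",
                             "target": addr,
                             "status": entry.get("verificationStatus")})
    return findings


def triage_filters(filters, own_domain):
    """Flag inbox filters that forward outside or hide payment-related mail."""
    findings = []
    for flt in filters:
        criteria = flt.get("criteria", {})
        action = flt.get("action", {})
        removed = set(action.get("removeLabelIds", []))
        added = set(action.get("addLabelIds", []))
        reasons = []
        target = action.get("forward")
        if target and is_external(target, own_domain):
            reasons.append(f"forwards matching mail to {target}")
        # Skipping the inbox, trashing or marking as spam all hide the message.
        hides = "INBOX" in removed or bool(added & {"TRASH", "SPAM"})
        # Criteria values are the sender, subject or search query being matched.
        criteria_text = " ".join(str(v) for v in criteria.values())
        if hides and MONEY_WORDS.search(criteria_text):
            reasons.append("hides payment-related mail from the inbox")
        if hides and "UNREAD" in removed:
            reasons.append("hides mail and marks it read so the owner never sees it")
        if reasons:
            findings.append({"kind": "filter", "id": flt.get("id"),
                             "reasons": reasons})
    return findings


def triage_mailbox(own_domain, auto_forwarding, forwarding_addresses, filters):
    """Combine both checks into one list of findings for the responder."""
    return (triage_forwarding(auto_forwarding, forwarding_addresses, own_domain)
            + triage_filters(filters, own_domain))


# Constructed sample data: one benign newsletter filter, one filter that
# trashes anything about payments, and one that forwards the CFO's mail out.
SAMPLE_AUTO_FORWARDING = {"enabled": True,
                          "emailAddress": "acme.invoices@example.net",
                          "disposition": "leaveInInbox"}
SAMPLE_FORWARDING_ADDRESSES = [{"forwardingEmail": "acme.invoices@example.net",
                                "verificationStatus": "accepted"}]
SAMPLE_FILTERS = [
    {"id": "filter-1", "criteria": {"from": "newsletter@example.org"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_12"]}},
    {"id": "filter-2", "criteria": {"query": "invoice OR wire OR payment"},
     "action": {"removeLabelIds": ["INBOX", "UNREAD"], "addLabelIds": ["TRASH"]}},
    {"id": "filter-3", "criteria": {"from": "cfo@acme.example"},
     "action": {"forward": "acme.invoices@example.net",
                "removeLabelIds": ["INBOX"]}},
]

if __name__ == "__main__":
    for finding in triage_mailbox("acme.example", SAMPLE_AUTO_FORWARDING,
                                  SAMPLE_FORWARDING_ADDRESSES, SAMPLE_FILTERS):
        print(finding)
```

The benign newsletter filter is deliberately left unflagged: skipping the inbox on its own is normal, and it is the combination with payment keywords, mark-as-read, or an external forward that marks a filter as attacker-created. Whatever this turns up, note that it only tells you what the attacker left configured, not what they read; that is the gap the rest of this post is about.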
Conclusions
The purpose of cybersecurity is to limit risk to a business or other organization. Adding robust security and auditing to email accounts helps limit risk by pinpointing what the threat actors could have accessed. If audit logs can’t show when threat actors gained access to a mailbox, it could mean they have been reading email for a long time (as in, since before the logs started being recorded). If your investigators have doubt about what data could have been accessed or downloaded, that potentially puts all data in the mailbox in scope for data breach notifications. Either outcome can make the data mining and the notifications to your customers and business partners expensive and time-consuming.
For all email users, it is important to enable multifactor authentication; for businesses, it is also important to ensure that proper audit logging is available to limit the scope of a forensic investigation. Free email tools do not provide the audit logging many businesses need to limit risk in the event of an account compromise.
Organizations should use mail providers like Google Workspace or Microsoft 365 (formerly Office 365) that have more robust logging and security controls. Google Workspace (paid) retains user audit logs for six months, and Microsoft 365 retains audit logs for 90 days on most subscriptions (one year on some higher-tier subscriptions). One more perk of Google Workspace or Microsoft 365 is centralized administration: you can manage more than one user’s access to email and documents.
Helm Information Security can help you review your current cybersecurity preparation and resilience. We can help you determine whether your email providers have enough logging to limit your risk, and can also help you prepare for what to do if your email accounts are accessed by someone who shouldn’t.