Adobe Hack: What to expect now…

So OK… another big one got hacked. A huge list of mail addresses, hashed passwords and password hints (if defined) leaked to the public. In other words: a 3.x GB tar.gz full of accounts…

So what to expect:
- The affected mail addresses will receive spam. I’ve already seen targeted spam to some affected addresses.
- In case the encrypted passwords get decrypted, ISPs will have a hard time fighting misuse of their customers’ mailboxes. Unfortunately a lot of people still use their mailbox password for webshops etc., or use top-100 easy-to-hack credentials.
- Phishing is another option for the badboys. They now know which mail addresses have an Adobe account, so expect spear phishing for more data like credit card numbers, full addresses, phone numbers…

So, for mail server administrators: prepare yourself as well as you can for an increase in snowshoe attacks, because this kind of attack seems to be quite popular at the moment. You will see thousands of IPs, each sending only a small number of mails. You could/should also use Splunk for detecting the badboys: just grep your customers’ mail addresses out of the Adobe list, put them in a CSV, match that list against your SMTP-auth outgoing traffic logs in real time and watch for unusual behaviour.


watch for the 5xx

Just in case you want to identify some bad guys using your mail infrastructure for sending out spam…

Often these guys use bad recipient lists that produce 5xx “user unknown” responses.

The count per timespan is a pretty good indicator.
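Both checks from this post, matching authenticated senders against the leaked-address list and counting 5xx rejects per timespan, as an added Python example (not Splunk, and not code from the original post); the log line format, field names, window size and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample outgoing SMTP-auth log lines (hypothetical format, not real data).
SAMPLE_LOG = """\
2013-11-05T10:00:01 auth=alice@example.net to=bob@example.org status=250 OK
2013-11-05T10:00:05 auth=carol@example.net to=x1@nowhere.invalid status=550 user unknown
2013-11-05T10:00:09 auth=carol@example.net to=x2@nowhere.invalid status=550 user unknown
2013-11-05T10:00:12 auth=carol@example.net to=x3@nowhere.invalid status=550 user unknown
2013-11-05T10:00:15 auth=carol@example.net to=x4@nowhere.invalid status=550 user unknown
2013-11-05T10:00:20 auth=alice@example.net to=y@nowhere.invalid status=550 user unknown
2013-11-05T10:20:00 auth=carol@example.net to=x5@nowhere.invalid status=550 user unknown
"""

# Constructed watchlist: your customers' addresses that appear in the leaked list.
WATCHLIST = {"carol@example.net"}

# Assumed log format: "<iso timestamp> auth=<sender> to=<rcpt> status=<code> ..."
LINE_RE = re.compile(r"^(\S+) auth=(\S+) to=\S+ status=(\d{3})")

def parse(log):
    """Yield (timestamp, authenticated sender, SMTP status code) per parsable line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def count_5xx(log, window_minutes=10):
    """Count 5xx responses per (sender, time-window start) bucket."""
    counts = defaultdict(int)
    for ts, auth, status in parse(log):
        if status.startswith("5"):
            bucket = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                                second=0, microsecond=0)
            counts[(auth, bucket)] += 1
    return dict(counts)

def flag_suspicious(log, threshold=3, window_minutes=10):
    """Senders whose 5xx count in one window reaches the threshold; leaked accounts sort first."""
    flagged = []
    for (auth, bucket), n in count_5xx(log, window_minutes).items():
        if n >= threshold:
            flagged.append({"account": auth, "window": bucket.isoformat(),
                            "rejects": n, "in_leak": auth in WATCHLIST})
    return sorted(flagged, key=lambda f: (not f["in_leak"], -f["rejects"]))
```

With the sample above only carol@example.net is flagged (four rejects in the 10:00 window); alice's single reject stays below the threshold.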