Hacking Yahoo, Gmail or any Bank accounts.

Here I will not be providing a PoC for hacking into these mail accounts. I will describe the methodology that can be used to hack into any of them. The real effort will be yours. :)

Let's start without any more disclaimer speech and the like.

Roughly, the techniques mentioned below are used to hack into any email account.

1. Shoulder Surfing:

This simply means watching the password being typed on the keyboard by the victim. Many people type passwords cautiously, allowing a person standing nearby to see and memorize the keys pressed. This is the simplest and an effective method to get passwords for anything. A suggestion: at least practice typing your passwords so that you type them too fast to be followed by an average person.

2. Locally stored passwords

When you click an option such as "remember me" or allow the browser to remember your passwords, an adversary with access to your system can browse to the location or registry key where the password is saved, in clear text or in encrypted form. Encrypting passwords does not help in some cases, as they can be decrypted (if a non-standard algorithm is used or the key is available) or used in a replay attack. A suggestion: avoid saving passwords, at least for critical accounts.

3. Brute Forcing

This won't work in today's scenarios, as most applications are invulnerable to brute-forcing. But a few pages may not be, such as a reset-password form where, after the secret question is answered, the application shows the newly reset password (instead of mailing it to a secondary account). A suggestion: always have a secondary account configured.
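From the defender's side, the reset form described above needs the same throttling as the login page, and it should never display the new password. The sketch below is an added example, not code from the original post or from any mail provider; the `ResetGuard` class, the policy constants and the PBKDF2 storage of the secret answer are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_FAILURES = 5          # assumed policy: wrong answers allowed per window
WINDOW_SECONDS = 15 * 60  # assumed policy: length of the counting window


def answer_digest(answer, salt):
    """Slow salted hash of a normalized secret answer."""
    normalized = answer.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, 100_000)


class ResetGuard:
    """Per-account throttle for secret-question guesses (hypothetical)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}  # account -> timestamps of recent wrong answers

    def _recent(self, account):
        cutoff = self._clock() - WINDOW_SECONDS
        kept = [t for t in self._failures.get(account, []) if t > cutoff]
        self._failures[account] = kept
        return kept

    def check_answer(self, account, supplied, salt, stored):
        """Return 'locked', 'wrong' or 'sent'; never a password."""
        failures = self._recent(account)
        if len(failures) >= MAX_FAILURES:
            return "locked"  # refuse before even evaluating the guess
        if not hmac.compare_digest(answer_digest(supplied, salt), stored):
            failures.append(self._clock())
            return "wrong"
        self._failures.pop(account, None)
        # Deliver the reset link to the secondary address out of band;
        # the HTTP response carries only this status string.
        return "sent"
```

Once the limit is reached, even the correct answer is refused until the window expires, so guessing the answer cannot be done at form speed.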

4. Sniffing

Sniffers, the tools that capture packets flowing on the Ethernet wire, are freely available on the net. An attacker can use one in combination with a MitM (man-in-the-middle) attack to capture packets on the LAN. As an end user, I am not aware of any solution that can be applied from my side to protect myself from a MitM attack. A tip-off: if you receive a certificate alert for websites certified by well-known CAs (certification authorities such as Verisign), you may be under attack.

5. Keylogger/Trojans

The simplest way is gifting the victim a game (a trojan) and making him play it. The user, unaware of the malicious program running in the background, has already fallen prey to it. All his keystrokes can be logged and emailed to the attacker periodically. A suggestion: update your antivirus and anti-spyware programs daily. Just updating is not enough; do periodic scans. A local firewall like ZoneAlarm will add to your system's security. And never accept files from unknown (or suspiciously known) users.

6. Phishing

This is a very common form of attack. An attacker builds a clone of the targeted site's login page and entices the victim to log into it. Once the victim enters his login credentials, they are mailed to the attacker. From the user's point of view, always check the URL in the address bar before logging in. Web developers can use an anti-phishing technique such as a sign-in seal (Yahoo has implemented it), which helps end users identify whether the site is genuine or fake. This solution can't be applied where the attacker has combined phishing with DNS spoofing. (Metasploit PoC)
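"Check the URL" in practice means checking the host the browser will actually contact, not whether a familiar name appears somewhere in the address. The function below is an added example, not part of the original post; `check_login_url` and the allowlist of expected login hosts are assumptions, and the test URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the hosts this user really expects to sign in on.
EXPECTED_LOGIN_HOSTS = {"login.yahoo.com", "accounts.google.com"}


def check_login_url(url, expected=EXPECTED_LOGIN_HOSTS):
    """Return (ok, reason) for a URL that is about to receive credentials."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        userinfo = parts.username
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if userinfo is not None:
        # In https://login.yahoo.com@evil.example/ the real host is
        # evil.example; everything before '@' is only a user name.
        return False, "userinfo before host"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return False, "internationalized label (possible homograph)"
    if host in expected:
        return True, "exact match"
    if any(good in host for good in expected):
        # e.g. login.yahoo.com.evil.example is owned by evil.example
        return False, "expected name embedded in a different host"
    return False, "unknown host"
```

A name check like this says nothing about DNS spoofing, where the name is right and the server is not; there the signal is the certificate alert mentioned under Sniffing.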

7. Social Engineering

I simply call it hacking human brains. This is the most effective technique of all. The only solution to it is end-user education. It can be as simple as directly asking “Please give me your password”, or as elaborate as the example described here. This is a well-known example. Most of you might have seen the mail or document below, saying that (for example) Yahoo has a vulnerability and anyone’s password can be obtained by following these steps.

  • Log in to your own yahoo account. Note: Your account must be at least 30 days old for this to work.
  • Once you have logged into your own account, compose an e-mail to: hack_other_acc@yahoo.com (actually attacker’s email id)
    This is a mailing address to the Yahoo Staff. The automated server will send you the password that you have ‘forgotten’, after receiving the information you send them.
  • In the subject line type exactly: password retrieve.
  • On the first line of your mail write the email address of the person you want to hacking.
  • On the second line type in the e-mail address you are using.
  • On the third line type in the password to YOUR email address (your OWN password). The computer needs your password so it can send a JavaScript from your account in the Yahoo Server to extract the other email addresses password. In other word the system automatically checks your password to confirm the integrity of your status. Remember you are sending your password to a machine not a man. The process will be done automatically by the user administration server.

In addition to the above message, the attacker sometimes requests a few more steps in order to get the victim to send his account name and password.

Remember that there is no such Yahoo bot, or bot for any other account, that can help you retrieve the passwords of others’ accounts. There are even some who claim to have a tool to do it. The tool actually asks you to log into your account through it first, and once you try logging in (boom, they now have your password) it throws some junk error, such as an application crash, to avoid making the victim suspicious. There is so much more to this section that a book could be written. For now, you can watch this YouTube video to see how those lamers try to fool users.

Retrieve password Email trick

8. Web Vulnerabilities.

Some insecure application coding can be exploited to get the passwords or sessions of other users. These flaws are a bit difficult to exploit, or by the time you try exploiting them, Yahoo or Gmail might have patched them. The vulnerabilities can be XSS, SQLi, CSRF, or the recently hyped clickjacking and surfjacking. There are a lot more on the list. Some might not have been patched because they have not been disclosed yet; these can be categorized as private vulnerabilities (known to very few hackers).

Hacking Gmail with CSRF and Google Bookmarks and Notebook XSS (both already patched by Google)

Hope this post is informative. :)

12 Responses to “Hacking Yahoo, Gmail or any Bank accounts.”

  1. Ne0 says:

    Hey w0lf ! This sounds quite interesting…. Specially the myth about yahoo password recovery steps that you have mentioned is really eye-opener. Still many users are caught in this trap…. Nice informative post.

  2. w0lf says:

    Yes. you are right. Still many people fall prey to these old and witty attacks :)

  3. Robin says:

    Of course, as they are busy with their daily schedules they normally forget these things..

    I Like that SE Topic :)

  4. prakash says:

    hiw! it's very informative.. I remember once I was fooled by someone,
    and revealed my ID and password…

  5. AYush says:

    i hv tried tis trick many times but tis didnt worked soo if ny1 of u cud help me get password or these ID’s it wud b really gr8
    1 vartikagupta80@yahoo.com
    2 tia_sexygurl16@yahoo.com

    itz wl b really gr8 ma ID is theonlysurvivor@yahoo.com

    plzzz help

  6. rockstar says:

    all these are 20th century tricks.None of our F***k.

  7. het says:

    plz somebody hacked my yahoo account and i want it back plz help me

    het_vakil_1996@yahoo.com

  8. Tuffy says:

    I tried this trick but it did not work.
    I req. the password of this ID,
    annabrage1975@yahoo.com

  9. Bodey says:

    hmm .. another great post.I guess many users like your posts, bookmarked your blog, thanks~~

  10. Lusi Drfer says:

    Very good. And what other people think?

  11. me says:

    hey guys can u plz help
    i have forgotten my password for yahoo and i have forgotten the information too cuz i had a prob and i had to change the information and now i need it and i have msged yahoo customer care but nothing happened they didnt help me. and it has been like a year but now i really need it. if u can help please help me.
