Vulnerabilities / Threats

10/6/2009
03:37 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Tens Of Thousands Of Email Usernames And Passwords Posted Online By Phishers

Hotmail, Gmail, Yahoo, and other email users' accounts exposed

Lists containing tens of thousands of stolen email account usernames and passwords have shown up online during the past few days in what researchers say likely came out of multiple phishing attacks.

Most of the accounts were from Microsoft's Hotmail, but Google's Gmail, Yahoo, Comcast, and Earthlink accounts also showed up on lists posted on Pastebin.com, a site typically used for developers to share code. Neowin reported yesterday that 10,000 or so Hotmail account details were posted online on October 1, and since then, several other lists were discovered that include email accounts from Gmail and the other providers.

Microsoft and Google both confirmed some of the account information is legitimate, and that the information was likely stolen via phishing scams, not breaches of their mail systems. Just how those phishing scams were executed is unknown so far.

So why did they post it? "My guess is that they are trying to sell it," says Beth Jones, a threat researcher with Sophos Labs. "It may have been [posted] to raise interest, and to make sure what they were providing is genuine information."

Jamz Yaneza, a threat expert with Trend Micro, says he thinks someone was testing malware and using the Pastebin site as a "scratch pad" because the site allows anonymous posting.

This big breach of the email data comes at a time when security researchers have been hotly debating whether phishing is on the decline. Recent reports from both IBM and Symantec indicate that phishing attacks are decreasing: IBM, for example found that phishing made up 0.1 percent of all spam the first half of 2009, down from 0.2 to 0.9 percent in the first half of 2008. MarkMonitor, meanwhile, says phishing attacks during the second quarter of this year were record-breaking, with more than 151,000 unique attacks and an average of 351 attacks against an organization.

"Phishing is not on the decline," says Joshua Perrymon, CEO of PacketFocus. "Phishing attacks are definitely on the rise and will continue to be a problem. One issue is that people don't know that they are being phished, so most of the reports will not reflect all the attacks."

Perrymon says the email lists posted on Pastebin.com appear to have been the result of phishing scams that had been going on for a while. "There were several phishing sites set up to capture the credentials and even send out more phishing emails to Microsoft Messenger contacts," he says.

He says he and his team launch weekly phishing attacks on their clients' end users, and they rarely see much improvement in users' behaviors. "Actually, 90 percent of the companies we test have never had a directed phishing assessment before, and we are still seeing a 75 to 80 percent response to the phishing emails we send," Perrymon says. "Even if companies have dedicated email gateway hardware, we are able to bypass even the most advanced filters with certain evasion techniques."

An Acunetix researcher, meanwhile, was able to get a copy of the Hotmail email list before the Pastebin site went down for maintenance, and he did some analysis on the passwords. He says the attacks on the Hotmail accounts likely came via a low-level phishing kit because it didn't authenticate users to the Microsoft Hotmail Live site.

"I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong," blogged Acunetix's Bogdan Calin today.

Calin also found that of the 10,028 accounts, 9,843 were valid. And many used weak passwords: The most popular password was "123456," for example.

"Forty-two percent were very weak passwords," Sophos' Jones says. "Most were between six and nine characters, and all lowercase."

Trend Micro's Yaneza says the subsequent round of accounts posted from Gmail, Yahoo, and others may just be the same Hotmail victims: "I'm afraid it's people who use the same login and password [for multiple email accounts], so it's hard to put a number on how much damage [this is]," he says.

Users should change their passwords every month or so given the threats out there today, Yaneza says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9019
PUBLISHED: 2019-02-22
The British Airways Entertainment System, as installed on Boeing 777-36N(ER) and possibly other aircraft, does not prevent the USB charging/data-transfer feature from interacting with USB keyboard and mouse devices, which allows physically proximate attackers to conduct unanticipated attacks against...
CVE-2019-9015
PUBLISHED: 2019-02-22
A Path Traversal vulnerability was discovered in MOPCMS through 2018-11-30, leading to deletion of unexpected critical files. The exploitation point is in the "column management" function. The path added to the column is not verified. When a column is deleted by an attacker, the correspond...
CVE-2019-9016
PUBLISHED: 2019-02-22
An XSS vulnerability was discovered in MOPCMS through 2018-11-30. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[name] parameter in a mod=column request, as demonstrated by the /mopcms/X0AZgf(index).php?mod=column&ac=list&menuid=28&am...
CVE-2018-20784
PUBLISHED: 2019-02-22
In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load.
CVE-2019-9003
PUBLISHED: 2019-02-22
In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a "service ipmievd restart" loop.