Vulnerabilities / Threats
10/6/2009
03:37 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Tens Of Thousands Of Email Usernames And Passwords Posted Online By Phishers

Hotmail, Gmail, Yahoo, and other email users' accounts exposed

Lists containing tens of thousands of stolen email account usernames and passwords have shown up online during the past few days in what researchers say likely came out of multiple phishing attacks.

Most of the accounts were from Microsoft's Hotmail, but Google's Gmail, Yahoo, Comcast, and Earthlink accounts also showed up on lists posted on Pastebin.com, a site typically used for developers to share code. Neowin reported yesterday that 10,000 or so Hotmail account details were posted online on October 1, and since then, several other lists were discovered that include email accounts from Gmail and the other providers.

Microsoft and Google both confirmed some of the account information is legitimate, and that the information was likely stolen via phishing scams, not breaches of their mail systems. Just how those phishing scams were executed is unknown so far.

So why did they post it? "My guess is that they are trying to sell it," says Beth Jones, a threat researcher with Sophos Labs. "It may have been [posted] to raise interest, and to make sure what they were providing is genuine information."

Jamz Yaneza, a threat expert with Trend Micro, says he thinks someone was testing malware and using the Pastebin site as a "scratch pad" because the site allows anonymous posting.

This big breach of the email data comes at a time when security researchers have been hotly debating whether phishing is on the decline. Recent reports from both IBM and Symantec indicate that phishing attacks are decreasing: IBM, for example found that phishing made up 0.1 percent of all spam the first half of 2009, down from 0.2 to 0.9 percent in the first half of 2008. MarkMonitor, meanwhile, says phishing attacks during the second quarter of this year were record-breaking, with more than 151,000 unique attacks and an average of 351 attacks against an organization.

"Phishing is not on the decline," says Joshua Perrymon, CEO of PacketFocus. "Phishing attacks are definitely on the rise and will continue to be a problem. One issue is that people don't know that they are being phished, so most of the reports will not reflect all the attacks."

Perrymon says the email lists posted on Pastebin.com appear to have been the result of phishing scams that had been going on for a while. "There were several phishing sites set up to capture the credentials and even send out more phishing emails to Microsoft Messenger contacts," he says.

He says he and his team launch weekly phishing attacks on their clients' end users, and they rarely see much improvement in users' behaviors. "Actually, 90 percent of the companies we test have never had a directed phishing assessment before, and we are still seeing a 75 to 80 percent response to the phishing emails we send," Perrymon says. "Even if companies have dedicated email gateway hardware, we are able to bypass even the most advanced filters with certain evasion techniques."

An Acunetix researcher, meanwhile, was able to get a copy of the Hotmail email list before the Pastebin site went down for maintenance, and he did some analysis on the passwords. He says the attacks on the Hotmail accounts likely came via a low-level phishing kit because it didn't authenticate users to the Microsoft Hotmail Live site.

"I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong," blogged Acunetix's Bogdan Calin today.

Calin also found that of the 10,028 accounts, 9,843 were valid. And many used weak passwords: The most popular password was "123456," for example.

"Forty-two percent were very weak passwords," Sophos' Jones says. "Most were between six and nine characters, and all lowercase."

Trend Micro's Yaneza says the subsequent round of accounts posted from Gmail, Yahoo, and others may just be the same Hotmail victims: "I'm afraid it's people who use the same login and password [for multiple email accounts], so it's hard to put a number on how much damage [this is]," he says.

Users should change their passwords every month or so given the threats out there today, Yaneza says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.