Vulnerabilities / Threats

10/6/2009
03:37 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Tens Of Thousands Of Email Usernames And Passwords Posted Online By Phishers

Hotmail, Gmail, Yahoo, and other email users' accounts exposed

Lists containing tens of thousands of stolen email account usernames and passwords have shown up online during the past few days in what researchers say likely came out of multiple phishing attacks.

Most of the accounts were from Microsoft's Hotmail, but Google's Gmail, Yahoo, Comcast, and Earthlink accounts also showed up on lists posted on Pastebin.com, a site typically used for developers to share code. Neowin reported yesterday that 10,000 or so Hotmail account details were posted online on October 1, and since then, several other lists were discovered that include email accounts from Gmail and the other providers.

Microsoft and Google both confirmed some of the account information is legitimate, and that the information was likely stolen via phishing scams, not breaches of their mail systems. Just how those phishing scams were executed is unknown so far.

So why did they post it? "My guess is that they are trying to sell it," says Beth Jones, a threat researcher with Sophos Labs. "It may have been [posted] to raise interest, and to make sure what they were providing is genuine information."

Jamz Yaneza, a threat expert with Trend Micro, says he thinks someone was testing malware and using the Pastebin site as a "scratch pad" because the site allows anonymous posting.

This big breach of the email data comes at a time when security researchers have been hotly debating whether phishing is on the decline. Recent reports from both IBM and Symantec indicate that phishing attacks are decreasing: IBM, for example found that phishing made up 0.1 percent of all spam the first half of 2009, down from 0.2 to 0.9 percent in the first half of 2008. MarkMonitor, meanwhile, says phishing attacks during the second quarter of this year were record-breaking, with more than 151,000 unique attacks and an average of 351 attacks against an organization.

"Phishing is not on the decline," says Joshua Perrymon, CEO of PacketFocus. "Phishing attacks are definitely on the rise and will continue to be a problem. One issue is that people don't know that they are being phished, so most of the reports will not reflect all the attacks."

Perrymon says the email lists posted on Pastebin.com appear to have been the result of phishing scams that had been going on for a while. "There were several phishing sites set up to capture the credentials and even send out more phishing emails to Microsoft Messenger contacts," he says.

He says he and his team launch weekly phishing attacks on their clients' end users, and they rarely see much improvement in users' behaviors. "Actually, 90 percent of the companies we test have never had a directed phishing assessment before, and we are still seeing a 75 to 80 percent response to the phishing emails we send," Perrymon says. "Even if companies have dedicated email gateway hardware, we are able to bypass even the most advanced filters with certain evasion techniques."

An Acunetix researcher, meanwhile, was able to get a copy of the Hotmail email list before the Pastebin site went down for maintenance, and he did some analysis on the passwords. He says the attacks on the Hotmail accounts likely came via a low-level phishing kit because it didn't authenticate users to the Microsoft Hotmail Live site.

"I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong," blogged Acunetix's Bogdan Calin today.

Calin also found that of the 10,028 accounts, 9,843 were valid. And many used weak passwords: The most popular password was "123456," for example.

"Forty-two percent were very weak passwords," Sophos' Jones says. "Most were between six and nine characters, and all lowercase."

Trend Micro's Yaneza says the subsequent round of accounts posted from Gmail, Yahoo, and others may just be the same Hotmail victims: "I'm afraid it's people who use the same login and password [for multiple email accounts], so it's hard to put a number on how much damage [this is]," he says.

Users should change their passwords every month or so given the threats out there today, Yaneza says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...
CVE-2018-16515
PUBLISHED: 2018-09-18
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
CVE-2018-16794
PUBLISHED: 2018-09-18
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls.