Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/6/2009
03:37 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Tens Of Thousands Of Email Usernames And Passwords Posted Online By Phishers

Hotmail, Gmail, Yahoo, and other email users' accounts exposed

Lists containing tens of thousands of stolen email account usernames and passwords have shown up online during the past few days in what researchers say likely came out of multiple phishing attacks.

Most of the accounts were from Microsoft's Hotmail, but Google's Gmail, Yahoo, Comcast, and Earthlink accounts also showed up on lists posted on Pastebin.com, a site typically used for developers to share code. Neowin reported yesterday that 10,000 or so Hotmail account details were posted online on October 1, and since then, several other lists were discovered that include email accounts from Gmail and the other providers.

Microsoft and Google both confirmed some of the account information is legitimate, and that the information was likely stolen via phishing scams, not breaches of their mail systems. Just how those phishing scams were executed is unknown so far.

So why did they post it? "My guess is that they are trying to sell it," says Beth Jones, a threat researcher with Sophos Labs. "It may have been [posted] to raise interest, and to make sure what they were providing is genuine information."

Jamz Yaneza, a threat expert with Trend Micro, says he thinks someone was testing malware and using the Pastebin site as a "scratch pad" because the site allows anonymous posting.

This big breach of the email data comes at a time when security researchers have been hotly debating whether phishing is on the decline. Recent reports from both IBM and Symantec indicate that phishing attacks are decreasing: IBM, for example found that phishing made up 0.1 percent of all spam the first half of 2009, down from 0.2 to 0.9 percent in the first half of 2008. MarkMonitor, meanwhile, says phishing attacks during the second quarter of this year were record-breaking, with more than 151,000 unique attacks and an average of 351 attacks against an organization.

"Phishing is not on the decline," says Joshua Perrymon, CEO of PacketFocus. "Phishing attacks are definitely on the rise and will continue to be a problem. One issue is that people don't know that they are being phished, so most of the reports will not reflect all the attacks."

Perrymon says the email lists posted on Pastebin.com appear to have been the result of phishing scams that had been going on for a while. "There were several phishing sites set up to capture the credentials and even send out more phishing emails to Microsoft Messenger contacts," he says.

He says he and his team launch weekly phishing attacks on their clients' end users, and they rarely see much improvement in users' behaviors. "Actually, 90 percent of the companies we test have never had a directed phishing assessment before, and we are still seeing a 75 to 80 percent response to the phishing emails we send," Perrymon says. "Even if companies have dedicated email gateway hardware, we are able to bypass even the most advanced filters with certain evasion techniques."

An Acunetix researcher, meanwhile, was able to get a copy of the Hotmail email list before the Pastebin site went down for maintenance, and he did some analysis on the passwords. He says the attacks on the Hotmail accounts likely came via a low-level phishing kit because it didn't authenticate users to the Microsoft Hotmail Live site.

"I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong," blogged Acunetix's Bogdan Calin today.

Calin also found that of the 10,028 accounts, 9,843 were valid. And many used weak passwords: The most popular password was "123456," for example.

"Forty-two percent were very weak passwords," Sophos' Jones says. "Most were between six and nine characters, and all lowercase."

Trend Micro's Yaneza says the subsequent round of accounts posted from Gmail, Yahoo, and others may just be the same Hotmail victims: "I'm afraid it's people who use the same login and password [for multiple email accounts], so it's hard to put a number on how much damage [this is]," he says.

Users should change their passwords every month or so given the threats out there today, Yaneza says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-33818
PUBLISHED: 2021-06-18
An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service.
CVE-2021-33820
PUBLISHED: 2021-06-18
An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67.Attacker could send a huge amount of TCP SYN packet to make web service's resource exhausted. Then the web server is denial-of-service.
CVE-2021-33822
PUBLISHED: 2021-06-18
An issue was discovered on 4GEE ROUTER HH70VB Version HH70_E1_02.00_22. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service.
CVE-2020-18442
PUBLISHED: 2021-06-18
Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file".
CVE-2021-3604
PUBLISHED: 2021-06-18
Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database.