Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/6/2009
03:37 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Tens Of Thousands Of Email Usernames And Passwords Posted Online By Phishers

Hotmail, Gmail, Yahoo, and other email users' accounts exposed

Lists containing tens of thousands of stolen email account usernames and passwords have shown up online during the past few days in what researchers say likely came out of multiple phishing attacks.

Most of the accounts were from Microsoft's Hotmail, but Google's Gmail, Yahoo, Comcast, and Earthlink accounts also showed up on lists posted on Pastebin.com, a site typically used for developers to share code. Neowin reported yesterday that 10,000 or so Hotmail account details were posted online on October 1, and since then, several other lists were discovered that include email accounts from Gmail and the other providers.

Microsoft and Google both confirmed some of the account information is legitimate, and that the information was likely stolen via phishing scams, not breaches of their mail systems. Just how those phishing scams were executed is unknown so far.

So why did they post it? "My guess is that they are trying to sell it," says Beth Jones, a threat researcher with Sophos Labs. "It may have been [posted] to raise interest, and to make sure what they were providing is genuine information."

Jamz Yaneza, a threat expert with Trend Micro, says he thinks someone was testing malware and using the Pastebin site as a "scratch pad" because the site allows anonymous posting.

This big breach of the email data comes at a time when security researchers have been hotly debating whether phishing is on the decline. Recent reports from both IBM and Symantec indicate that phishing attacks are decreasing: IBM, for example found that phishing made up 0.1 percent of all spam the first half of 2009, down from 0.2 to 0.9 percent in the first half of 2008. MarkMonitor, meanwhile, says phishing attacks during the second quarter of this year were record-breaking, with more than 151,000 unique attacks and an average of 351 attacks against an organization.

"Phishing is not on the decline," says Joshua Perrymon, CEO of PacketFocus. "Phishing attacks are definitely on the rise and will continue to be a problem. One issue is that people don't know that they are being phished, so most of the reports will not reflect all the attacks."

Perrymon says the email lists posted on Pastebin.com appear to have been the result of phishing scams that had been going on for a while. "There were several phishing sites set up to capture the credentials and even send out more phishing emails to Microsoft Messenger contacts," he says.

He says he and his team launch weekly phishing attacks on their clients' end users, and they rarely see much improvement in users' behaviors. "Actually, 90 percent of the companies we test have never had a directed phishing assessment before, and we are still seeing a 75 to 80 percent response to the phishing emails we send," Perrymon says. "Even if companies have dedicated email gateway hardware, we are able to bypass even the most advanced filters with certain evasion techniques."

An Acunetix researcher, meanwhile, was able to get a copy of the Hotmail email list before the Pastebin site went down for maintenance, and he did some analysis on the passwords. He says the attacks on the Hotmail accounts likely came via a low-level phishing kit because it didn't authenticate users to the Microsoft Hotmail Live site.

"I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong," blogged Acunetix's Bogdan Calin today.

Calin also found that of the 10,028 accounts, 9,843 were valid. And many used weak passwords: The most popular password was "123456," for example.

"Forty-two percent were very weak passwords," Sophos' Jones says. "Most were between six and nine characters, and all lowercase."

Trend Micro's Yaneza says the subsequent round of accounts posted from Gmail, Yahoo, and others may just be the same Hotmail victims: "I'm afraid it's people who use the same login and password [for multiple email accounts], so it's hard to put a number on how much damage [this is]," he says.

Users should change their passwords every month or so given the threats out there today, Yaneza says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3571
PUBLISHED: 2019-07-16
An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.
CVE-2019-6160
PUBLISHED: 2019-07-16
A vulnerability in various versions of Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.
CVE-2019-9700
PUBLISHED: 2019-07-16
Norton Password Manager, prior to 6.3.0.2082, may be susceptible to an address spoofing issue. This type of issue may allow an attacker to disguise their origin IP address in order to obfuscate the source of network traffic.
CVE-2019-12990
PUBLISHED: 2019-07-16
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow Directory Traversal.
CVE-2019-12991
PUBLISHED: 2019-07-16
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).