Massive Phishing Campaign Hits Multiple Email Services

nandemoari writes "It seems as if the massive phishing campaign reported yesterday was not specific to Hotmail, as was initially believed. According to a report by the BBC, many Gmail and Yahoo Mail accounts have also been compromised. Earthlink, Comcast, and AOL were also affected. While the source of the latest attacks has not been determined, many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail. Microsoft has done their part in blocking all known hijacked Hotmail accounts and created tools to help users who had lost control of their email. An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.' On their end, Google responded to the attacks by forcing password resets on the affected accounts."
  • by Jeng ( 926980 ) on Wednesday October 07, 2009 @01:41PM (#29672001)

    It was an email saying that ones inbox was too full and to reply with username and password to have the limit increased.

  • Top 20 Passwords (Score:1, Informative)

    by osomoore ( 1446439 ) on Wednesday October 07, 2009 @01:41PM (#29672011)
    Top 20 most common passwords:
    123456 - 64
    123456789 - 18
    alejandra - 11
    111111 - 10
    alberto - 9
    tequiero - 9
    alejandro - 9
    12345678 - 9
    1234567 - 8
    estrella - 7
    iloveyou - 7
    daniel - 7
    000000 - 7
    roberto - 7
    654321 - 6
    bonita - 6
    sebastian - 6
    beatriz - 6
    mariposa - 5
    america - 5

    From 2 links deep (http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/)
  • by clone53421 ( 1310749 ) on Wednesday October 07, 2009 @01:49PM (#29672085) Journal

    And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember,

    Real grammar nazis also know that it wasn't a sentence.

  • by CrossChris ( 806549 ) on Wednesday October 07, 2009 @01:58PM (#29672189)

    How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link?

    It's trivially easy - remember, the affected fools were Windows "users". There was a huge spam campaign that sent mails that appeared, to a casual glance, to come from Hotmail. The mails asked users to log in to "Hotmail" using a convenient link in the email, because their account would soon "time out" if it was not used. When they logged in to the spurious website, they were thanked for their prompt action, and then advised to log out and restart their browser "for security", and then to log in to Hotmail again (which, of course, would work normally).

    There's one born every minute.....

  • by 4D6963 ( 933028 ) on Wednesday October 07, 2009 @01:59PM (#29672205)
    Huh??? I thought that was collected by phishing? Yeah, sorry for getting in the way of your ritual MS bashing, but it's something that can affect any service since it's essentially social engineering. Kind of.
  • Re:Wow! (Score:5, Informative)

    by clone53421 ( 1310749 ) on Wednesday October 07, 2009 @04:44PM (#29674295) Journal

    From the blog of the guy who actually did the research [acunetix.com], I'm deducing that those probably weren't valid passwords.

    An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin.

    ...Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail/Live website. I think it just returned an error message after grabbing the credentials.

      * The list initially contained 10,028 entries.
      * After I've cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).
      * There are 8931 (90%) unique passwords in the list.
      * The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
      * The shortest password was 1 char long : )

    In other words, the phishing scheme didn't bother to verify that the passwords were any good. Heck, it didn't even verify that a password was entered (he did say he cleared out all the username/no password entries). Not surprisingly, it also didn't make sure the password was of the proper length to be valid (this would have kicked out all the empty string passwords anyway).

    tl;dr: dumb people clicked the phishing link and entered their passwords. Smart people clicked the link and entered garbage. Garbage = bad data, which is what he ended up finding. (Seriously... I'm sure there are other people here who would knowingly go to the phishing page and deliberately enter garbage just to screw with the dicks who are trying to scam accounts.)
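As an added example (not code from the thread or from the acunetix post), here is a small Python script that applies the same clean-up and statistics described above to a constructed credential dump: it drops entries with no password, counts valid and unique passwords, finds the longest and shortest, lists the most common ones, and flags entries shorter than an assumed minimum length as likely garbage. The dump format (`username:password` per line) and the minimum length of 6 are assumptions.

```python
from collections import Counter

# Constructed sample dump in "username:password" form; these are made-up
# entries, not data from the Hotmail leak. Two lines carry no password.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:
carol@example.com:123456
dave@example.com:iloveyou
erin@example.com
frank@example.com:)
grace@example.com:longpasswordnobodycanguess
heidi@example.com:111111
ivan@example.com:123456
judy@example.com:iloveyou
"""

# Assumed policy minimum; anything shorter could never have been accepted
# by a real account system, so it is almost certainly junk input.
ASSUMED_MIN_LEN = 6


def parse_dump(text):
    """Return (user, password) pairs, skipping entries with no password."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # no separator at all: nothing was entered as a password
        user, _, password = line.partition(":")  # split on the first ':' only
        if password:  # drop "user:" lines with an empty password field
            entries.append((user, password))
    return entries


def summarize(entries, top_n=3, min_len=ASSUMED_MIN_LEN):
    """Compute the statistics the acunetix post reported, plus a junk count."""
    pws = [p for _, p in entries]
    counts = Counter(pws)
    return {
        "valid": len(pws),
        "unique": len(counts),
        "unique_pct": 100 * len(counts) / len(pws),
        "longest": max(pws, key=len),
        "shortest": min(pws, key=len),
        "too_short": sum(1 for p in pws if len(p) < min_len),
        "top": counts.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```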
