Massive Phishing Campaign Hits Multiple Email Services

nandemoari writes "It seems as if the massive phishing campaign reported yesterday was not specific to Hotmail, as was initially believed. According to a report by the BBC, many Gmail and Yahoo Mail accounts have also been compromised. Earthlink, Comcast, and AOL were also affected. While the source of the latest attacks has not been determined, many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail. Microsoft has done their part in blocking all known hijacked Hotmail accounts and created tools to help users who had lost control of their email. An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.' On their end, Google responded to the attacks by forcing password resets on the affected accounts."
  • by TheRaven64 ( 641858 ) on Wednesday October 07, 2009 @01:42PM (#29672021) Journal
    For your example, you might consider using a park that has some significance to you and capitalise the proper nouns, and numbers that actually make sense, to get something that is easier to remember. For example:

    'Ten minutes to Central Park, and eat pretzels' becomes 10mtCP,&ep, which is trivial to remember for you (well, it is if you live ten minutes from Central Park and like pretzels). Keeping the punctuation in doesn't make it any harder to remember but adds another non-alphanumeric character. And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember, turns into a ten symbol password, containing letters (upper and lowercase) and punctuation, which is incredibly difficult to brute force.

  • Re:Top 20 Passwords (Score:3, Interesting)
    by Teun ( 17872 ) on Wednesday October 07, 2009 @01:45PM (#29672053)
    Which tells me there is an unusual number of Latino users among the 10K.
  • by crunch_ca ( 972937 ) on Wednesday October 07, 2009 @01:52PM (#29672121)
    From the FA, the longest password hacked was: "lafaroleratropezoooooooooooooo" (30 characters).

    This was a phishing attack. The strength of the password didn't matter.

    The article talks about analysis of password data and doesn't really point out anything we didn't know already.

  • by TheRaven64 ( 641858 ) on Wednesday October 07, 2009 @02:12PM (#29672361) Journal
    With the Psion Series 3, you could enter characters by their ASCII code (no unicode, this was 1993) by holding down a modifier. I thought this would be great for a password; no one would ever guess that they had to hold down a modifier while entering some digits in the middle of the password. It turned out that the password entry box in the settings pane did, indeed, allow this kind of thing. Unfortunately, the first time I locked the device afterwards, I discovered that the password entry box for unlocking did not. That said, I haven't come across anything for a long time that didn't allow upper and lower case and numeric fields (although some discarded the case information). A few don't allow non-alphanumerics, but it's easy to just omit them from the passwords for those sites.
  • by vanyel ( 28049 ) * on Wednesday October 07, 2009 @02:34PM (#29672651) Journal

    Saturday, the small ISP I work for had about 1000 users targeted with phishing emails. It's becoming a nearly weekly occurrence, though that was the largest so far. I've had to set up scripts to scan the logs to see who got the messages, send them warning messages, then scan the logs again to see who replied and reset their passwords. In one case, we had a spammer using a responder's account to try to send spam within 2 hours of the response. Squirrelmail is the most common vector, with smtp auth not uncommon. I've had to impose strict rate limit controls on squirrelmail to keep from getting blacklisted all the time; I've got monitors to page me when smtp auth rates get too high, but the false positive rate is too high to impose hard limits at the moment, though we're heading in that direction.

    BTW, it's not a good idea to respond to phishers with "F! off" etc: more than one responder doing that has found their address used shortly thereafter in the From of the next round of spam...
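The two-pass log scan vanyel describes above (first, who received the phishing message and should be warned; second, who later replied to the phisher and needs a password reset), as an added example that is not vanyel's own script. It assumes a constructed, simplified log format with `from=`/`to=` fields and a known phisher address; a real MTA log would need its own parser.

```python
import re
from datetime import datetime

# Constructed sample log lines in a simplified format (assumption, not any
# real MTA's log format): "<timestamp> from=<addr> to=<addr>".
SAMPLE_LOG = """\
2009-10-03 08:01:10 from=phisher@example.net to=alice@isp.example
2009-10-03 08:01:11 from=phisher@example.net to=bob@isp.example
2009-10-03 08:01:12 from=phisher@example.net to=carol@isp.example
2009-10-03 09:30:00 from=bob@isp.example to=phisher@example.net
2009-10-03 09:45:00 from=dave@isp.example to=friend@example.org
2009-10-03 11:20:00 from=carol@isp.example to=phisher@example.net
2009-10-03 12:00:00 from=alice@isp.example to=friend@example.org
"""

LINE_RE = re.compile(r"^(\S+ \S+) from=(\S+) to=(\S+)$")


def parse_log(text):
    """Yield (timestamp, sender, recipient) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def phishing_recipients(entries, phisher):
    """Pass 1: local users who received mail from the phisher (send warnings)."""
    return sorted({to for _, frm, to in entries if frm == phisher})


def responders(entries, phisher):
    """Pass 2: users who wrote back to the phisher after receiving the lure
    (reset these passwords; the reply is assumed to contain credentials)."""
    first_seen = {}
    for ts, frm, to in entries:
        if frm == phisher:
            first_seen.setdefault(to, ts)
    hits = set()
    for ts, frm, to in entries:
        if to == phisher and frm in first_seen and ts > first_seen[frm]:
            hits.add(frm)
    return sorted(hits)


if __name__ == "__main__":
    log = list(parse_log(SAMPLE_LOG))
    print("warn:", phishing_recipients(log, "phisher@example.net"))
    print("reset:", responders(log, "phisher@example.net"))
```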
