
Massive Phishing Campaign Hits Multiple Email Services

Posted by Soulskill
from the nowhere-to-run-to-baby dept.
nandemoari writes "It seems as if the massive phishing campaign reported yesterday was not specific to Hotmail, as was initially believed. According to a report by the BBC, many Gmail and Yahoo Mail accounts have also been compromised. Earthlink, Comcast, and AOL were also affected. While the source of the latest attacks has not been determined, many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail. Microsoft has done their part in blocking all known hijacked Hotmail accounts and created tools to help users who had lost control of their email. An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.' On their end, Google responded to the attacks by forcing password resets on the affected accounts."
  • Wow! (Score:5, Funny)

    by Anonymous Coward on Wednesday October 07, 2009 @01:03PM (#29671613)

    An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.'

    That's amazing. I've got the same combination on my luggage.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      lol

      But seriously, what kind of chickenshit mail server policy even allows that password in the first place?

      OH... hotmail.. enough said...

      • by conureman (748753)

        There not being a whole lot to lose (or any porn that would get me in trouble ;), if my shit gets compromised, I use the same password on everything. (eight letter word, YMMV) Of course, I'm not afraid to format the HDD and re-install the OS when my foolishness catches up with me, and I DO protect my router, as well. The only thing I worry about is if my node became a SPAMBot, but I check my traffic periodically to avoid that. (Ain't happened yet, but I've had to fix my friend's boxes a few times). I do have

        • The problem here is when your account gets hacked your contacts list gets emailed and your contacts get phished. I had two emails the other week supposedly sent from a friend's account to see if I was blocked on MSN by them. The first thing it wanted was my Hotmail account and password.

          I'm not stupid enough to fall for that but I know people (obviously) who are and might trust an email which appears to come from someone they trust.

          • by conureman (748753)

            Not that I'm completely antisocial, but I do not and never have had a contacts list. The only email I receive is from my son's school, and I never click on any unsolicited e-mail. I don't frequent commercial websites either, except for news, and if they give me unwanted popunders they get blocked at the router. I mainly surf on USDA and Forest Service sites, and some Canadian and British Columbia government sites. I seldom encounter problems. I actually average about three SPAM E-mails per month, so it's no

            • I'm a little puzzled; I think we are perhaps divided by a common language. My contacts list is a list of known email contacts with names and associated email addresses stored within my email program. I remember my friends' and family's names, not their email addresses, so when I want to email them I use their name and the software offers the email address associated with them.

              If there are two or more people you email I would consider that a list, perhaps a short one, of contacts.
              I think you must be pretty rare as s

      • by tomhudson (43916)
        My question is "why are they storing email passwords in plaintext"?

        Of course, they're probably not, just comparing the hash values of "$usr_pw" and "12345", but that is also the most common password on voice email boxes.

        One guy up here was convicted - TWICE - for "hacking" into police detectives' voicemail by just randomly dialing extensions, and entering "12345". You'd think after the first conviction, the cops would, you know, CHANGE THEIR FRIGGING PASSWORDS. Even 38258 (FUCK U) would have been bette

        • by netsharc (195805)

          The passwords are in plain text because the script kiddies phished them, and that's the list that got leaked.

        • by eihab (823648)

          On a side note, try dialing numbers like 1-800-F**K-OFF. Last time we checked (party, late at night) they were assigned.

          It could have been any of the following (or more):

          1800-dual-Ned
          1800-dual-med
          1800-dual-nee
          1800-dual-odd
          1800-dual-ode
          1800-dual-off

          Courtesy of http://www.phonespell.org/ [phonespell.org]

      • by shentino (1139071)

        What I don't like is being forced to jump through hoops to remember a password.

        Recently gmail disallowed passwords shorter than 8 characters, and as a result I had to memorize some funky 14-digit number

        • gmail disallowed passwords shorter than 8 characters
          and as a result I had to memorize some funky 14-digit number

          I fail to see the line of reasoning that prevented you from choosing an 8-character password.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Saved by 123456!

      Take that haxor!

  • by objekt (232270) on Wednesday October 07, 2009 @01:05PM (#29671633) Homepage

    With an extra digit for security! ;-)

    • by Biff Stu (654099) on Wednesday October 07, 2009 @01:09PM (#29671667)

      012345

      • Re: (Score:3, Funny)

        012345

        That's why Microsoft thought "12345" was a reasonably secure password - they figured most hacking and phishing attacks would be coming from Linux or BSD boxes, so those people would never think of starting to count with a "1".

      • by DarthVain (724186)

        Don't you mean: 11000000111001 or 3039

      • And I have a real C programmer's password:

        012345&*M%HJOJNVFGPLkoPWHJrcp,k0cY$PO JO9 P[-97 YTJJY93528 [SIGSEGV detected]

    • Re: (Score:2, Interesting)

      by crunch_ca (972937)
      From the FA, the longest password hacked was: "lafaroleratropezoooooooooooooo" (30 characters).

      This was a phishing attack. The strength of the password didn't matter.

      The article talks about analysis of password data and doesn't really point out anything we didn't know already.

    • by ballpoint (192660) on Wednesday October 07, 2009 @01:57PM (#29672175)
      Mine is 123455. I have appended a checksum digit to make sure I don't enter a wrong password by mistake.
  • 12345? (Score:2, Funny)

    by Zortrium (1251080)
    That's the kind of thing an idiot would have on his luggage!
  • by war4peace (1628283) on Wednesday October 07, 2009 @01:07PM (#29671647)
    See, that's why they got their accounts hacked. I use 67890 on all my accounts so I'm sure they'll never get hacked :)
    • As a hypothetical, since length is really what matters, I wonder how long it would take before something like

      01234567890123 or even 0123456789

      would get guessed?

      My experience is that short passwords (less than 7 chars) are the ones that get guessed, even if they are "good" ones that have a mix of letters, number, and punctuation.

      • by jonbryce (703250)

        If Microsoft use NTLM hashes on their server, then even 14 characters won't be good enough.

  • for which definition of many?

    $ grep gmail pwd.txt | wc -l
    25

  • by Random2 (1412773) on Wednesday October 07, 2009 @01:10PM (#29671679) Journal
    This all sounds a bit....phishy to me.
  • by Kadin2048 (468275) on Wednesday October 07, 2009 @01:10PM (#29671685) Homepage Journal

    All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?

    Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.

    • That's all very interesting stuff, but even more importantly: how do I know if I've been affected?
    • Re: (Score:3, Informative)

      by Jeng (926980)

      It was an email saying that one's inbox was too full and to reply with username and password to have the limit increased.

    • by CrossChris (806549) on Wednesday October 07, 2009 @01:58PM (#29672189)

      How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link?

      It's trivially easy - remember, the affected fools were Windows "users". There was a huge spam campaign that sent mails that appeared, to a casual glance, to come from Hotmail. The mails asked users to log in to "Hotmail" using a convenient link in the email, because their account would soon "time out" if it was not used. When they logged in to the spurious website, they were thanked for their prompt action, and then advised to log out and restart their browser "for security", and then to log in to Hotmail again (which, of course, would work normally).

      There's one born every minute.....

      • by jc42 (318812)

        The mails asked users to log in to "Hotmail" using a convenient link in the email, because their account would soon "time out" if it was not used.

        Yeah, and I've been getting phishing messages like that for several years now, at all of my email accounts. So why is it suddenly a big story? Did the MSM reporters just now discover this kind of attack? Or maybe there has been a huge increase in the incidence recently? Or maybe someone at /. just learned about what's been going on for years? I haven't notice

    • From one article which was poorly written I think the plan was this:

      1) From broken email account send to known email connections a note asking to visit cool shopping site
      2) Victim goes to site and keylogger is installed
      3) Sniff userid/password
      4) Go to step 1

      Not much actual phishing here but the article was poorly written and there were hints that they did not really know what was going on, they were just looking at list of broken accounts.

    • by vanyel (28049) * on Wednesday October 07, 2009 @02:34PM (#29672651) Journal

      Saturday, the small ISP I work for had about 1000 users targeted with phishing emails. It's becoming a nearly weekly occurrence, though that was the largest so far. I've had to set up scripts to scan the logs to see who got the messages, send them warning messages, then scan the logs again to see who replied and reset their passwords. In one case, we had a spammer using a responder's account to try to send spam within 2 hours of the response. Squirrelmail is the most common vector, with SMTP auth not uncommon. I've had to impose strict rate limit controls on Squirrelmail to keep from getting blacklisted all the time; I've got monitors to page me when SMTP auth rates get too high, but the false positive rate is too high to impose hard limits at the moment, though we're heading in that direction.

      BTW, it's not a good idea to respond to phishers with "F! off" etc: more than one responder doing that has found their address used shortly thereafter in the From of the next round of spam...

    • by Havokmon (89874)

      All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?

      Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.

      I run an email service, and regularly get emails like this:

      From: Support@MyService
      Subject: Service Upgrade

      Please send your password so we can migrate your account to our new servers..

      Every time it happens I block the sender and recipient addresses, and grep the logs to verify nobody fell for it. If I'm quick enough, it doesn't matter, but people have fallen for it before I see the fake email.

      Rick
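The log-correlation routine that vanyel and Havokmon describe above (find who received the phishing mail, then who wrote back to the phisher, and catch a hijacked account that starts sending in bulk), as an added example that is not either poster's own script. The log format, addresses and thresholds are constructed for illustration, not any real MTA's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not any real MTA's output): "<ISO timestamp> <in|out> from=<addr> to=<addr>".
# 'in' = delivered to a local mailbox, 'out' = sent by a local user (webmail or SMTP AUTH).
SAMPLE_LOG = """\
2009-10-03T08:12:01 in from=support@mail-upgrade.example to=alice@isp.example
2009-10-03T08:12:02 in from=support@mail-upgrade.example to=bob@isp.example
2009-10-03T08:12:03 in from=support@mail-upgrade.example to=carol@isp.example
2009-10-03T08:30:44 out from=alice@isp.example to=dave@other.example
2009-10-03T09:05:10 out from=bob@isp.example to=support@mail-upgrade.example
2009-10-03T10:41:59 out from=carol@isp.example to=reply@mail-upgrade.example
2009-10-03T11:00:00 out from=bob@isp.example to=v1@other.example
2009-10-03T11:00:01 out from=bob@isp.example to=v2@other.example
2009-10-03T11:00:02 out from=bob@isp.example to=v3@other.example
"""
PHISHER_ADDRS = {"support@mail-upgrade.example", "reply@mail-upgrade.example"}  # constructed
LINE_RE = re.compile(r"^(\S+) (in|out) from=(\S+) to=(\S+)$")

def parse_log(text):
    """Return (timestamp, direction, sender, recipient) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return records

def phish_recipients(records, phisher_addrs):
    """Local mailboxes that received the phishing mail: the users to warn."""
    return {rcpt for _, d, snd, rcpt in records if d == "in" and snd in phisher_addrs}

def phish_responders(records, phisher_addrs):
    """Local users who wrote back to a phisher address: treat their credentials as lost."""
    return {snd for _, d, snd, rcpt in records if d == "out" and rcpt in phisher_addrs}

def burst_senders(records, window=timedelta(minutes=5), threshold=2):
    """Accounts sending more than `threshold` messages inside `window`: likely hijacked."""
    sent = defaultdict(list)
    for ts, d, snd, _ in records:
        if d == "out":
            sent[snd].append(ts)
    flagged = set()
    for snd, times in sent.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(snd)
                break
    return flagged

def triage(log_text, phisher_addrs):
    """'warn': got the mail, no reply seen; 'reset': replied or started bulk sending."""
    recs = parse_log(log_text)
    responders = phish_responders(recs, phisher_addrs) | burst_senders(recs)
    warn = phish_recipients(recs, phisher_addrs) - responders
    return {"warn": sorted(warn), "reset": sorted(responders)}
```

On the sample log, alice only receives the mail and is warned, carol replies to the phisher, and bob both replies and then sends three messages in two seconds, so both land on the reset list.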

    • This might be related [rvdh.ath.cx], seems you can generate emails that appear to come from Google's own mail servers by altering a regular old URL. From there it's a short step to include a phishing site in the body of the email asking the user to verify his account details, or whatever. Maybe other webmail services have similar links.

      I saw the Hotmail version of this phishing mail yesterday, it looks like it comes from an @live.ca address and asks the receiver to verify his account details at a link included in the
  • Ban them. (Score:4, Insightful)

    by Magrovsky (883765) on Wednesday October 07, 2009 @01:30PM (#29671881)
    People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.
    • by Killer Orca (1373645) on Wednesday October 07, 2009 @01:34PM (#29671941)

      People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.

      Hey I play with my purple internet buddy each time I go on the computer and have never hurt myself or anyone else!

    • by ibsteve2u (1184603) on Wednesday October 07, 2009 @01:44PM (#29672041)

      People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves.

      Didn't they use to call that "AOL"?

    • Re: (Score:3, Insightful)

      by rocketPack (1255456)
      Something tells me that the majority of these accounts were probably never really used. They are probably throw-away emails, created to get that "One day free pass" to various porn sites, or as general spam-traps.

      I think it ought to be policy that derelict accounts, ESPECIALLY those which have weak passwords, be 'locked' after a period of inactivity. Reactivation could be accomplished with, say, a series of difficult CAPTCHAs so the account is always able to be 'revived' but not hijacked like this.

      It just
      • by CCFreak2K (930973)
        As AC put it earlier (and got a 0 for it), phishing means everyone listed actually used their e-mail accounts at the time. What you're thinking of is if the databases of these services were somehow cracked...which is not the case.
    • Re: (Score:3, Insightful)

      by ignavus (213578)

      But the problem wasn't their passwords. The problem was that they clicked on a bad link, went to a dangerous site, and typed in their password.

      Their password could have been the most ueber-elite 32 unicode-character password containing symbols from 5 different writing systems. It wouldn't have mattered.

      Give a technological idiot a perfect password, and they will hand it over to the first social engineering attack they meet.

  • Is why it's a "leak" if phishing was the method used to acquire the list. Or why it's still referred to as a "bug". Some sort of bug in the Human OS, right near the gullibility logic loop?

  • ...many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail.

    Phishing is not a "bug". A bug would mean this was some Microsoft developer's fault. There is nothing a developer can do to prevent someone from conning someone else into giving up their password.

    • by jonbryce (703250)

      Their spam filter could do a better job of catching emails that purportedly come from Microsoft but didn't come from their servers.

  • The PC Pro article linked to in the summary misquoted its own source. It claims that "12345" is the most common password, however the source it links to actually shows "123456" as the most common password. "12345" doesn't even make the list.

    There really aren't that many users using those "common" passwords. Only 82 users use the top two passwords, which make up only 0.8% of all the passwords in the list. Only 1.56% of the accounts used a top-10 password.

    The rest of the information at the Acunetix link is qu

    • I wonder how many of the phished credentials were users with a clue entering bogus credentials just to fuck with whoever was trying to scam accounts. It doesn't appear that the phishing page tried to verify that the passwords were valid (much less correct).

  • 31415 (Score:5, Funny)

    by bzzfzz (1542813) on Wednesday October 07, 2009 @02:42PM (#29672793)
    News Flash: 10,000 Slashdot accounts compromised in phishing scam. Most common passwords were 31415 and 0xdecafbad.

    Affected users have been placed on an isolated network where they can't do anything but post whinges about Microsoft and Apple to a web server that runs SSL using a self-signed certificate and actually follows the RFCs.

    • by neurovish (315867)

      News Flash: 10,000 Slashdot accounts compromised in phishing scam. Most common passwords were 31415 and 0xdecafbad.

      Affected users have been placed on an isolated network where they can't do anything but post whinges about Microsoft and Apple to a web server that runs SSL using a self-signed certificate and actually follows the RFCs.

      The slashdot crowd is supposed to be very US centric though...we would never "whinge" about anything.

    • by Karellen (104380)

      There's a version of /. that only contains the interesting stories and actually follows the RFCs?!? How do I sign up without changing my passphrase to something less than 40 characters?

  • Where are "sex", "secret", and "god"? Even love only makes a cameo at #17 in "iloveyou"
  • Perhaps this is the reason that sometime during lunch, my employer (A well known NNSA National Laboratory in New Mexico) blocked access to all things Google, including Gmail, Blogspot, and the Google search engine itself?
