Massive Phishing Campaign Hits Multiple Email Services

nandemoari writes "It seems as if the massive phishing campaign reported yesterday was not specific to Hotmail, as was initially believed. According to a report by the BBC, many Gmail and Yahoo Mail accounts have also been compromised. Earthlink, Comcast, and AOL were also affected. While the source of the latest attacks has not been determined, many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail. Microsoft has done their part in blocking all known hijacked Hotmail accounts and created tools to help users who had lost control of their email. An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.' On their end, Google responded to the attacks by forcing password resets on the affected accounts."

Re:Wow!

[Yvan256]

You destroyed the joke thread by starting at the end.

You should have started with "1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"

Where are the details?

[Kadin2048]

All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?

Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.

Re:Where are the details?

[royallthefourth]

> ...how do I know if I've been affected?

Are you a fool? If not you are ok.

If the source is something like DNS poisoning, then it's not that simple. I already know my ISP to be a bunch of fools, but I have little choice in that matter.

Re:Where are the details?

[MeBot]

Your advice is not helpful. What percentage of fools think they are fools?

Re:Wow!

lol

But seriously, what kind of chickenshit mail server policy even allows that password in the first place?

OH... hotmail.. enough said...

Preaching to the church

[HNS-I]

I know I'm preaching to the church but a good way to make a password is to make up a sentence and take each first letter, convert some to capitals and numbers and you will never ever forget it.

It is like a walk in the park. iilawitp iiLawitp iiL4wi7p voila!

Ban them.

[Magrovsky]

People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.

Re:Ban them.

[rocketPack]

Something tells me that the majority of these accounts were probably never really used. They are probably throw-away emails, created to get that "One day free pass" to various porn sites, or as general spam-traps.

I think it ought to be policy that derelict accounts, ESPECIALLY those which have weak passwords, be 'locked' after a period of inactivity. Reactivation could be accomplished with, say, a series of difficult CAPTCHAs so the account is always able to be 'revived' but not hijacked like this.

It just seems irresponsible to have such a lack of control over these kinds of things...

Re:Ban them.

[ignavus]

But the problem wasn't their passwords. The problem was that they clicked on a bad link, went to a dangerous site, and typed in their password.

Their password could have been the most ueber-elite 32 unicode-character password containing symbols from 5 different writing systems. It wouldn't have mattered.

Give a technological idiot a perfect password, and they will hand it over to the first social engineering attack they meet.

Re:Wow!

[jpmorgan]

I'm sure most /.ers actually filled that part in mentally when they read the summary.