Slashdot Mirror

← Back to Stories (view on slashdot.org)

Massive Phishing Campaign Hits Multiple Email Services

Posted by Soulskill on from the nowhere-to-run-to-baby dept.

nandemoari writes "It seems as if the massive phishing campaign reported yesterday was not specific to Hotmail, as was initially believed. According to a report by the BBC, many Gmail and Yahoo Mail accounts have also been compromised. Earthlink, Comcast, and AOL were also affected. While the source of the latest attacks has not been determined, many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail. Microsoft has done their part in blocking all known hijacked Hotmail accounts and created tools to help users who had lost control of their email. An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.' On their end, Google responded to the attacks by forcing password resets on the affected accounts."

38 of 183 comments (clear)

  1. Wow! by Anonymous Coward · · Score: 5, Funny

    An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.'

    That's amazing. I've got the same combination on my luggage.

    1. Re:Wow! by Anonymous Coward · · Score: 3, Insightful

      lol

      But seriously, what kind of chickenshit mail server policy even allows that password in the first place?

      OH... hotmail.. enough said...

    2. Re:Wow! by Anonymous Coward · · Score: 2, Funny

      Saved by 123456!

      Take that haxor!

    3. Re:Wow! by jpmorgan · · Score: 3, Insightful

      I'm sure most /.ers actually filled that part in mentally when they read the summary.

    4. Re:Wow! by Havokmon · · Score: 2, Funny

      So he top posted. How appropriate.

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
    5. Re:Wow! by clone53421 · · Score: 4, Informative

      From the blog of the guy who actually did the research, I'm deducing that those probably weren't valid password.

      An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin.

      ...Even more, the phishing kit used most probably was badly designed, since it was one that didnâ(TM)t further authenticated the users to the Hotmail/Live website. I think it just returned an error message after grabbing the credentials.

        * The list initially contained 10,028 entries.
        * After I've cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).
        * There are 8931 (90%) unique passwords in the list.
        * The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
        * The shortest password was 1 char long : )

      In other words, the phishing scheme didn't bother to verify that the passwords were any good. Heck, it didn't even verify that a password was entered (he did say he cleared out all the username/no password entries). Not surprisingly, it also didn't make sure the password was of the proper length to be valid (this would have kicked out all the empty string passwords anyway).

      tl;dr: dumb people clicked the phishing link and entered their passwords. Smart people clicked the link and entered garbage. Garbage = bad data, which is what he ended up finding. (Seriously... I'm sure there are other people here who would knowingly go to the phishing page and deliberately enter garbage just to screw with the dicks who are trying to scam accounts.)

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  2. HA! My password is 123456 by objekt · · Score: 4, Funny

    With an extra digit for security! ;-)

    --
    -- Boycott Shell
    1. Re:HA! My password is 123456 by crunch_ca · · Score: 2, Interesting
      From the FA, the longest password hacked was: "lafaroleratropezoooooooooooooo" (30 characters).

      This was a phishing attack. The strength of the password didn't matter.

      The article talks about analysis of password data and doesn't really point out anything we didn't know already.

    2. Re:HA! My password is 123456 by ballpoint · · Score: 4, Funny

      Mine is 123455. I have appended a checksum digit to make sure I don't enter a wrong password by mistake.

      --
      Flourescent (adj): smelling like ground wheat.
  3. 12345? by Zortrium · · Score: 2, Funny

    That's the kind of thing an idiot would have on his luggage!

    1. Re:12345? by FJGreer · · Score: 2, Funny

      But that's what's on my luggage!

      --
      Behold! Uh, what was I going to say?
  4. Strong password by war4peace · · Score: 3, Funny

    See, that's why they got their accounts hacked. I use 67890 on all my accounts so I'm sure they'll never get hacked :)

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  5. I have a real programmer's password by Biff+Stu · · Score: 4, Funny

    012345

    1. Re:I have a real programmer's password by 93+Escort+Wagon · · Score: 2, Funny

      012345

      That's why Microsoft thought "12345" was a reasonably secure password - they figured most hacking and phishing attacks would be coming from Linux or BSD boxes, so those people would never think of starting to count with a "1".

      --
      #DeleteChrome
  6. I don't know.... by Random2 · · Score: 4, Funny

    This all sounds a bit....phishy to me.

    --
    "Our goal each year should be to increase the number of goals we set for ourselves!"
  7. Where are the details? by Kadin2048 · · Score: 5, Insightful

    All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?

    Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Where are the details? by John+Hasler · · Score: 3, Funny

      > ...how do I know if I've been affected?

      Are you a fool? If not you are ok.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Where are the details? by royallthefourth · · Score: 3, Insightful

      > ...how do I know if I've been affected?

      Are you a fool? If not you are ok.

      If the source is something like DNS poisoning, then it's not that simple. I already know my ISP to be a bunch of fools, but I have little choice in that matter.

    3. Re:Where are the details? by MeBot · · Score: 2, Insightful

      Your advice is not helpful. What percentage of fools think they are fools?

    4. Re:Where are the details? by Jeng · · Score: 2, Informative

      It was an email saying that ones inbox was too full and to reply with username and password to have the limit increased.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    5. Re:Where are the details? by jim_v2000 · · Score: 4, Funny

      Ah, but only a great fool would fall for such an attack, and I am no great fool, so clearly I cannot click the link. But you must know that I am no great fool and thus I cannot not click the link....

      --
      Don't take life so seriously. No one makes it out alive.
    6. Re:Where are the details? by CrossChris · · Score: 5, Informative

      How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link?

      It's trivially easy - remember, the affected fools were Windows "users". There was a huge spam campaign that sent mails that appeared to a casual glance, to come from Hotmail. The mails asked users to log in to "Hotmail" using a convenient link in the email, because their account would soon "time out" if it was not used. When they logged in to the spurious website, they were thanked for their prompt action, and then advised to log out and restart their browser "for security", and then to log in to Hotmail again (which, of course, would work normally).

      There's one born every minute.....

    7. Re:Where are the details? by vanyel · · Score: 4, Interesting

      Saturday, the small ISP I work for had about 1000 users targeting with phishing emails. It's becoming a nearly weekly occurrence, though that was the largest so far. I've had to setup scripts to scan the logs to see who got the messages, send them warning messages, then scan the logs again to see who replied and reset their passwords. In one case, we had a spammer using a responder's account to try to send spam within 2 hours of the response. Squirrelmail is the most common vector, with smtp auth not uncommon. I've had to impose strict rate limit controls on squirrelmail to keep from getting blacklisted all the time; I've got monitors to page me when smtp auth rates get too high, but the false positive rate is to high to impose hard limits at the moment, though we're heading in that direction.

      BTW, it's not a good idea to respond to phishers with "F! off" etc: more than one responder doing that has found their address used shortly thereafter in the From of the next round of spam...

  8. Remind me by Dareth · · Score: 4, Funny

    "Remind me to change the password on my luggage!"

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  9. Ban them. by Magrovsky · · Score: 4, Insightful

    People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.

    1. Re:Ban them. by Killer+Orca · · Score: 3, Funny

      People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.

      Hey I play with my purple internet buddy each time I go on the computer and have never hurt myself or anyone else!

    2. Re:Ban them. by ibsteve2u · · Score: 5, Funny

      People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves.

      Didn't they use to call that "AOL"?

      --
      Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
    3. Re:Ban them. by rocketPack · · Score: 2, Insightful

      Something tells me that the majority of these accounts were probably never really used. They are probably throw-away emails, created to get that "One day free pass" to various porn sites, or as general spam-traps.

      I think it ought to be policy that derelict accounts, ESPECIALLY those which have weak passwords, be 'locked' after a period of inactivity. Reactivation could be accomplished with, say, a series of difficult CAPTCHAs so the account is always able to be 'revived' but not hijacked like this.

      It just seems irresponsible to have such a lack of control over these kinds of things...

    4. Re:Ban them. by ignavus · · Score: 2, Insightful

      But the problem wasn't their passwords. The problem was that they clicked on a bad link, went to a dangerous site, and typed in their password.

      Their password could have been the most ueber-elite 32 unicode-character password containing symbols from 5 different writing systems. It wouldn't have mattered.

      Give a technological idiot a perfect password, and they will hand it over to the first social engineering attack they meet.

      --
      I am anarch of all I survey.
  10. Re:Preaching to the church by TheRaven64 · · Score: 4, Interesting
    For your example, you might consider using a park that has some significance to you and capitalise the proper nouns, and numbers that actually make sense, to get something that is easier to remember. For example:

    'Ten minutes to Central Park, and eat pretzels' becomes 10mtCP,&ep, which is trivial to remember for you (well, it is if you live ten minutes from Central Park and like pretzels). Keeping the punctuation in doesn't make it any harder to remember but adds another non-alphnumeric character. And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember, turns in to a ten symbol password, containing letters (upper and lowercase) and punctuation, which is incredibly difficult to brute force.

    --
    I am TheRaven on Soylent News
  11. Re:Top 20 Passwords by Teun · · Score: 2, Interesting

    Which tells me there is an unusual number of Latino users among the 10K.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  12. Re:Preaching to the church by clone53421 · · Score: 4, Informative

    And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember,

    Real grammar nazis also know that it wasn't a sentence.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  13. Re:Unencrypted passwords? by 4D6963 · · Score: 2, Informative

    Huh??? I thought that was collected by phishing? Yeah, sorry for getting in the way of your ritual MS bashing, but it's something that can affect any service since it's essentially social engineering. Kind of.

    --
    You just got troll'd!
  14. Re:Preaching to the church by Anonymous Coward · · Score: 2, Funny

    Real grammar nazis also know that it wasn't a sentence.

    I love you. Will you marry an anonymous coward?

  15. Re:Preaching to the church by clone53421 · · Score: 2, Funny

    Your Relationship with Anonymous Coward (666)
    Sorry, this is not an option.

    Doesn't look like it. Sorry.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  16. Re:Preaching to the church by TheRaven64 · · Score: 2, Interesting

    With the Psion Series 3, you could enter characters by their ASCII code (no unicode, this was 1993) by holding down a modifier. I thought this would be great for a password; no one would ever guess that they had to hold down a modifier while entering some digits in the middle of the password. It turned out that the password entry box in the settings pane did, indeed, allow this kind of thing. Unfortunately, the first time I locked the device afterwards, I discovered that the password entry box for unlocking did not. That said, I haven't come across anything for a long time that didn't allow upper and lower case and numeric fields (although some discarded the case information). A few don't allow non-alphanumerics, but it's easy to just omit them from the passwords for those sites.

    --
    I am TheRaven on Soylent News
  17. 31415 by bzzfzz · · Score: 5, Funny
    News Flash: 10,000 Slashdot accounts compromised in phishing scam. Most common passwords were 31415 and 0xdecafbad.

    Affected users have been placed on an isolated network where they can't do anything but post whinges about Microsoft and Apple to a web server that runs SSL using a self-signed certificate and actually follows the RFCs.

  18. Re:What I don't get... by John+Hasler · · Score: 2, Funny

    > The fact that it's a free email account shouldn't mean you're allowed to set
    > your password to *anything* you want.

    And one of the things you should not be able to set it to is anything anyone else has already used. In other words, on these systems passwords should be unique.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.