Slashdot Mirror


Massive Phishing Campaign Hits Multiple Email Services

nandemoari writes "It seems as if the massive phishing campaign reported yesterday was not specific to Hotmail, as was initially believed. According to a report by the BBC, many Gmail and Yahoo Mail accounts have also been compromised. Earthlink, Comcast, and AOL were also affected. While the source of the latest attacks has not been determined, many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail. Microsoft has done their part in blocking all known hijacked Hotmail accounts and created tools to help users who had lost control of their email. An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.' On their end, Google responded to the attacks by forcing password resets on the affected accounts."

16 of 183 comments

  1. Wow! by Anonymous Coward · · Score: 5, Funny

    An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.'

    That's amazing. I've got the same combination on my luggage.

    1. Re:Wow! by clone53421 · · Score: 4, Informative

      From the blog of the guy who actually did the research, I'm deducing that those probably weren't valid passwords.

      An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin.

      ...Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail/Live website. I think it just returned an error message after grabbing the credentials.

        * The list initially contained 10,028 entries.
        * After I've cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).
        * There are 8931 (90%) unique passwords in the list.
        * The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
        * The shortest password was 1 char long : )

      In other words, the phishing scheme didn't bother to verify that the passwords were any good. Heck, it didn't even verify that a password was entered (he did say he cleared out all the username/no password entries). Not surprisingly, it also didn't make sure the password was of the proper length to be valid (this would have kicked out all the empty string passwords anyway).

      tl;dr: dumb people clicked the phishing link and entered their passwords. Smart people clicked the link and entered garbage. Garbage = bad data, which is what he ended up finding. (Seriously... I'm sure there are other people here who would knowingly go to the phishing page and deliberately enter garbage just to screw with the dicks who are trying to scam accounts.)

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
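Added example (not from the thread, and not the blogger's own script): a small Python routine that does the kind of clean-up and counting the quoted blog post describes on a "username:password" dump, dropping entries with no password, then reporting total, unique count, most common passwords, and the longest and shortest entries. The dump below is constructed for illustration and contains no real credentials; the optional maximum length is a caller-supplied assumption since the page does not state Hotmail's limits.

```python
from collections import Counter

# Constructed sample in the "username:password" form described for the
# PasteBin dump. Nothing here is a real account or password.
SAMPLE_DUMP = """\
alice@hotmail.example:12345
bob@hotmail.example:
carol@hotmail.example:123456
dave@hotmail.example:12345
erin@hotmail.example:)
frank@hotmail.example:lafaroleratropezoooooooooooooo
grace@hotmail.example:asdfghjkl;'
malformed line without separator
"""


def parse_dump(text):
    """Split each line on the first ':' into (username, password).

    Lines with no separator are skipped. The password part may be empty,
    which is exactly the kind of entry the clean-up step removes."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        user, password = line.split(":", 1)
        entries.append((user.strip(), password))
    return entries


def clean_entries(entries, min_len=1, max_len=None):
    """Drop entries whose password is shorter than min_len (default: empty ones)
    or, if max_len is given, longer than the provider's limit. max_len is an
    assumption the caller supplies; the page does not give the real limit."""
    kept = []
    for user, password in entries:
        if len(password) < min_len:
            continue
        if max_len is not None and len(password) > max_len:
            continue
        kept.append((user, password))
    return kept


def password_stats(entries):
    """Summary statistics of the kind quoted in the comment above."""
    passwords = [p for _, p in entries]
    counts = Counter(passwords)
    return {
        "total": len(passwords),
        "unique": len(counts),
        "unique_pct": round(100 * len(counts) / len(passwords)),
        "most_common": counts.most_common(3),
        "longest": max(passwords, key=len),
        "shortest": min(passwords, key=len),
    }


if __name__ == "__main__":
    cleaned = clean_entries(parse_dump(SAMPLE_DUMP))
    for key, value in password_stats(cleaned).items():
        print(f"{key}: {value}")
```

Run on the constructed sample it keeps 6 of 7 parsed entries and reports "12345" as the most common password; the point of the `unique_pct` figure is the one clone53421 makes: a list that is 90% unique with junk like ")" in it looks more like unverified form submissions than a set of working credentials.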
  2. HA! My password is 123456 by objekt · · Score: 4, Funny

    With an extra digit for security! ;-)

    --
    -- Boycott Shell
    1. Re:HA! My password is 123456 by ballpoint · · Score: 4, Funny

      Mine is 123455. I have appended a checksum digit to make sure I don't enter a wrong password by mistake.

      --
      Flourescent (adj): smelling like ground wheat.
  3. I have a real programmer's password by Biff+Stu · · Score: 4, Funny

    012345

  4. I don't know.... by Random2 · · Score: 4, Funny

    This all sounds a bit....phishy to me.

    --
    "Our goal each year should be to increase the number of goals we set for ourselves!"
  5. Where are the details? by Kadin2048 · · Score: 5, Insightful

    All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?

    Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Where are the details? by jim_v2000 · · Score: 4, Funny

      Ah, but only a great fool would fall for such an attack, and I am no great fool, so clearly I cannot click the link. But you must know that I am no great fool and thus I cannot not click the link....

      --
      Don't take life so seriously. No one makes it out alive.
    2. Re:Where are the details? by CrossChris · · Score: 5, Informative

      How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link?

      It's trivially easy - remember, the affected fools were Windows "users". There was a huge spam campaign that sent mails that appeared to a casual glance, to come from Hotmail. The mails asked users to log in to "Hotmail" using a convenient link in the email, because their account would soon "time out" if it was not used. When they logged in to the spurious website, they were thanked for their prompt action, and then advised to log out and restart their browser "for security", and then to log in to Hotmail again (which, of course, would work normally).

      There's one born every minute.....

    3. Re:Where are the details? by vanyel · · Score: 4, Interesting

      Saturday, the small ISP I work for had about 1000 users targeted with phishing emails. It's becoming a nearly weekly occurrence, though that was the largest so far. I've had to set up scripts to scan the logs to see who got the messages, send them warning messages, then scan the logs again to see who replied and reset their passwords. In one case, we had a spammer using a responder's account to try to send spam within 2 hours of the response. Squirrelmail is the most common vector, with smtp auth not uncommon. I've had to impose strict rate limit controls on squirrelmail to keep from getting blacklisted all the time; I've got monitors to page me when smtp auth rates get too high, but the false positive rate is too high to impose hard limits at the moment, though we're heading in that direction.

      BTW, it's not a good idea to respond to phishers with "F! off" etc: more than one responder doing that has found their address used shortly thereafter in the From of the next round of spam...
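Added example, not vanyel's scripts: a Python sketch of the three log passes described in the comment above. It finds local users who received mail from the phishing sender, finds which of them later sent a reply to that address (candidates for a password reset and a warning), and flags accounts whose authenticated submissions burst past a per-hour threshold, the signal that a hijacked account has started relaying spam. The log format and the addresses are constructed for this example; a real mail log (Postfix, Exim, the webmail's own log) would need its own parser but the same three passes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a simplified format invented for this example.
# "in" lines are inbound deliveries, "out" lines are authenticated submissions.
SAMPLE_LOG = """\
Oct 06 08:12:01 mail in: from=<account-verify@phish.example> to=<alice@isp.example> status=delivered
Oct 06 08:12:02 mail in: from=<account-verify@phish.example> to=<bob@isp.example> status=delivered
Oct 06 08:12:03 mail in: from=<news@shop.example> to=<carol@isp.example> status=delivered
Oct 06 09:40:15 mail out: sasl_user=bob@isp.example to=<account-verify@phish.example>
Oct 06 10:02:44 mail out: sasl_user=carol@isp.example to=<friend@other.example>
Oct 06 11:20:00 mail out: sasl_user=bob@isp.example to=<v1@other.example>
Oct 06 11:21:00 mail out: sasl_user=bob@isp.example to=<v2@other.example>
Oct 06 11:22:00 mail out: sasl_user=bob@isp.example to=<v3@other.example>
Oct 06 11:23:00 mail out: sasl_user=bob@isp.example to=<v4@other.example>
Oct 06 11:24:00 mail out: sasl_user=bob@isp.example to=<v5@other.example>
"""

PHISHER = "account-verify@phish.example"  # the campaign's sender/reply address (constructed)

LINE_RE = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d) mail (in|out): (.*)$")
KV_RE = re.compile(r"(\w+)=<?([^\s>]+)>?")


def parse_log(text, year=2009):
    """Return (timestamp, direction, fields) per line; syslog-style lines carry
    no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), dict(KV_RE.findall(m.group(3)))))
    return events


def phished_recipients(events, phisher):
    """Pass 1: local users who were delivered mail from the phishing sender."""
    return {f["to"] for _, d, f in events if d == "in" and f.get("from") == phisher}


def responders(events, phisher, recipients):
    """Pass 2: those recipients who then sent mail back to the phisher."""
    return {f["sasl_user"] for _, d, f in events
            if d == "out" and f.get("to") == phisher and f.get("sasl_user") in recipients}


def submission_bursts(events, limit, window=timedelta(hours=1)):
    """Pass 3: accounts with at least `limit` authenticated submissions inside
    any sliding `window`; the threshold is where the false-positive trade-off lives."""
    per_user = defaultdict(list)
    for ts, d, f in events:
        if d == "out" and "sasl_user" in f:
            per_user[f["sasl_user"]].append(ts)
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if i - start + 1 >= limit:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    got = phished_recipients(ev, PHISHER)
    print("warn:", sorted(got))
    print("reset:", sorted(responders(ev, PHISHER, got)))
    print("rate alert:", sorted(submission_bursts(ev, limit=5)))
```

On the constructed log, alice and bob get the warning, bob is the one to reset, and bob's five submissions in four minutes trip the rate alert; carol, who only received a newsletter and sent one message, is untouched by all three passes.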

  6. Remind me by Dareth · · Score: 4, Funny

    "Remind me to change the password on my luggage!"

    --
    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  7. Ban them. by Magrovsky · · Score: 4, Insightful

    People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.

    1. Re:Ban them. by ibsteve2u · · Score: 5, Funny

      People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves.

      Didn't they use to call that "AOL"?

      --
      Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
  8. Re:Preaching to the church by TheRaven64 · · Score: 4, Interesting
    For your example, you might consider using a park that has some significance to you and capitalise the proper nouns, and numbers that actually make sense, to get something that is easier to remember. For example:

    'Ten minutes to Central Park, and eat pretzels' becomes 10mtCP,&ep, which is trivial to remember for you (well, it is if you live ten minutes from Central Park and like pretzels). Keeping the punctuation in doesn't make it any harder to remember but adds another non-alphanumeric character. And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember, turns into a ten symbol password, containing letters (upper and lowercase) and punctuation, which is incredibly difficult to brute force.

    --
    I am TheRaven on Soylent News
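Added example, not TheRaven64's: a Python function that applies the transformation described in the comment above (first letter of each word, case preserved, number words as digits, "and" as "&", trailing punctuation kept), plus a naive keyspace estimate for the result. The "at" → "@" substitution is an assumption added for illustration; only "and" → "&" comes from the comment. The estimate is the raw character-class search space; the caveat a defender should keep in mind is that the phrase itself is the real secret, so a guesser who works from common sentences faces far fewer candidates than the figure suggests.

```python
import math
import string

NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
                "ten": "10"}
# "and" -> "&" is from the comment; "at" -> "@" is an added assumption.
WORD_SYMBOLS = {"and": "&", "at": "@"}


def mnemonic(phrase):
    """Turn a memorable phrase into its initial-letter password."""
    out = []
    for token in phrase.split():
        core = token.strip(string.punctuation)
        # Punctuation hanging off the end of a word is kept, as in "Park," -> "P,"
        trailing = token[len(token.rstrip(string.punctuation)):]
        if not core:
            out.append(token)
            continue
        key = core.lower()
        if key in NUMBER_WORDS:
            out.append(NUMBER_WORDS[key])
        elif key in WORD_SYMBOLS:
            out.append(WORD_SYMBOLS[key])
        else:
            out.append(core[0])  # keeps the capital on proper nouns
        out.append(trailing)
    return "".join(out)


def naive_keyspace_bits(password):
    """log2 of the brute-force search space over the character classes used:
    26 lower, 26 upper, 10 digits, 32 punctuation (space excluded). This is an
    upper bound; a phrase-derived password's real entropy is that of the phrase."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size)


if __name__ == "__main__":
    for phrase in ["Ten minutes to Central Park, and eat pretzels", "12345"]:
        pw = mnemonic(phrase) if " " in phrase else phrase
        print(f"{phrase!r} -> {pw!r}: {naive_keyspace_bits(pw):.1f} bits (naive)")
```

The example phrase comes out as exactly the `10mtCP,&ep` in the comment, at roughly 65 bits under the naive count versus about 17 bits for the five-digit "12345" from the story; the gap is real, but the naive figure is only reached if the attacker does not know the password was built from an English sentence.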
  9. Re:Preaching to the church by clone53421 · · Score: 4, Informative

    And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember,

    Real grammar nazis also know that it wasn't a sentence.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  10. 31415 by bzzfzz · · Score: 5, Funny
    News Flash: 10,000 Slashdot accounts compromised in phishing scam. Most common passwords were 31415 and 0xdecafbad.

    Affected users have been placed on an isolated network where they can't do anything but post whinges about Microsoft and Apple to a web server that runs SSL using a self-signed certificate and actually follows the RFCs.