Mail-Jacking Scheme Reported

Tuesday May 22, 2012

	Mail-Jacking Scheme Reported by Rich Wednesday, October 07, 2009 at 10:07 PM EDT On Monday, we began to hear reports that a large number of Microsoft Windows Live / Hotmail Web E-mail accounts had been compromised. This was subsequently confirmed by Microsoft: Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. … As of 3pm PT: We want to provide a quick update, that as a result of our investigation we are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts. On Tuesday, it became apparent that this phishing attack had not just targeted Hotmail. The BBC reported that other online E-mail services, including those of AOL, Yahoo!, and Google, were also affected: Google’s web-based e-mail system, Gmail, has been targeted as part of an “industry-wide phishing scheme”. The firm said that it had immediately safeguarded the affected accounts. BBC News has seen two lists that detail more than 30,000 names and passwords from e-mail providers, including Yahoo and AOL, which were posted online. The attack does not appear to have breached the security of any of the services directly; rather, it used E-mails and other messages to direct users to malicious Web sites that were set up to look like the genuine E-mail sites, but actually were meant to steal users’ passwords and other login credentials. These tricks are essentially so-called “social engineering” attacks: they work by tricking the user, not by exploiting a technical vulnerability. As such, they are preventable if users are appropriately cautious. Here are some DOs and DON’Ts from the SANS Institute: Do change your passwords on a regular basis (every six months or so) Do use long complex pass-phrases rather than passwords where you can Do change all of your passwords if you notice something suspicious Do take identity theft seriously Do use up-to-date anti-virus and a firewall Do NOT click on links in emails, ever Do NOT use the same password at multiple sites An astonishing number of users still have very silly, easily guessed passwords. For example, the security firm Acunetix did an analysis of the leaked Hotmail passwords; the most common was ‘123456′. Brian Krebs of the Washington Post, in his “Security Fix” blog, has an article about this incident with some further good advice on choosing and managing passwords. This article originally appeared on Rich's Random Walks.
Home \| Masthead \| Archive \| RSS Feed \| RSS-Spec \| Published by World Readable

by Rich

Wednesday, October 07, 2009 at 10:07 PM EDT

This article originally appeared on Rich's Random Walks.