Supposed HotMail Accounts Compromise

[Farelf]

Thanks to "Ed Metcalfe", grc.techtalk for the heads-up:

http://news.bbc.co.uk/2/hi/technology/8291268.stm

...Thousands of accounts on web-based e-mail system Hotmail have been compromised in a phishing attack, software giant Microsoft has confirmed.

BBC News has seen a list of more than 10,000 e-mail accounts, predominantly originating from Europe, and passwords which were posted online. ... The list included details of Microsoft's Windows Live Hotmail accounts with email addresses ending hotmail.com, msn.com and live.com. ...

The list of 10,000 was merely of those with names beginning with the letters A and B. It included their passwords. The implication is there is probably a complete list out there somewhere.

[Geek]

OUCH!

Glad I don't use that service.

Cheers!

[Farelf]

...Glad I don't use that service.

Yes, but it can happen to anyone who replies to phishing mails or downloads trojan loaders, key loggers, etc . But publishing the list on the internet is a little 'different' to the way things usually go. At least that provides a 'heads up' to HotMail (etc.) users. Sort of. That leaves the rest of us and I wonder how confident we can be that it was 'only' HotMail targeted? More on the HotMail situation:

More at: http://www.theregister.co.uk/2009/10/05/ho...sswords_leaked/

Caches of the A-B list were available fairly briefly widely the internet, some of those are gone now - but others remain. Seems the list was originally posted in pastebin.com which seems straight enough (just misused?).

It is always a bit useful to search for your own email address on the internet - one never knows without looking...

[Miss Betsy]

Out of curiosity, I checked my email accounts. One hotmail account that was established in 2002 has one spamcop entry. It was going to be a throwaway account, but when I discovered how to post with an invalid email address, I stopped using it. It didn't get any spam either (except when I mentioned it in a post when someone immediately sent a spam!) so I have continued to use it. When the spam spiked a few months ago, there were a few 419s to it. I also have another one that was used deliberately for manual reports to spammers in case I got the spammer himself - which I did on a couple of occasions. I could not convince one organization that I did not want my email address published on the web so now that's my 'online' account. Before hotmail got a handle of filters, it had an incredible volume of spam and still gets some almost every day. I have a transfer/forward hotmail account that is not published anywhere and neither is my isp email account. And then, there is my Red Cross account - it has almost a page of entries because I don't know how to publish it without being scraped.

Of course, since I don't how many hundreds of spam are dumped by hotmail - especially for the one that is still published, I don't know how much nuisance it is to have it published still. I really don't see how spam is worth anything to anyone anymore. There just can't be that many idiots out there! Though I admit that I did a really dumb thing recently when my brain was affected - crossing my fingers that I was able to undo it.

Miss Betsy

[agsteele]

Caches of the A-B list were available fairly briefly widely the internet, some of those are gone now - but others remain. Seems the list was originally posted in pastebin.com which seems straight enough (just misused?).

It is always a bit useful to search for your own email address on the internet - one never knows without looking...

Well it seems that the issue is much more widespread with other free Email providers reporting the issue (including Google, Yahoo! and AOL) - http://news.bbc.co.uk/1/hi/technology/8292299.stm

Andrew

[Farelf]

And yet more:

http://www.dailymail.co.uk/news/article-12...ted-online.html

...Around 10,000 passwords were obtained by hackers who created a fake website identical to Hotmail's to fool users into entering their email address and password in a 'phishing' scam. ...

Now the BBC claims that another list of over 30,000 email addresses and passwords is circulating, which contains the details for Gmail, Yahoo! Mail, AOL, Comcast and Earthlink accounts.

The latest list was posted on Pastebin.com, the same website to which the Hotmail list was originally uploaded.

The site, which is intended for web developers to share code, has since been taken down for maintenance. ...

So, seems like the old, "follow the handy link in this email to amend your account details ..." trick. Who can even begin to guess why the lists are being published? The effect is to shine a spotlight on the whole nefarious enterprise and so sabotage any criminal plans for the data that there may have been. A white hat h4x0r, or one who has had a serious disagreement with his former associates, or ... endless possibilities - but it is about the best thing that could follow a phishing expedition in any event.

[Farelf]

...So, seems like the old, "follow the handy link in this email to amend your account details ..." trick. ...

From which few, if any, are ever completely safe. Lest 'smug superiority' and other forms of hubris undermine the constant vigilance required for even partial immunity, I see user 'The Other Guy' in grc.security pointing to this cautionary tale: FBI Chief Almost Falls For Phishing Scheme, Wife Bans Him From Online Banking. Maybe that's just apocryphal, or a 'team hit' for the greater good, but the seriousness of the message cannot be disputed.