It started with a report yesterday at Neowin.net stating that it had "received information regarding a possible Windows Live Hotmail 'hack' or phishing scheme where password details of thousands of Hotmail accounts have been posted online."
According to Neowin.net, which has as its slogan, "Where unprofessional journalism looks better," it had seen thousands of account names and passwords that were originally posted 1 October residing on pastebin.com.
Pastebin.com is, its website says, a collaborative debugging tool allowing users to share and modify code snippets while chatting on IRC, IM or a message board.
Microsoft, which claims 400 million registered Hotmail users, soon confirmed Neowin.net's story and said that a successful but undisclosed phishing attack apparently had induced thousands of Hotmail members to give up their account and password details. All told, according to this story at the BBC, some 10,028 accounts were compromised, with addresses beginning with the letters A and B and ending in hotmail.com, msn.com and live.com. The compromised accounts, it reported, were predominantly European in origin.
Then this morning, the BBC said that it had seen two lists containing some 30,000 names and passwords involving not only Microsoft Hotmail account information, but also that from AOL, Google, and Yahoo.
Google told the BBC that Gmail had been hit by an "industry-wide" phishing scheme, but that only 500 of its accounts had been affected. However, the BBC report also said that Google had discovered yet another list but would not say how many names were on it.
In all cases, Microsoft, Yahoo, Google, etc. have taken steps to help account owners who got phished. Microsoft, for instance, said that it was blocking access to compromised Hotmail accounts, and will help users recover their accounts after they prove that they are in fact the owners. Google said basically the same thing.
What isn't clear is whether all the victims were from one phish attack or several, and over what time frame the attack or attacks took place.
One thing that has emerged from this event is that many of the Hotmail users who got phished used very simple passwords. A story in PC World said that a security researcher found that "just 6 percent of the Hotmail [phished] passwords contained a mix of letters, numbers and other characters. More than 60 percent were either lower case letters only, or numbers."
The top five passwords were, says PC World: 1. 123456; 2. 123456789; 3. alejandra; 4. 111111; and 5. alberto.
Based on the predominance of Latin names used as passwords, the researcher believes it was a phishing kit targeting Hispanics and Latinos.
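The composition breakdown quoted from PC World above is easy to reproduce; the following is an added example (not from the article or from the researcher it cites) that runs the same classification and top-five count over a constructed sample list rather than the leaked data.

```python
import re
from collections import Counter

# Constructed sample in the style of the leaked list; these are NOT the
# leaked passwords, just plausible stand-ins chosen to exercise each class.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456789", "alejandra", "111111", "alberto",
    "123456", "qwerty", "maria", "password", "P@ssw0rd!", "Tr0ub4dor&3",
    "carlos", "000000", "jose1234", "Abc123", "letmein", "123456",
    "yahoo", "654321",
]

def composition_class(pw):
    """Bucket a password by the character classes it uses, mirroring the
    categories PC World quoted: full mix, lowercase-only, digits-only."""
    has_letter = re.search(r"[A-Za-z]", pw) is not None
    has_digit = re.search(r"\d", pw) is not None
    has_other = re.search(r"[^A-Za-z0-9]", pw) is not None
    if has_letter and has_digit and has_other:
        return "letters+digits+other"
    if pw.isalpha() and pw.islower():
        return "lowercase-only"
    if pw.isdigit():
        return "digits-only"
    return "partial-mix"   # e.g. letters+digits but no symbol

def composition_breakdown(passwords):
    """Percent of the sample falling in each class."""
    counts = Counter(composition_class(p) for p in passwords)
    total = len(passwords)
    return {cls: round(100.0 * n / total, 1) for cls, n in counts.items()}

def weak_share(passwords):
    """Percent that are single-class (lowercase-only or digits-only), the
    figure the researcher put above 60 percent for the leaked set."""
    weak = sum(1 for p in passwords
               if composition_class(p) in ("lowercase-only", "digits-only"))
    return round(100.0 * weak / len(passwords), 1)

def top_passwords(passwords, n=5):
    """Most frequent values, the way a 'top five' list is derived."""
    return Counter(passwords).most_common(n)

if __name__ == "__main__":
    print(composition_breakdown(SAMPLE_PASSWORDS))
    print("single-class share:", weak_share(SAMPLE_PASSWORDS))
    print("top 5:", top_passwords(SAMPLE_PASSWORDS))
```

On a real password set this is the same kind of audit an administrator would run to decide whether a minimum-complexity rule is worth imposing.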
In related phishing news, the San Jose Mercury News reported today that the FBI is investigating an automated phone-call phishing scam that has been targeting banks across the US, including Liberty Bank, Bank of America, Wells Fargo, Citibank and some credit unions.
The phishing calls, the Mercury News reports, say, "Your card has been suspended because we believe it was accessed by a third party. Please press 1 now to be transferred to our security department."
If you press 1, you are then asked to enter your credit/debit card number and personal identification number.
And if you do, you are gaffed as well as gafted.
BTW, I blogged about a study on why people fall for phishing schemes earlier this year that you can read about here.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.