An online scam which led to thousands of ill-gotten Hotmail, Gmail,
Yahoo and other webmail account names and passwords being posted to
the web may be the work of botnets, rather than a phishing operation.
According to Mary Landesman, senior security researcher with San
Francisco-based ScanSafe,
the actual logs "contain miscellaneous mistakes that wouldn't
appear with a phishing scam". Several different versions of
addresses and other information appeared which looked like everyday
typos, she said.
Logs of phishing scams usually contain abusive messages from
users who realise that they are being phished, which wasn't
the case in this instance. The sheer number of compromised
accounts, now over 30,000, was also at odds with the typically low
hit rate of phishing scams, she said.
"Data theft accounts for a good proportion of the
information."
Landesman found some 5,000 Windows Live ID username / password
combinations within the cache, leading her to conclude the attack
was the result of keylogging or data theft rather than
phishing.
The findings contradict statements by Google and Microsoft who
both sought to dispel any ideas of an internal security breach.
The fact that those addresses have been posted all over the web,
with untold numbers of fraudsters and scammers now seeing fresh
opportunities to dupe people, is a cause for concern, said
Landesman.
"This is like payday for the scammers; these addresses are now
exposed to the whole world," she said.
Reports began to surface yesterday, for instance, that affected
webmail users have been inundated with phishing emails, including
one purporting to be from an electronics retailer based in
China, which has already duped people out of money and credit
card details. Many victims were tricked after receiving emails
purporting to be from friends or colleagues recommending the
site.
"Those victims of this webmail scam will have a much higher
incidence of bogus emails and so will all the people on their
contact lists," Landesman said.
Other security researchers argue that the leaked email accounts
were the result of phishing. An
analysis by US security researcher Bogdan Calin, CTO of
security company Acunetix, suggests that many of the leaked
passwords used easily guessable strings of numbers or letters.
Read Landesman's latest blog
on this webmail scam