An online scam which led to thousands of ill-gotten Hotmail, Gmail, Yahoo and other webmail account names and passwords being posted to the web may be the work of botnets, rather than a phishing operation.
According to Mary Landesman, senior security researcher with San Fransciso-based ScanSafe, the actual logs "contain michellaneous mistakes that wouldn't appear with a phishing scam". Several different versions of addresses and other information appeared which looked like everyday typos, she said.
Logs of phishing scams usually contain abusive messages from users who realise that they are being phished, and that this wasn't the case in this instance. The sheer number of compromised accounts, now over 30,000, was also at odds with the typically low hit rate of phishing scams, she said.
"Data theft accounts for a good proportion of the information."
Landesman found some 5,000 Windows Live ID username / password combinations within the cash, leading her to conclude the attack was the result of keylogging or data theft rather than phishing.
The sheer number of compromised accounts was at odds with the typically low hit rate of phishing scams, she said.
The findings contradict statements by Google and Microsoft who both sought to dispel any ideas of an internal security breach.
The fact that those address have been posted all over the web with untold numbers of fraudsters and scammers now seeing fresh opportunities to dupe people, is a cause for concern, said Landesman
"This is like payday for the scammers; these addresses are now exposed to the whole world," she said.
Reports began to surface yesterday, for instance that affected webmail users have been inundated with phishing emails including one purporting to be from an electronics retailer based in China, which has already duped people out of money and credit card details. Many victims were tricked after receiving emails purporting to be from friends or colleagues recommending the site.
"Those victims of this webmail scam will have a much higher incidence of bogus emails and so will all the people on thier contact lists," Landesman said.
Other security researchers argue that the leaked email accounts were the result of phishing. An analysis by US security researcher Bogdan Calin, CTO of security company Acunetix, suggests that many of the leaked passwords used easily guessable strings of numbers or letters.
Read Landesman's latest blog on this webmail scam