October 7, 2009

On Monday, we began to hear reports that a large number of Microsoft Windows Live / Hotmail Web E-mail accounts had been compromised.  This was subsequently confirmed by Microsoft:

Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers.

As of 3pm PT: We want to provide a quick update, that as a result of our investigation we are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts.

On Tuesday, it became apparent that this phishing attack had not just targeted Hotmail.  The BBC reported that other online E-mail services, including those of AOL, Yahoo!, and Google, were also affected:

Google’s web-based e-mail system, Gmail, has been targeted as part of an “industry-wide phishing scheme”.

The firm said that it had immediately safeguarded the affected accounts.

BBC News has seen two lists that detail more than 30,000 names and passwords from e-mail providers, including Yahoo and AOL, which were posted online.

The attack does not appear to have breached the security of any of the services directly; rather, it used E-mails and other messages to direct users to malicious Web sites that were set up to look like the genuine E-mail sites, but actually were meant to steal users’ passwords and other login credentials.
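The mechanism described above (a link whose visible text or domain imitates a real sign-in page) can be checked mechanically before a user ever clicks. The following Python is an added example, not code from the original post or from any of the providers named; the allowlist of legitimate sign-in hosts and the sample links are constructed for illustration.

```python
from urllib.parse import urlparse

# Assumed allowlist of genuine sign-in hosts (constructed for this example).
LEGIT_HOSTS = {"login.live.com", "mail.google.com", "login.yahoo.com", "mail.aol.com"}


def host_of(url):
    """Return the lowercased host part of a URL, or '' if there is none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def looks_like_url(text):
    """Heuristic: anchor text with a dot and no spaces is probably shown as a URL."""
    t = text.strip().lower()
    return "." in t and " " not in t


def classify_link(anchor_text, href):
    """Return the reasons an e-mail link is suspicious (empty list if none).

    Two classic phishing tells are checked:
      1. the text displayed to the user names one host, but the href goes elsewhere;
      2. the real host is not an allowlisted sign-in host, and in particular it
         embeds a legitimate host name as a lookalike label.
    """
    reasons = []
    target = host_of(href)
    if not target:
        return ["href has no host"]
    shown = host_of(anchor_text) if looks_like_url(anchor_text) else ""
    if shown and shown != target:
        reasons.append(f"displayed host {shown!r} differs from actual host {target!r}")
    if target not in LEGIT_HOSTS:
        for legit in LEGIT_HOSTS:
            # e.g. login.live.com.example.test or mail-google-com.example.test
            if legit in target or legit.replace(".", "-") in target:
                reasons.append(f"host {target!r} imitates {legit!r}")
                break
        else:
            reasons.append(f"host {target!r} is not a known sign-in host")
    return reasons


if __name__ == "__main__":
    # Constructed sample links of the kind found in a phishing e-mail.
    samples = [
        ("Sign in to Hotmail", "https://login.live.com/"),
        ("https://login.live.com", "http://login.live.com.example.test/"),
        ("click here", "http://mail-google-com.example.test/"),
    ]
    for text, href in samples:
        print(text, "->", href, classify_link(text, href) or "ok")
```

The second sample is the pattern the post describes: the displayed address is the genuine one, while the link itself leads to a lookalike domain. Mail gateways and user-awareness tooling apply the same two checks, usually with a far larger allowlist and a proper public-suffix comparison instead of a substring match.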

These tricks are essentially so-called “social engineering” attacks: they work by tricking the user, not by exploiting a technical vulnerability.  As such, they are preventable if users are appropriately cautious.  Here are some DOs and DON’Ts from the SANS Institute:

  • Do change your passwords on a regular basis (every six months or so)
  • Do use long complex pass-phrases rather than passwords where you can
  • Do change all of your passwords if you notice something suspicious
  • Do take identity theft seriously
  • Do use up-to-date anti-virus and a firewall
  • Do NOT click on links in emails, ever
  • Do NOT use the same password at multiple sites

An astonishing number of users still have very silly, easily guessed passwords.  For example, the security firm Acunetix did an analysis of the leaked Hotmail passwords; the most common was ‘123456’.
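The kind of analysis Acunetix ran, counting how often each password appears in a leaked list and measuring how many would fail a basic policy, is simple to reproduce. This Python is an added example and not Acunetix's tooling or the post's own code; the leaked records and the common-password list below are constructed, not real data.

```python
from collections import Counter

# Constructed sample of leaked (account, password) pairs; not real credentials.
LEAK = [
    ("a@example.test", "123456"),
    ("b@example.test", "123456"),
    ("c@example.test", "password"),
    ("d@example.test", "123456"),
    ("e@example.test", "qwerty"),
    ("f@example.test", "correct horse battery staple"),
    ("g@example.test", "password"),
    ("h@example.test", "T7#kq9!vLp2$"),
]

# Assumed blocklist of frequently chosen passwords (a real deployment would use
# a published list of millions of entries; this short one is for illustration).
COMMON = {"123456", "password", "qwerty", "12345678", "abc123", "111111"}


def most_common_passwords(records, n=3):
    """Top-n passwords and their counts, the figure a breach analysis reports."""
    return Counter(pw for _, pw in records).most_common(n)


def password_weaknesses(pw, min_len=12):
    """Reasons a password fails a basic policy (empty list means it passes)."""
    reasons = []
    if pw in COMMON:
        reasons.append("in common-password list")
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.isdigit():
        reasons.append("digits only")
    if pw.isalpha() and pw == pw.lower():
        reasons.append("lowercase letters only")
    return reasons


def weak_fraction(records):
    """Share of leaked accounts whose password fails password_weaknesses()."""
    weak = sum(1 for _, pw in records if password_weaknesses(pw))
    return weak / len(records)


if __name__ == "__main__":
    print("most common:", most_common_passwords(LEAK))
    print(f"weak: {weak_fraction(LEAK):.0%}")
    for _, pw in LEAK:
        print(repr(pw), password_weaknesses(pw) or "ok")
```

Note that a long pass-phrase such as the fourth-from-last sample passes the policy without any special characters, which is the point of the SANS advice to prefer pass-phrases. A sign-up form that rejects anything on the common list would have refused the single most frequent password in the real leak.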

Brian Krebs of the Washington Post, in his “Security Fix” blog, has an article about this incident with some further good advice on choosing and managing passwords.