
Yahoo, Gmail, Hotmail Compromised - But How?

Terry Zink

One of the bigger news stories this past week is that the usernames and passwords of 10,000 Hotmail users were posted online, the users being victims of a phishing scam. From Computerworld:

If (technology blog) Neowin's account is accurate, the Hotmail hack or phishing attack would be one of the largest suffered by a Web-based e-mail service.

Last year, a Tennessee college student was accused of breaking into former Alaska governor Sarah Palin's Yahoo Mail account in the run-up to the U.S. presidential election. Palin, the Republican vice presidential nominee at the time, lost control of her personal account when someone identified only as "rubico" reset her password after guessing answers to several security questions.

Shortly after the Palin account hijack, Computerworld confirmed that the automated password-reset mechanisms used by Hotmail, Yahoo Mail and Google's Gmail could be abused by anyone who knew an account's username and could answer a single security question.

The BBC reports that Gmail and Yahoo were also targeted.

It seems unlikely to me that this would be a hack where someone would break into Hotmail's servers and access the account information that way. It is much more likely that the spammers got the information by social engineering. Why is this more likely? For one, they'd have to get past all of the firewalls and security measures that Microsoft/Hotmail have to keep intruders out. While not impossible, it is not easy.

But secondly, even if a hacker/spammer were to break in and steal the account information, it is very unlikely that they could access the associated passwords. Passwords are not stored in clear text; they are stored as the output of a one-way hash. At least, firms with good security store them this way; while I don't work in Hotmail, I am pretty certain that they would do the same because it is standard Microsoft policy. The point is that a hacker couldn't get a user's password because all he would have access to is a text string that wouldn't work when entered into the web portal. This suggests that the spammer tricked the user into handing over their user account and password through some other mechanism.

Whilst I suspect social engineering, I do not suspect security-question guessing. Note that while vice-presidential candidate Sarah Palin had her account hacked by somebody guessing her login information, this is not a scalable model for spammers. Palin is well known and you could possibly guess her information simply by reading about her online. But to access 10,000 accounts that way is too time consuming and the people you are hacking are unknown to you. You wouldn't be able to guess their information, other than by chance. Random guessing is useless.

So how did this hacker acquire this information?

The general consensus is that these were victims of phishing scams, most likely involving social engineering. It would look something like this: the Hotmail user receives a spam message in their inbox, probably a message that looks like it is coming from Windows Live. There is some call to action wherein the spammer says that Hotmail is upgrading its infrastructure and requires users to log in to their account and verify their credentials. Furthermore, there was probably some bot attack that broke Hotmail's CAPTCHA service on the sign-up page, so these spam messages were sent from inside Hotmail itself. These types of spam can be more difficult to filter than spam coming from another service. So we have Hotmail users spamming Hotmail users, possibly with a From: address like "Windows Live Mail Security <live.security.something@...>". Some users did not recognize that this was a phishing scam, entered their credentials, and the damage was done.

That's one likely scenario.

The problem is that there are so many other possible attack vectors. Here's one: spammers don't have to target Hotmail users via a phishing scam. Notice that not only Hotmail users surrendered their credentials; so did Yahoo and Google users. You don't have to fall victim to a phishing scam. A hacker would have a difficult time hacking Yahoo, Google and Microsoft directly, but what if they attacked an online discussion forum? Or a blogging service? Many websites around the internet allow you to log in using your email address as the username. How many people use their email address… and also use the same password? If a hacker were to break into an online forum, one with much less security, they could count on the fact that users tend to reuse usernames and passwords. Hackers get to take advantage of statistics: given enough people, some of them will be hits (i.e., the same username/password combination works on the webmail service too).

BBC News confirmed that the accounts are genuine and predominantly originate in Europe, so I'm willing to bet that some discussion forum in Europe stored its users' usernames and passwords in clear text, was broken into, and had that information stolen. The attackers then verified which credentials unlocked the users' webmail accounts and discarded the rest. They then posted them online for all to see.
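The two points above (a stolen hash is not a usable password, and a password reused on a weakly protected forum unlocks the webmail account) can be shown in a few lines. This is an added example, not code from the original post or from any of the services it discusses; it uses PBKDF2 via Python's standard library and constructed sample passwords.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: how a site should store credentials so that a stolen
# copy of its user table yields no working passwords, and why per-record
# salts mean a reused password does not even produce matching records.

ITERATIONS = 200_000  # PBKDF2 work factor; tune to the server hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme a careless forum might use: one bare SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iters$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def stolen_record_is_useless(record: str) -> bool:
    """Typing the stolen hash string into the login form does not authenticate."""
    return not verify_password(record, record)


def same_password_two_sites(password: str, salted: bool) -> bool:
    """True if the same password gives identical records on a forum and a webmail site.

    Unsalted: identical, so one leaked table reveals who reused a password elsewhere.
    Salted with a random per-record salt: different, even for the same password.
    """
    make = hash_password if salted else unsalted_hash
    return make(password) == make(password)
```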

But that's not the only possibility. According to the Microsoft Security Intelligence Report, the rates of software piracy in eastern Europe are higher than in western Europe and the United States. So, if BBC News confirmed that the accounts are predominantly in eastern Europe, what if the following occurred:

Some users, running older copies of Windows XP, were downloading music and happened to download rogue software. These users don't always keep their systems up to date, so the rogue software sat on their computers for a while. It is designed to capture login information for major web portals, so when these users then checked their web mail, the credentials were captured by the malware and relayed back to its command center.

I admit that scenario is much more far-fetched and less likely than the other two. But the point is that the attack vector for how this could have occurred is very wide and tracking it down to its source is quite difficult, indeed.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.

Related topics: Cybercrime, Cybersecurity, Email, Spam

 
   


Comments

Exactly...

Joseph A'Deo – Oct 09, 2009 1:16 PM PDT

How many people use their email address… and also use the same password? If a hacker were to break into an online forum, one with much less security, they could count on the fact that users tend to reuse usernames and passwords.

Exactly, which is why we've been pushing (I work @ VeriSign) for encryption solutions and consumer protection devices like two-factor authentication to be seen as a necessity wherever private information is being used (be it a routing number or a simple log-in credential). If all those hotmail accounts had required a token to authenticate, the leak would have been a non-issue.

In the meantime, however, obviously the solution is to vary passwords and be on the lookout for phishing attempts, but where forums are concerned it's tricky business. Maybe some kind of standard, federally mandated log-in system is the answer, as "big brother" as it sounds.

Joseph, your post underplays the importance of education

Alex Tajirian – Oct 10, 2009 9:57 AM PDT

Joseph,

Your post underplays the importance of education and ignores risk management.

Education on the customer side involves differentiating between phishing and legitimate emails. Phishing solutions and discourse have emphasized the former. Nevertheless, eBay or your bank can legitimately send you an email about a credit card discrepancy. However, the emphasis on phishing can automatically lead to deleting such email, which can be hazardous to your health.

Risk management at the corporate level has to first answer whether to secure or insure. Nevertheless, implementation requires education and coordination.

Last scenario may be most likely, not least likely

Kerry Brown – Oct 10, 2009 8:00 AM PDT

A lot of malware looks for logon screens and passwords.

http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
