
Yahoo, Gmail, Hotmail Compromised - But How?

One of the bigger news stories this past week is that the usernames and passwords of 10,000 Hotmail users were posted online, the victims of a phishing scam. From Computerworld:

If (technology blog) Neowin’s account is accurate, the Hotmail hack or phishing attack would be one of the largest suffered by a Web-based e-mail service.

Last year, a Tennessee college student was accused of breaking into former Alaska governor Sarah Palin’s Yahoo Mail account in the run-up to the U.S. presidential election. Palin, the Republican vice presidential nominee at the time, lost control of her personal account when someone identified only as “rubico” reset her password after guessing answers to several security questions.

Shortly after the Palin account hijack, Computerworld confirmed that the automated password-reset mechanisms used by Hotmail, Yahoo Mail and Google’s Gmail could be abused by anyone who knew an account’s username and could answer a single security question.

The BBC reports that Gmail and Yahoo were also targeted.

It seems unlikely to me that this would be a hack where someone would break into Hotmail’s servers and access the account information that way. It is much more likely that the spammers got the information by social engineering. Why is this more likely? For one, they’d have to get past all of the firewalls and security measures that Microsoft/Hotmail have to keep intruders out. While not impossible, it is not easy.

But secondly, even if a hacker/spammer were to break in and steal the account information, it is very unlikely that they could access the associated passwords. Passwords are not stored in clear text; they are stored as a one-way hash. Actually, firms with good security store them this way; while I don’t work in Hotmail, I am pretty certain that they would do the same because it is standard Microsoft policy. The point is that a hacker couldn’t get a user’s password because all he would have access to is a text string that wouldn’t work when entered into the web portal. This suggests that the spammer tricked the user into handing over their user account and password through some other mechanism.
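To make the one-way-hash argument concrete, here is an added example (not code from the original post or from Hotmail) of how a site stores a password as a salted PBKDF2-SHA256 hash and verifies a login against it; the iteration count and the sample password are assumptions chosen for the demo. It shows why a stolen database row, pasted into the login form, does not work as a password.

```python
# Added example: salted one-way password storage and verification.
# Assumptions: PBKDF2-SHA256 with a fixed work factor; sample password is constructed.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor chosen for the example


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a storable string 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is generated unless one is supplied, so two users with
    the same password get different rows and the hash cannot be reversed to
    recover the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed row
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    row = hash_password("correct horse battery staple")   # constructed password
    print("real password accepted:", verify_password("correct horse battery staple", row))
    print("stolen row as password: ", verify_password(row, row))
    print("raw digest as password: ", verify_password(row.split("$")[-1], row))
```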

Whilst I suspect social engineering, I do not suspect security-question guessing. Note that while vice-presidential candidate Sarah Palin had her account hacked by somebody guessing her login information, this is not a scalable model for spammers. Palin is well known and you could possibly guess her information simply by reading about her online. But to access 10,000 accounts that way is too time consuming and the people you are hacking are unknown to you. You wouldn’t be able to guess their information, other than by chance. Random guessing is useless.

So how did this hacker acquire this information?

The general consensus is that these were victims of phishing scams, most likely involving social engineering. It would look something like this: the Hotmail user receives a spam message in their inbox, probably a message that looks like it is coming from Windows Live. There is some call to action wherein the spammer says that Hotmail is upgrading its infrastructure and requires users to log in to their account and verify their credentials. Furthermore, there was probably some bot attack that broke Hotmail’s CAPTCHA service on the sign-up page, so these spam messages were sent from inside Hotmail itself. Spam of this kind can be harder to filter than mail arriving from another service. So we have Hotmail users spamming Hotmail users, possibly with a From: address like “Windows Live Mail Security <live.security.something@...>”. Some users did not recognize that this was a phishing scam, entered their credentials, and the damage was done.

That’s one likely scenario.

The problem is that there are so many other possible attack vectors. Here’s one: spammers don’t have to target Hotmail users via a phishing scam. Notice that not only Hotmail users surrendered their credentials; so did Yahoo and Google users. You don’t have to fall victim to a phishing scam. A hacker would have a difficult time hacking Yahoo, Google and Microsoft directly, but what if they attacked an online discussion forum? Or a blogging service? Many websites around the internet allow you to log in using your email address as the username. How many people use their email address… and also use the same password? If a hacker were to break into an online forum, one with much less security, they could count on the fact that users tend to reuse usernames and passwords. Hackers get to take advantage of statistics: given enough people, some of them will be hits (i.e., the same username/password combination).

BBC News confirmed that the accounts are genuine and predominantly originate in Europe, so I’m willing to bet that some discussion forum in Europe stored its users’ usernames and passwords in clear text, was broken into, and had that information stolen. The attackers then verified which credentials unlocked the users’ web mail accounts and discarded the rest. They then posted them online for all to see.
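The “verify which stolen credentials still work” step described above leaves a distinctive trace in a mail provider’s login logs: one source address trying many different accounts, most of which fail. The following is an added example (not from the original post or from any provider’s tooling) of detection logic over a constructed log sample; the log format, the thresholds and the RFC 5737 test addresses are all assumptions.

```python
# Added example: flag credential-stuffing sources in constructed web-mail login logs.
# Assumptions: one line per login attempt in the format shown in SAMPLE_LOG.
import re
from collections import defaultdict

LOG_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def detect_credential_stuffing(lines, min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for source IPs that
    try many different accounts and mostly fail: the fingerprint of someone
    replaying a list stolen elsewhere, not of a user mistyping a password."""
    per_ip = defaultdict(lambda: {"users": set(), "n": 0, "ok": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line
        rec = per_ip[m["ip"]]
        rec["users"].add(m["user"].lower())
        rec["n"] += 1
        rec["ok"] += m["result"] == "OK"
    flagged = {}
    for ip, rec in per_ip.items():
        if len(rec["users"]) >= min_users and rec["ok"] / rec["n"] <= max_success_rate:
            flagged[ip] = (len(rec["users"]), rec["n"], rec["ok"])
    return flagged


# Constructed sample: 203.0.113.9 replays a list taken from a forum against
# web mail (a few hits, mostly misses); 198.51.100.4 is one legitimate user
# who fat-fingers a password twice and then gets in.
SAMPLE_LOG = [
    "2009-10-05T14:02:11 ip=203.0.113.9 user=alice@example.com result=FAIL",
    "2009-10-05T14:02:12 ip=203.0.113.9 user=bob@example.com result=OK",
    "2009-10-05T14:02:12 ip=203.0.113.9 user=carol@example.com result=FAIL",
    "2009-10-05T14:02:13 ip=203.0.113.9 user=dave@example.com result=FAIL",
    "2009-10-05T14:02:13 ip=203.0.113.9 user=erin@example.com result=FAIL",
    "2009-10-05T14:02:14 ip=203.0.113.9 user=frank@example.com result=OK",
    "2009-10-05T14:05:40 ip=198.51.100.4 user=grace@example.com result=FAIL",
    "2009-10-05T14:05:52 ip=198.51.100.4 user=grace@example.com result=FAIL",
    "2009-10-05T14:06:03 ip=198.51.100.4 user=grace@example.com result=OK",
]

if __name__ == "__main__":
    for ip, (users, n, ok) in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts tried, {n} attempts, {ok} successes")
```

The successful logins from a flagged source are the accounts whose reused password has already been confirmed, and they are the ones to force a reset on first.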

But that’s not the only possibility. According to the Microsoft Security Intelligence Report, the rates of software piracy in eastern Europe are higher than in western Europe and the United States. So, if BBC News confirmed that the accounts are predominantly in eastern Europe, what if the following occurred:

Some users, running older copies of Windows XP, were downloading music and happened to download rogue software. These users don’t always keep their systems up to date, so the rogue software sat on their computers for a while. It is designed to capture login information for major web portals, so when these users then checked their web mail, the credentials were captured by the malware and relayed back to its command center.

I admit that scenario is much more far-fetched and less likely than the other two. But the point is that the attack vector for how this could have occurred is very wide and tracking it down to its source is quite difficult, indeed.

By Terry Zink, Program Manager


Comments

Exactly... Joseph A'Deo  –  Oct 9, 2009 8:16 PM

How many people use their email address… and also use the same password? If a hacker were to break into an online forum, one with much less security, they could count on the fact that users tend to reuse usernames and passwords.

Exactly, which is why we’ve been pushing (I work @ VeriSign) for encryption solutions and consumer protection devices like two-factor authentication to be seen as a necessity wherever private information is being used (be it a routing number or a simple log-in credential). If all those hotmail accounts had required a token to authenticate, the leak would have been a non-issue.

In the meantime, however, obviously the solution is to vary passwords and be on the lookout for phishing attempts, but where forums are concerned it’s tricky business. Maybe some kind of standard, federally mandated log-in system is the answer, as “big brother” as it sounds.

Joseph, Your post underplays the importance of education Alex Tajirian  –  Oct 10, 2009 4:57 PM

Joseph, Your post underplays the importance of education and ignores risk management. Education on the customer side involves differentiating between phishing and legitimate emails. Phishing solutions and discourse have emphasized the former. Nevertheless, eBay or your bank can legitimately send you an email about a credit card discrepancy. However, the emphasis on phishing can automatically lead to deleting such email, which can be hazardous to your health. Risk management at the corporate level has to first answer whether to secure or insure. Nevertheless, implementation requires education and coordination.

Last scenario may be most likely not least likely Kerry Brown  –  Oct 10, 2009 3:00 PM

A lot of malware looks for logon screens and passwords.

http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
