Scammers exploit public lists of hijacked Hotmail passwords

Computerworld - Scammers have grabbed the Hotmail passwords that leaked to the Web and are using them in a plot involving a fake Chinese electronics seller to bilk users out of cash and their credit card information, a security researcher said today.

"We've seen a 30% to 40% increase in these types of spam messages in the last several days," said Patrik Runald, senior manager of Websense's security research team. "By 'these types of spam,' I mean messages that are advertising great consumer electronics bargains, such as cameras and computers."

The messages shill for a fake electronics retailer in China, and provide a link to its site, said Runald, who added that the ensuing domain looks legitimate enough but is simply a front. "They're offering great deals -- MacBook Pros going for $700, when they really cost $1,200 or $1,500," he said of the bogus retailer.

Consumers duped by the scam have reported on Web forums that they never received the goods they ordered. "There are tons of people posting this," claimed Runald. "But it's just a scam. Not only are they out the money they paid [for the non-existing items], but the scammers have their credit card number, their mailing address and everything else they need to make other purchases with the card."

The link to the Hotmail passwords is circumstantial, admitted Runald, but still credible.

"The increase in spam started as these lists became public knowledge," said Runald, who speculated that the scammers had simply taken advantage of the work of other criminals, grabbing the account information from the Web and then using those compromised accounts to send spam. "Since the lists made it into the public domain, they've been piggybacking," he said, of the scammers.

Another clue that hints at a connection between the spam spike and the hijacked Hotmail passwords is the claim consumers have made that they bit on the bogus China retailer scam because they'd received the messages from friends.

"They're saying that they received these messages from friends," said Runald, "but when they get in touch with that friend, he says 'I lost my account details' in the recent phishing attack. So it makes perfect sense that there's a connection."

Other e-mail security firms, however, were not able to confirm Websense's analysis. Google's Postini, for example, said it had not detected any appreciable upswing in spam. Symantec's MessageLabs, meanwhile, said it was unable to dig up data on short notice.

The saga of the compromised accounts started last week, when more than 10,000 Windows Live Hotmail passwords were posted to the Internet. This week, details of another 20,000 Hotmail, Google Gmail and Yahoo Mail accounts went public.

Microsoft and Google have said they have blocked the hijacked accounts, which both companies said were obtained through a wide-scale phishing attack, not through a security breach of their free, Web-based e-mail services.

While experts have urged users to change their e-mail account passwords, other researchers have noted that many of the compromised accounts used easily-guessed passwords, with 123456 and 123456789 as the most common.

Read more about security in Computerworld's Security Knowledge Center.