Scammers exploit public lists of hijacked Hotmail passwords
Scams spike after 'free' lists of compromised passwords leak, Websense says
Computerworld - Scammers have grabbed the Hotmail passwords that leaked to the Web and are using them in a plot involving a fake Chinese electronics seller to bilk users out of cash and their credit card information, a security researcher said today.
"We've seen a 30% to 40% increase in these types of spam messages in the last several days," said Patrik Runald, senior manager of Websense's security research team. "By 'these types of spam,' I mean messages that are advertising great consumer electronics bargains, such as cameras and computers."
The messages shill for a fake electronics retailer in China, and provide a link to its site, said Runald, who added that the ensuing domain looks legitimate enough but is simply a front. "They're offering great deals -- MacBook Pros going for $700, when they really cost $1,200 or $1,500," he said of the bogus retailer.
Consumers duped by the scam have reported on Web forums that they never received the goods they ordered. "There are tons of people posting this," claimed Runald. "But it's just a scam. Not only are they out the money they paid [for the non-existing items], but the scammers have their credit card number, their mailing address and everything else they need to make other purchases with the card."
The link to the Hotmail passwords is circumstantial, admitted Runald, but still credible.
"The increase in spam started as these lists became public knowledge," said Runald, who speculated that the scammers had simply taken advantage of the work of other criminals, grabbing the account information from the Web and then using those compromised accounts to send spam. "Since the lists made it into the public domain, they've been piggybacking," he said, of the scammers.
Another clue that hints at a connection between the spam spike and the hijacked Hotmail passwords is the claim consumers have made that they bit on the bogus China retailer scam because they'd received the messages from friends.
"They're saying that they received these messages from friends," said Runald, "but when they get in touch with that friend, he says 'I lost my account details' in the recent phishing attack. So it makes perfect sense that there's a connection."
Other e-mail security firms, however, were not able to confirm Websense's analysis. Google's Postini, for example, said it had not detected any appreciable upswing in spam. Symantec's MessageLabs, meanwhile, said it was unable to dig up data on short notice.
The saga of the compromised accounts started last week, when more than 10,000 Windows Live Hotmail passwords were posted to the Internet. This week, details of another 20,000 Hotmail, Google Gmail and Yahoo Mail accounts went public.
Microsoft and Google have said they have blocked the hijacked accounts, which both companies said were obtained through a wide-scale phishing attack, not through a security breach of their free, Web-based e-mail services.
While experts have urged users to change their e-mail account passwords, other researchers have noted that many of the compromised accounts used easily-guessed passwords, with 123456 and 123456789 as the most common.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts