Scammers exploit public lists of hijacked Hotmail passwords
Scams spike after 'free' lists of compromised passwords leak, Websense says
Computerworld - Scammers have grabbed the Hotmail passwords that leaked to the Web and are using them in a plot involving a fake Chinese electronics seller to bilk users out of cash and their credit card information, a security researcher said today.
"We've seen a 30% to 40% increase in these types of spam messages in the last several days," said Patrik Runald, senior manager of Websense's security research team. "By 'these types of spam,' I mean messages that are advertising great consumer electronics bargains, such as cameras and computers."
The messages shill for a fake electronics retailer in China, and provide a link to its site, said Runald, who added that the ensuing domain looks legitimate enough but is simply a front. "They're offering great deals -- MacBook Pros going for $700, when they really cost $1,200 or $1,500," he said of the bogus retailer.
Consumers duped by the scam have reported on Web forums that they never received the goods they ordered. "There are tons of people posting this," claimed Runald. "But it's just a scam. Not only are they out the money they paid [for the non-existing items], but the scammers have their credit card number, their mailing address and everything else they need to make other purchases with the card."
The link to the Hotmail passwords is circumstantial, admitted Runald, but still credible.
"The increase in spam started as these lists became public knowledge," said Runald, who speculated that the scammers had simply taken advantage of the work of other criminals, grabbing the account information from the Web and then using those compromised accounts to send spam. "Since the lists made it into the public domain, they've been piggybacking," he said, of the scammers.
Another clue that hints at a connection between the spam spike and the hijacked Hotmail passwords is the claim consumers have made that they bit on the bogus China retailer scam because they'd received the messages from friends.
"They're saying that they received these messages from friends," said Runald, "but when they get in touch with that friend, he says 'I lost my account details' in the recent phishing attack. So it makes perfect sense that there's a connection."
Other e-mail security firms, however, were not able to confirm Websense's analysis. Google's Postini, for example, said it had not detected any appreciable upswing in spam. Symantec's MessageLabs, meanwhile, said it was unable to dig up data on short notice.
The saga of the compromised accounts started last week, when more than 10,000 Windows Live Hotmail passwords were posted to the Internet. This week, details of another 20,000 Hotmail, Google Gmail and Yahoo Mail accounts went public.
Microsoft and Google have said they have blocked the hijacked accounts, which both companies said were obtained through a wide-scale phishing attack, not through a security breach of their free, Web-based e-mail services.
While experts have urged users to change their e-mail account passwords, other researchers have noted that many of the compromised accounts used easily-guessed passwords, with 123456 and 123456789 as the most common.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts