Wednesday, October 7, 2009

Stolen Hotmail/Gmail Accounts: Why Data Theft?

I wanted to expand a bit on my previous post about the recently discovered stolen webmail credentials and why I believe a data theft trojan might have been involved. First, though, some general information about the initial list that was discovered:

  • The list contained just over 10,000 records of usernames beginning with A or B.
  • 657 of the passwords were used more than once, but only 1666 of the records shared a password with another record - an indication that the majority of impacted users were striving for unique passwords.
  • Not all of the 1666 password-sharing records were unique: 1369 of them were repeat usernames that appeared more than once, some as many as five times.
  • 123456 was the most frequently used password, but it appeared only 63 times out of the 10,000+ records.
  • Though the A/B list did contain mainly Windows Live accounts (which includes MSN, Hotmail, and live.com), there was a smattering of other accounts on the list as well. Included were gmail, yahoo, aol, prodigy, neuf, latinmail, telefonica, vodafone, and a few dozen others.

So why do I suspect a trojan and not just an outright phishing scam?

The victims appeared to be taking reasonable precautions (in most cases) with the uniqueness, length and complexity of their passwords. There were certainly exceptions, but by and large the passwords could be considered respectable. That is at least an indication that the users were a bit more experienced and thus potentially less likely to fall for a phishing scam.

Previous lists of known phished accounts generally have some of the victims leaving nonsensical messages - as if they realized they were being phished. A Microsoft analysis of a MySpace phishing attack a few years back revealed that approximately 1 in 16 or 20 of the phished victims were aware they were being scammed. Instead of usernames or passwords, they left messages for the attackers like "hacking:urhacking" or "fake:fake". Of the 10,000+ entries on the recently discovered A/B list, there are no nonsensical entries. Sure, those could have been removed, but given the other errors discussed below, it doesn't appear there was much, if any, cleanup done to the list.

There are errors throughout the list that appear to be the result of improper extraction or merger of data. In fact, these errors had to be corrected before the various data points provided above could be counted.

In many cases, a username appears multiple times with the same password, save for a slight misspelling in one or the other. While the list was posted in alphabetical order and not in the order in which the data was retrieved, I suspect that, had it been in the order in which the data was captured, the slightly misspelled entries would have turned out to be failed login attempts.

It's certainly possible that a phishing scam is operating as a man-in-the-middle and returning an unsuccessful login when an incorrect username/password is provided. But if that's the case, what accounts for the significant portion of common spelling errors? Assuming the criminals wanted to barter the list or use it for illicit purposes, doesn't it stand to reason they would have corrected those simple spelling errors to ensure the greatest success? Especially if they were going to the trouble of verifying its validity during capture?

The @ separating the username from the mail domain is not always present. This isn't hugely meaningful, but it happened often enough to suggest that either the data was being pieced together from a form or it was being extracted from another, larger set of data. If it was a form and there was verification occurring, why were there so many misspellings of hotmail? And if there was no verification, why the multiple attempts to enter the proper username and password?
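The counts listed at the top of this post and the error patterns discussed in the last few paragraphs (near-identical usernames sharing one password, missing @ separators, misspelled domains) are exactly what an analyst computes when triaging a leaked credential list to judge how it was collected. The script below is an added example, not ScanSafe's own tooling; it assumes the list is one `username:password` record per line (the separator is an assumption) and runs on a small constructed sample with made-up accounts and passwords.

```python
"""Triage of a leaked credential list (added example; not the post's or
ScanSafe's code). Reports the statistics the post gives (password reuse,
repeated usernames, most common password, records missing '@') and flags
the extraction errors the post describes: near-duplicate usernames that
share a password, and domains that look like misspellings of a known one.
"""
from collections import Counter, defaultdict
from itertools import combinations
import difflib

# Constructed sample dump in an assumed username:password format.
# None of these are real accounts or real passwords.
SAMPLE_DUMP = """\
alice@hotmail.com:Tr0ub4dor&3
alice@hotmail.com:Tr0ub4dor&3
alice@hotmial.com:Tr0ub4dor&3
alicehotmail.com:Tr0ub4dor&3
bob@gmail.com:123456
bob.smith@live.com:correct-horse-battery
bobsmith@live.com:correct-horse-battery
brenda@yahoo.com:123456
bruno@neuf.fr:Xq9!mPw2
"""

# Assumed list of legitimate webmail domains to compare against.
KNOWN_DOMAINS = ("hotmail.com", "gmail.com", "live.com", "msn.com",
                 "yahoo.com", "aol.com")


def parse_dump(text):
    """Split 'username:password' lines into (username, password) tuples.
    Blank lines and lines without a separator are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, pwd = line.partition(":")  # split on the first ':' only
        records.append((user, pwd))
    return records


def summarize(records):
    """Counts of the same kind the post reports for the A/B list."""
    if not records:
        return {}
    pw_counts = Counter(p for _, p in records)
    user_counts = Counter(u for u, _ in records)
    top_pw, top_n = pw_counts.most_common(1)[0]
    return {
        "records": len(records),
        # distinct passwords that appear on more than one record
        "passwords_used_more_than_once": sum(1 for c in pw_counts.values() if c > 1),
        # records whose password is shared with at least one other record
        "records_sharing_a_password": sum(1 for _, p in records if pw_counts[p] > 1),
        # records whose username appears more than once in the list
        "records_with_repeated_username": sum(1 for u, _ in records if user_counts[u] > 1),
        "most_common_password": (top_pw, top_n),
        "records_missing_at_sign": sum(1 for u, _ in records if "@" not in u),
    }


def near_duplicate_usernames(records, threshold=0.8):
    """Pairs of *different* usernames that share a password and differ only
    slightly: the 'one of them is a typo / failed login' pattern."""
    users_by_pw = defaultdict(set)
    for u, p in records:
        users_by_pw[p].add(u)
    pairs = []
    for users in users_by_pw.values():
        for a, b in combinations(sorted(users), 2):
            if difflib.SequenceMatcher(None, a, b).ratio() >= threshold:
                pairs.append((a, b))
    return sorted(pairs)


def misspelled_domains(records, known=KNOWN_DOMAINS, cutoff=0.8):
    """Map each domain that is not in `known` but is close to one (e.g.
    'hotmial.com') to the known domain it most resembles."""
    found = {}
    for u, _ in records:
        if "@" not in u:          # no domain to check; counted elsewhere
            continue
        domain = u.rsplit("@", 1)[1].lower()
        if domain in known or domain in found:
            continue
        close = difflib.get_close_matches(domain, known, n=1, cutoff=cutoff)
        if close:
            found[domain] = close[0]
    return found


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for key, value in summarize(recs).items():
        print(f"{key}: {value}")
    print("near-duplicate usernames:", near_duplicate_usernames(recs))
    print("misspelled domains:", misspelled_domains(recs))
```

The similarity threshold of 0.8 on `difflib`'s ratio is a judgment call: it catches single transposed or dropped characters in addresses of typical length while leaving unrelated usernames that merely share a weak password (two different people using 123456) unflagged. On a real list the near-duplicate pairs are the ones to inspect by hand, since a phishing kit that verified logins would have had no reason to keep the failed attempts.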

But going back to my previous post about the cache of stolen credentials ScanSafe came upon a couple of months ago - we also came upon a partial "Z" list of stolen credentials this week that follows the same format we observed previously. Not just one but multiple sets of credentials belonging to the same victim had been stolen, and these were lumped together with lists of credentials belonging to other victims. Not identical, but certainly a very similar harvesting method to the one we witnessed two months back. Could the A/B list have been derived from a similar master list?

Certainly no one but the original thief can say for sure, and thus the question of the origin of the stolen data will likely never be fully answered. But as of now, data theft still seems a very likely cause.

Reader Comments (1)

In my hotmail acct I twice had my entire contact list spammed. I lost my contact list and had to reenter the data. That happened twice last year. Recently my account was hacked but my contact list was not used. The messages came back as undeliverable and I didn't recognize the urls. I checked the sent file and there they were. A note of interest: somebody must have been trying to change my password as Live daily or near daily requested I confirm my request for a new password which I did not request. This has been going on for the past few weeks. I copy the cancel request url, paste it in a new browser page and cancel the request for change.
I receive many phish messages to PayPal and E-bay. I always forward the messages and ask if they were phishes. They always were and were being investigated.
I also get many from banks, even those that I don't have an account with. I will look up the bank and if there is a security e-mail address I forward the phish to them. I find it very difficult to warn Hotmail about phish messages from hotmail accounts, and wonder about the sincerity of hotmail in regards to stopping junk mail. Sometimes I get so many junk mail messages I just delete them by the pages. I used to forward them to spam@ftc.gov for their use. Hotmail cut me off several times from sending similar messages to the FTC in quantity as their effort to curtail spam traffic.
I still don't have a url to pass along what I am almost certain are phish e-mails.

October 11, 2009 | Unregistered Commenter SharonB
