News

Researcher: MS Account of Hijacked Hotmail Passwords Wrong

A security researcher at ScanSafe isn't buying Microsoft's and Google's explanation that hijacked Hotmail and Gmail passwords were obtained in a massive phishing attack. She blames botnets and keylogging.

By Gregg Keizer

October 07, 2009 — Computerworld —

One researcher isn't buying Microsoft's and Google's explanation that hijacked Hotmail and Gmail passwords were obtained in a massive phishing attack.

Mary Landesman, a senior security researcher at San Francisco-based ScanSafe, said it's more likely that the massive lists -- which include approximately 30,000 credentials from Hotmail, Gmail, Yahoo Mail and other sources -- were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses.

Landesman based her speculation on an accidental find in August of a cache of usernames and passwords, including those from Windows Live ID, the umbrella log-on service that Microsoft offers users to access Hotmail, Messenger and a slew of other online services.

That cache contained about 5,000 Windows Live ID username/password combinations, said Landesman, who found the trove while researching a new piece of malware. "From the organization [of that cache] and what the data looked like in raw form, I think it's more likely that this latest was the result of keylogging or data theft, not phishing," Landesman said.

She dismissed the idea that the passwords had been collected in a large-scale, industry-wide phishing attack , as Microsoft and Google both maintained.

"Another indicator is the sheer number of compromised accounts," Landesman said, referring to the two lists that have gone public. "Phishing is not generally a wildly successful scam, it doesn't have a big return. People are more savvy about phishing than we give them credit for."

Instead, it's more logical to assume that the passwords were acquired by botnet operators, who hijack PCs using security exploits, then later plant data-stealing malware on those machines. "That s a much more realistic source," said Landesman. "Regardless [of] what the final intent is of a botnet, one of the core capabilities of every botnet is the harvesting of e-mail credentials. If it looks like a horse, it's a horse, it's not a zebra."

Landesman's theory contradicts not only Microsoft and Google, but also the Anti-Phishing Working Group (APWG), an industry association dedicated to fighting online identity theft. On Monday, the APWG's chairman, Dave Jevans said a phishing attack that garnered thousands of passwords was do-able. "It's not outside the realm of possibility," he said then.

Also against the phishing explanation, argued Landesman, is the fact that the second list -- approximately 20,000 passwords -- contained usernames from not just Hotmail, but also Gmail, Yahoo Mail, Comcast, EarthLink and others. "That makes [the purported phishing campaign] a much broader attack across multiple services."