Major Phishing Attack Reports Surface in October
Several years ago the average computer user would not have been expected to know that phishing, identity theft, or any number of Information Security issues existed, nor how important they actually were to staying safe online and in everyday life. With the almost constant public reporting in the intervening years, it is rare that you would come across someone who hasn't heard of identity theft or phishing, or at least knows someone who has been affected by it personally (though it might be described as "a hacker did something").
Even with this increase in awareness and reporting, it is evident that people keep getting caught out, with multiple reports of phishing attacks surfacing since the start of October. Everything from vast numbers of Hotmail accounts compromised, to the potential that many other providers may have been affected, and to reports that the FBI Director was almost a victim of a phishing attempt.
There still aren't many clues as to just how significant these phishing collections actually are, given that the data intercepted recently was only for the first couple of letters of the alphabet (Hotmail sample) and unknown distribution for the other cases, but it does suggest a massive number of potentially vulnerable accounts.
It is a remote possibility that these data sets have been leaked from within the mail providers, or it could just be a collation of historically leaked / scraped email accounts over many years. Given that at least some of the accounts are still active and operating under the same password (as checked by other agencies) it doesn't give much weight to that particular theory.
Analysis of the account details has shown that a standard dictionary attack against at least online mail services is still going to net a high number of compromised accounts. 60% of the exposed accounts were protected with nothing more than a string of numbers, or a string of purely lowercase alphabetic characters. Almost 70% of passwords were between 6 and 9 characters long (almost 90% between 6 and 12 characters) which also reduces the number of likely combinations required to try and gain access to an account. Surprisingly, of the sample studied, 90% of passwords were unique, with the most popular password (123456) only being used 64 times (around 1%). Other trends within the password distributions suggest that the accounts are the result of phishing attacks against spanish-speaking users.
While there is bad news for the users who had their accounts exposed, there is some good news regarding policing those who carry out these attacks. A two-year operation of the Egyptian and US authorities has seen 100 people arrested over a series of phishing scams that targeted US financial institutions and netted $1.5 million USD for the scammers. The net return per scammer may not seem like much, especially weighed against the resources that the authorities likely applied to the investigation and capturing them, but it sends a message that the authorities are willing to take real action against something people who scam others online.
12 October 2009
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.