Researcher contradicts phishing attacks on Gmail, Hotmail

By siliconindia   |   Thursday, 08 October 2009, 22:58 IST
Bangalore: The alleged phishing attacks on Hotmail and Gmail may not be true, as a researcher has contradicted the statements given out by Microsoft and Google on the passwords being exposed. Mary Landesman, a Senior Security Researcher at San Francisco-based ScanSafe, a web security provider, said it is more likely that the massive lists were harvested by botnets that infected PCs with keylogging or data-stealing Trojan horses, reports Computerworld.

Mary based her speculation on an accidental find in August of a cache of usernames and passwords, including those from Windows Live ID, the service that Microsoft offers users to access Hotmail, Messenger and other online services. That cache contained about 5,000 Windows Live ID username and password combinations, said Mary, who found the data while researching a new piece of malware.

"From the organization (of that cache) and what the data looked like in raw form, I think it is more likely that this latest attack was the result of keylogging or data theft, not phishing," Mary said. She dismissed the idea that the passwords had been collected in a large-scale, industry-wide phishing attack, as Microsoft and Google both maintained.

"Another indicator is the sheer number of compromised accounts," Mary said, referring to the two lists that have gone public. "Phishing is not generally a wildly successful scam, it does not have a big return. People are more informed about phishing than we give them credit for," she added. Instead, it is more logical to assume that the passwords were acquired by botnet operators, who hijack PCs using security exploits and later plant data-stealing malware on those machines.

Mary's theory contradicts not only Microsoft and Google, but also the Anti-Phishing Working Group (APWG), an association dedicated to fighting online identity theft. On Monday, the APWG's Chairman, Dave Jevans, said a phishing attack that garnered thousands of passwords was doable.

Also against the phishing explanation, argued Mary, is the fact that the second list - approximately 20,000 passwords - contained usernames from not just Hotmail, but also Gmail, Yahoo Mail, Comcast, EarthLink and others. "That makes the alleged phishing campaign a much broader attack across multiple services," she added.