Phishing scam leaks laziest passwords

By siliconindia   |   Friday, 09 October 2009, 15:34 IST
Bangalore: It is still not clear how 20,000 passwords discovered on the web recently were stolen, but the finding reveals that '123456' was the password for about 64 hacked mail accounts, revealing the laziness of the users. In second place, '123456789' was used in 18 of the hacked accounts. Also, about 42 percent of the passwords used only lower case letters. Several lists of passwords from Hotmail, Gmail, Yahoo Mail and other accounts were discovered and reported earlier in the week.

While Microsoft, Google and Yahoo are putting the blame on phishing, a researcher at ScanSafe thinks password-stealing malware on computers could be the reason, which would mean that more than just the email accounts had been compromised, reports CNET. The mistakes were pointed out on the Acunetix blog by Security Researcher Bogdan Calin.

While the report shows that some people are not exercising caution in securing their e-mail accounts, other statistics reveal that many people are putting more thought into it. About 30 percent used a combination of upper and lower case letters and numbers, while 22 percent of the passwords used six characters, 14 percent used seven, 21 percent used eight and 12 percent used nine characters. One email account even had a password 30 characters long.

"My impression is that these passwords have been gathered using phishing kits. Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail Live web site. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong," wrote Calin on the blog.
Mary Landesman, Senior Security Researcher at ScanSafe, states that the passwords were obtained by a data-stealing Trojan horse and not by phishing. Among her other reasons is that the same usernames also appeared multiple times with the same password except for a slightly different spelling. She also stated that the '@' separating the username from the account is not always present, which could indicate that the data was assembled from a form or was extracted from a larger set of data.

"The passwords can be compromised in multiple ways, so it's a good idea to take several steps to help protect your personal information. Select unique passwords, especially on your most important web sites, and use antivirus software to help detect software that may try to steal your password," said a spokesperson from Google.
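The kind of triage Calin and Landesman describe (most common passwords, share of lower-case-only passwords, length distribution, and the telltale repeated entries that differ only in capitalization or lack an '@') can be reproduced over a credential dump with a short script. The following is an added example written for this page, not code from Acunetix or ScanSafe; the `user:password` lines it analyses are constructed, invented values, not data from the leak.

```python
import re
from collections import Counter

# Constructed sample in a "user:password" dump shape; every value is invented.
SAMPLE = """alice@example.com:123456
bob@example.com:123456789
carol@example.com:123456
dave@example.com:sunshine
dave@example.com:Sunshine
erin@example.com:Tr0ub4dor&3
frank@example.com:qwerty
frankk@example.com:qwerty
grace:correcthorsebatterystaple""".splitlines()

def parse(lines):
    """Split each line on the first ':' into (username, password); skip malformed lines."""
    return [tuple(line.split(":", 1)) for line in lines if ":" in line]

def top_passwords(entries, n=2):
    """Most frequently used passwords, the '123456' style finding."""
    return Counter(pw for _, pw in entries).most_common(n)

def charset_share(entries):
    """Share of lower-case-only passwords and of passwords mixing case and digits."""
    total = len(entries)
    lower_only = sum(1 for _, pw in entries if re.fullmatch(r"[a-z]+", pw))
    mixed = sum(1 for _, pw in entries
                if re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
                and re.search(r"\d", pw))
    return {"lower_only": lower_only / total, "mixed": mixed / total}

def length_histogram(entries):
    """Password length -> number of passwords with that length."""
    return dict(sorted(Counter(len(pw) for _, pw in entries).items()))

def phishing_kit_signals(entries):
    """Heuristics from the article: a user whose repeated entries differ only in
    capitalization (retries against a kit that always reports an error), and
    usernames with no '@' (data possibly reassembled from a form or larger set)."""
    by_user = {}
    for user, pw in entries:
        by_user.setdefault(user, []).append(pw)
    retries = [u for u, pws in by_user.items()
               if len({p.lower() for p in pws}) < len(pws)]
    no_at = [u for u in by_user if "@" not in u]
    return {"case_variant_retries": retries, "missing_at": no_at}

ENTRIES = parse(SAMPLE)
```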