Researcher refutes Microsoft's account of hijacked Hotmail passwords

Could botnets, keylogging be to blame for password leaks?

One researcher isn't buying Microsoft's and Google's explanation that hijacked Hotmail and Gmail passwords were obtained in a massive phishing attack.

Mary Landesman, a senior security researcher at San Francisco-based ScanSafe, said it's more likely that the massive lists -- which include approximately 30,000 credentials from Hotmail, Gmail, Yahoo Mail and other sources -- were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses.

Landesman based her speculation on an accidental find in August of a cache of usernames and passwords, including those from Windows Live ID, the umbrella log-on service that Microsoft offers users to access Hotmail, Messenger and a slew of other online services.

That cache contained about 5,000 Windows Live ID username/password combinations, said Landesman, who found the trove while researching a new piece of malware. "From the organization [of that cache] and what the data looked like in raw form, I think it's more likely that this latest was the result of keylogging or data theft, not phishing," Landesman said.

She dismissed the idea that the passwords had been collected in a large-scale, industry-wide phishing attack , as Microsoft and Google both maintained.

"Another indicator is the sheer number of compromised accounts," Landesman said, referring to the two lists that have gone public. "Phishing is not generally a wildly successful scam, it doesn't have a big return. People are more savvy about phishing than we give them credit for."

Instead, it's more logical to assume that the passwords were acquired by botnet operators, who hijack PCs using security exploits, then later plant data-stealing malware on those machines. "That s a much more realistic source," said Landesman. "Regardless [of] what the final intent is of a botnet, one of the core capabilities of every botnet is the harvesting of e-mail credentials. If it looks like a horse, it's a horse, it's not a zebra."

Landesman's theory contradicts not only Microsoft and Google, but also the Anti-Phishing Working Group (APWG), an industry association dedicated to fighting online identity theft. On Monday, the APWG's chairman, Dave Jevans said a phishing attack that garnered thousands of passwords was do-able. "It's not outside the realm of possibility," he said then.

Also against the phishing explanation, argued Landesman, is the fact that the second list -- approximately 20,000 passwords -- contained usernames from not just Hotmail, but also Gmail, Yahoo Mail, Comcast, EarthLink and others. "That makes [the purported phishing campaign] a much broader attack across multiple services."

Her first thought when she read about the compromised Hotmail accounts was of the cache of credentials she'd found two months before. "Those public lists reminded me of the lists I found," she said. "It was definitely not a complete list, but seemed to be an advertisement for what this [hacker] had to offer."

The hacker was either inexperienced, or none too bright: The data was not password-protected, which is the norm for credential caches.

Landesman's theory is not just an academic exercise, she maintained.

"Everyone who suspects that their account has been compromised should change their password," she said, repeating advice by Microsoft, Google and other security experts. "But if, after changing their password, they have another reoccurrence where they see their account being used to e-mail spam, or they again can't access their account, then they need to suspect that there's a local infection on their PC."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags hackersMicrosoftphishingGmailhotmailpasswordsWindows Live

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?