Hacked web mail accounts used to send spam

While Websense has seen a rise in spam following the compromise of 30,000 web mail accounts, security experts are split over how the accounts were breached
Written by Carly Newman, Contributor

There has been a marked increase in the amount of spam emails being sent from Yahoo, Gmail and Hotmail accounts, according to analysts at Websense Security Labs.

Websense said on Thursday that personalised spam emails had been sent from the compromised accounts to all of each user's contacts. The emails contain links to fake shopping sites, intended to capture sensitive information from the reader.

Earlier this week, Microsoft acknowledged that 30,000 Hotmail accounts had been breached, and suggested the passwords for the accounts had been obtained in a phishing scam.

However, some security experts believe that the password breach cannot be attributed to phishing. Amichai Shulman, chief technology officer for security firm Imperva, told ZDNet UK on Friday that the information was likely to have been obtained through key logging.

"The quantity of people hit makes me think that it was key logging — the success rate for phishing is only about one in 1,000," said Shulman. "Secondly, when I went through the list of email account credentials, there were entries with the same username, but a slightly different password, which suggests that they're typos.

"I don't think people would keep falling for a phishing scam and entering their details, it looks more like people are making mistakes and the key-logging software is recording them," he said.

Mary Landesman, senior security consultant at ScanSafe, said in a blog post on Wednesday that a data-theft Trojan is likely to have been used. Many of the victims appeared to be taking reasonable precautions with the length and complexity of their passwords, she said.

In addition, there were errors throughout the list that appeared to be the result of improper extraction of data, Landesman suggested.

Patrick Runald, security research manager at Websense, said that as yet, there is no proof to suggest it was either a phishing or key-logging scam, although he suspected it could be both. He added that considering the number of compromised accounts, the attack is likely to date back months.

"We've been looking through our systems to try and locate an email that is credible enough to fool so many people, and so far we haven't found one," said Runald. "Generally phishing is declining and being replaced by key logging, and considering the number of compromised accounts, it could be a combination of both."

Runald urged users to change the passwords to their email accounts, and to any other accounts for which the same password might be used, on a six-monthly basis. Websense also encouraged people to check that websites are properly encrypted and that their addresses start with 'https', the secure version of hypertext transfer protocol.

Carole Theriault, senior security consultant at Sophos, said Sophos customers had experienced no significant increase in spam over the past four days. However, she said forum phishing attacks had taken place.

"Some of the most popular passwords that were posted were words like 'neopets', 'tigger' and 'princess' — words that children would use. So not only should parents change their account passwords, they should make sure their kids do, too," she said.
