Friday, October 30, 2009
Keyloggers Could Be Responsible for Leaked Webmail Credentials
A security researcher rebuts Microsoft and Google's claims that a massive industry-wide phishing operation was responsible for stealing the recently leaked webmail credentials. New arguments point to the discovered lists being the work of keyloggers.
A few days ago, Microsoft confirmed the authenticity of a list containing over 10,000 Hotmail usernames and passwords, which was discovered in plain sight on Pastebin. A Windows Live Hotmail team member noted that the document is likely the result of a phishing attack, a theory reinforced by the findings of Acunetix's Chief Technology Officer, who analyzed the leaked data.
A second list was discovered by BBC News reporters and contained similar data pertaining to Gmail, Yahoo! Mail and AOL accounts, as well as mailboxes provided by several ISPs. A Google spokesperson noted that the company independently found a third list and also invoked the same attack scenario.
However, the phishing theory doesn't sit well with Mary Landesman, a senior security researcher at Web security company ScanSafe, who argues that some form of malware with keylogging capabilities is the more likely culprit. "I believe a data theft trojan might have been involved," she says.
Ms. Landesman notes that ScanSafe researchers came across a cache of stolen credentials gathered by such a trojan a few months ago. "The stolen data was organized by the victim's Windows Live ID (where applicable), followed by usernames and passwords (and the URL) for secure websites the victims visited. This was listed by browser type (either Firefox or Internet Explorer) and included any FTP usernames and passwords," she explains and goes on to speculate that the Hotmail list might have been extracted from such a master document.
The leaked document contains only usernames beginning with A and B, suggesting that it is just a sample, probably used by the attacker to advertise the full list for sale to spammers. The security researchers have found several such signs that are not consistent with a phishing scheme.
Source: SoftPedia