SAN FRANCISCO — Google and Yahoo! on Tuesday joined a growing roster of Web-based email service providers with users duped by hackers into betraying passwords to accounts.
A day after Microsoft blocked access to thousands of Hotmail accounts in response to hackers plundering password information and posting it online, the list of victims was growing to include users of an array of email services.
"We recently became aware of a phishing scheme through which hackers gained user credentials for Web-based mail accounts including a small number of Gmail accounts," Google said in response to an AFP inquiry.
"As soon as we learned of the attack, we forced password resets on the affected accounts. We will continue to force password resets on additional accounts if we become aware of them."
Cyber-crooks evidently used "phishing" tactics to trick users of free Web-based email services into revealing account and access information.
"We are aware that a limited number of Yahoo! IDs may have been made public," Yahoo! said in a statement to AFP. "Online scams and phishing attacks are an ongoing and industry-wide issue."
Time Warner subsidiary AOL, in response to an AFP inquiry, said it is "closely monitoring the situation."
"Our guidance to users is to keep your wits about you: do not click on live links, or insert any details into input fields in emails, pop-ups or Web pages if you are not sure where they come from."
Microsoft said Monday that it learned of the latest problem during the weekend after Hotmail account information of "several thousand" users, many of them reportedly in Europe, was posted at a website.
The unconfirmed list of Hotmail accounts compromised by "phishing" has grown into the tens of thousands.
"We are aware that some Windows Live Hotmail customers' credentials were acquired illegally by a phishing scheme and exposed on a website," Microsoft said. "We have taken measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts."
Phishing is an Internet bane and involves using what hackers refer to as "social engineering" to trick people into revealing information online or downloading malicious software onto computers.
Phishing tactics include sending people tainted email attachments that promise enticing content such as sexy photos of celebrities and luring people to bogus log-in pages that are convincing replicas of legitimate websites.
Microsoft, Google, and Yahoo! stressed that hackers did not breach their databases, but rather email users were conned into revealing information.
"Phishing is an industry-wide problem... exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and install and regularly update anti-virus software," Microsoft said.
Google advises Gmail users not to "click through" on warnings browsers may raise about certificates and not to sign in at Web addresses that don't start with google.com/accounts.
Web-based email users who suspect their accounts have been compromised should change passwords and check to make certain any secondary email or texting options in accounts have not been changed.
"We encourage users to be very careful when asked to share their personal information," Google said.
The email service providers urged people to visit pages at their websites with advice and tools for protecting accounts.
AFP
Tuesday, October 6, 2009
Thursday, October 1, 2009
Hackers Breach Payroll Giant, Target Customers
Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm's customers in a scheme to steal passwords and other information.
Moorestown, N.J.-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations.
Last Wednesday, a number of PayChoice customers received an e-mail warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com, the portal for PayChoice's online payroll service. The supposed plug-in was instead malicious software designed to steal the victim's user names and passwords.
Unlike typical so-called "phishing" scams -- which are sent indiscriminately to large numbers of people in the hopes that some percentage of recipients are customers of the targeted institution -- this attack addressed PayChoice customers by name in the body of the message. The missives also included reference to each recipient's onlineemployer.com user name and a portion of his or her password for the site.
In a statement e-mailed to Security Fix, PayChoice said the company discovered on Sept. 23 that its online systems had been breached. The company said it immediately shut down the onlineemployer.com site and instituted fresh security measures to protect client information, such as requiring users to change their passwords.
"We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve," said PayChoice Chief Executive Robert Digby.
Several PayChoice customers who received the initial scam e-mails shared with Security Fix follow-up correspondence sent by PayChoice to its customers in the wake of the attack.
A Sept. 28 e-mail states: "Our analysis has indicated that the email addresses, Login ID and some valid partial passwords were included in the emails sent to some registered users."
According to the PayChoice e-mails to customers, the fraudulent missives were sent via the free Yahoo! Web mail service -- and directed recipients to either download a malicious file or visit one of several Web sites that were hosted on servers located in Poland. PayChoice told customers that the malware sites linked to in the messages tried to exploit several Web browser security flaws that would enable them to install malicious software, including vulnerabilities in Microsoft's Internet Explorer Web browser and security holes in Adobe Flash and Adobe Reader software applications.
If successful, PayChoice said, the malicious sites downloaded a Trojan horse program called TrojanDownloader:Win32/Bredolab.X, which according to Microsoft is a malware program that tries to download additional malicious files and disable security software on the infected PC.
According to Steve Friedl, a blogger and security expert who writes the Unixwiz blog and who had several customers who received the malicious e-mails, the malware used in the attack is poorly detected by most anti-virus products on the market today: As of last Thursday afternoon, more than a day after the attack began, Friedl said, the malware was detected by just five of the 41 commercial and retail anti-virus scanners in use at virustotal.com (full disclosure: Friedl also consults for a competitor of PayChoice, called Evolution Payroll).
Mike LaPilla, manager of malicious code operations for iDefense, a security firm owned by Mountain View, Calif.-based Verisign Inc., said attacks like the one against PayChoice's customers typically are designed to steal the online banking credentials for individuals that manage corporate payroll accounts.
"In these kinds of attacks, there's a high probability that the fake e-mails will go to someone who has access to their employer's commercial bank account online," LaPilla said.
Washington Post