Could key-logging be behind webmail attack?

Key-logging malware could be behind the recent webmail attack that saw thousands of email addresses and their associated passwords leaked online, according to one security expert. Amichai Shulman, from security firm Imperva, believes that the size of the scam shows that it is not a phishing attack.

According to Mr Shulman, the majority of people do not fall for phishing attacks, with only one person falling for such an email in every 1000 sent.

"The vast majority of people do not fall prey to phishing attacks and the success rates are around one per 1,000," he told the BBC. "The fact that even one of these lists contained 10,000 names suggests to me that it was a key-logging scam."

Once downloaded from an infected website, a key-logger will record every keystroke made, which can include login details for webmail services, social networking sites or online bank accounts. Key-loggers can be downloaded automatically, but in most cases the user is tricked into downloading the malware under the guise of a free anti-virus or performance-improving program - something that can even occur on trusted websites.

Just last month, the New York Times fell victim to a so-called "malvertising" attack, when it inadvertently displayed an advert telling people they had a virus, before prompting them to download the malware under the guise of "anti-virus" software - an ever-increasing problem on an advert-filled Internet.

If you are concerned about phishing scams, please read our anatomy of a phishing scam to better protect yourself in future.


26 Comments


Totally FWIW, I could see how/why it matters to Shulman in his capacity as a security pro, but announcing publicly that he thinks it was a key logger vs. phishing might well be just a PR move to get him more notice, & of course, more business. I mean, the average user is & rightfully should be more concerned about whether their accounts were compromised or not, rather than how the scammer pulled it off... that'll come later I'm sure. In the meantime Shulman's name is bouncing around on-line, getting exposure.

Again FWIW, I would think compromised systems would be more valuable if they stayed compromised.... With no idea why partial lists were posted in the 1st place -- whether it was a sample that got ripped or what -- it makes more sense if the source was phishing, since once the whistle was blown the scam's over. If whoever got into a 3rd party's servers, or perhaps 100s of thousands of PCs/laptops, why give up a working & potentially still valuable resource?

However the story ends, if all these systems were actually compromised, the big A/V companies will have a free fix advertised to gain new business. If it was phishing that nabbed individual users, Microsoft or some other companies will surely make a big deal of it, with advice to consumers used for PR. Only if it was a 3rd party site that got nailed (or someone working for them) would I expect things to stay quiet -- save of course for a horror story to be told to prospective clients by folks like Shulman. ;-)

(Note the following comment is based on how PCs are sold in the US)
No offense meriam, but if you think most people now use AV software you are freakin in a dream. The majority of users that get nailed with this type of attack, be it key logger or phishing, are n00bs. These are also the same people that buy a PC from Dell, HP, etc. and take it as is. They use the 90 or 120 day AV trial that comes with the machine, then at the end of the trial, because in most cases the only thing they see is their little icon next to the clock go from green to yellow or red, keep going about their day and never bother to look that the trial is expired. So you have people with expired trials, with no clue how to download actual software (even the free stuff from Avast, MS or others) and who will click on every "help me get my millions out of Africa", "check out my new video", "look at (insert famous person name here) naked", and get infected. I make my living going from call to call to clean up after these n00bs (and I do make a pretty penny from it), and 99.9% of the time (average 10 virus calls per week at $150 per call), it is someone using an expired trial or, the ones I love even better, using a Norton or McAfee version from 2000 with definitions from 2000 (2001 when I'm lucky). And when I ask, I get the same response 100% of the time: well, doesn't it just do what it needs by just being installed? So you are so wrong if you think that everyone uses AV with current updates.

So, lets see...
This expert is claiming that only 1/1000 fall victim to a phishing scam.
There are 10,000 emails listed. So in order for a phishing scam to get that many email accounts, it would have to hit 10,000,000 inboxes.

10,000,000 inboxes doesn't seem unreasonable to me.

Plus, everyone knows that Keyloggers only go after WoW accounts.

I'm sorry but anybody stupid enough to click "Yes Please" on a software installation popup they did not specifically request deserves to have all their personal information (and money for that matter) stolen.

Amount of spam...

2007 - (June) 100 billion per day

More than 97% of all e-mails sent over the net are unwanted, according to a Microsoft security report.

http://en.wikipedia.org/wiki/E-mail_spam#S...s_and_estimates

Granted, not all spam is directed at getting your email passwords, but the sheer amount of spam and number of email users does not make 10,000 a very big number. Also, I haven't seen any discussion on just how old or new this list is.

1 per 1000 users falling for spam, with millions upon millions of users, it's not far-fetched for the figures to add up without key-logging software being the culprit.

I just think lamers ignored the countless warnings about opening emails and entering details.

Your bank (any bank) and MS do NOT send you emails to enter your details.

Neither does Neowin.

It was probably that antivirus ad on and blah blah security software for free.

I wonder if one could sue google for allowing such ads.

Is Mr Shulman an idiot?
I'm sure they didn't sit for hours checking 20k's worth of keylogging data, and I'm sure they didn't only get Hotmail data from it. If this is how they got the data, which I'm sure they didn't.

Most ppl now use AVs, updated regularly, which means a key-logger needs to be 100% stealth, which can be achieved, but won't survive long enough to get that many accounts. The weakest part of the security chain is the human being. A phishing scam is all it is, IMO.

tachikoma1373 said,
Sorry to burst your bubble but you are greatly mistaken in your assertion that AV is that good. For example see: http://www.cyveillance.com/web/docs/WP_Cyb...tel_H1_2009.pdf

Don't get me wrong, AV is essential, but don't be lulled into a false sense of security.

Please, re-read my comment. I said that a 100% stealth malware can be coded, "but" won't stay stealth for a long time. Unless it's an AMT rootkit lol

Unless you speak Spanish there's no need to worry. I was looking at 2 different lists and they're made up almost entirely of usernames and passwords that contain things like "roberto", "antonio", and "luiza".

You are completely right. I live in South America and every week I receive several emails from people who go to these sites to check who has blocked them from Messenger; every time someone checks, an invitation to use this "service" is sent to everyone in their contact list. Obviously, to check who blocked you, you must enter your email and password... it's the dumbest thing ever, people suck.

So you reckon they went through tens of thousands of keylogger records to get these usernames and passwords?

Not that hard I suppose; all you need to search for is something@something.*** and the next keys will probably be the password.

OMFG DO YOU THINK IT COULD BE KEY LOGGING?!?!?!?!

I always thought passwords magically get stolen by wishes and dreams.

Ridlas said,
I always thought passwords magically get stolen by wishes and dreams.

Uh, no. The passwords were given thru prayers. It was a gift from God.

Ridlas said,
OMFG DO YOU THINK IT COULD BE KEY LOGGING?!?!?!?!

I always thought passwords magically get stolen by wishes and dreams.

The question was 'Was it keylogging or phishing?'. Phishing is not the same as keylogging so don't troll.

Ridlas said,
I'm not trolling.

It's called "sarcasm".

So basically you don't think it was keylogging? If you do think it was probably keylogging, I wonder if you really know what sarcasm is.

Ridlas said,
I'm not trolling.

It's called "sarcasm".

It would be sarcasm if the only option were keylogging. It could be phishing as well, so his sarcasm is invalid.

Ouch! That's a lot of data for them to have.
If it was a keylogger, and your email address is on that list, call your C/C company right away. Also get some new spyware removal and anti-virus software.
I'd change any passwords you've ever used on that computer, whether it be Facebook, PayPal, online banking or otherwise.