Email phishing attack spreads to Gmail and Yahoo

Microsoft confirmed yesterday evening that the popular web email service, Hotmail, had been targeted by malicious fraudsters in what is commonly referred to as a phishing scam, tricking users into revealing their credentials at fake websites.

Neowin can today reveal that more lists are circulating with genuine account information and that over 20,000 accounts have now been compromised. Non-Hotmail Passport accounts have been affected too. A new list contains email accounts for Gmail, Yahoo, Comcast, Earthlink and other popular third-party webmail services. It's not clear whether this is login information for the email services themselves or the Microsoft Passport passwords associated with those addresses.

Microsoft confirmed Neowin's exclusive report yesterday evening and issued a statement on a company blog:

"Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."

It's clear the lists are the result of a phishing scam, and some commenters at Neowin suggest they could be the result of unwitting users entering their credentials at sites that claim to reveal who has blocked you on the popular instant messaging client Windows Live Messenger.

Neowin has once again reported the new lists to Microsoft's Security Response Center and can confirm that the lists originated from pastebin.com, a site commonly used by developers to share code snippets. Pastebin owner Paul Dixon confirmed that the site was down for maintenance due to "an unprecedented amount of traffic" after our initial reports. Dixon stated "Pastebin.com is just a fun side project for me, and today it's not fun. It will remain offline all day while I make some further modifications."

Update: The phishing attack has spread to Google Mail and Yahoo Mail, amongst others; we're currently awaiting full confirmation of the number of accounts affected at each service. BBC News is reporting that Google has confirmed the phishing attack.

If you are concerned about phishing scams, please read our anatomy of a phishing scam to better protect yourself in future.


I am from Sokobanja and I saw that local sites are using fake forms for phishing, like fake forms for entering personal data and so on. Personally, I don't like either the Facebook contact import from Ymail, Gmail or other stuff like that.

Amazing how easily some fall for these scams. I guess I was lucky to grow up being taught to be suspicious of everything on the internet. Kept me virus and scam free for 15 years.

Just out of curiosity (if anybody knows), do any of the following extensions apply:
@att.net
@sbcglobal.net
(above both part of Yahoo)

And:
@mac.com
@me.com

Just curious if anybody knows. And I really hope people will be mature and avoid making comments about using .Mac.

Tanshin said,
Just out of curiosity (if anybody knows), do any of the following extensions apply:
@att.net
@sbcglobal.net
(above both part of Yahoo)

And:
@mac.com
@me.com

Just curious if anybody knows. And I really hope people will be mature and avoid making comments about using .Mac.


@Tanshin: There are 6 @att.net emails, 260 @sbcglobal.net, 15 @mac.com, and 4 @me.com.

Rafael said,

@Tanshin: There are 6 @att.net emails, 260 @sbcglobal.net, 15 @mac.com, and 4 @me.com.

I take it I don't really have to worry about it then.

I created http://wasiphished.com. I thought the link in the footer would be obvious, but apparently not, because a bunch of idiots here are claiming it's fake. The site merely looks up your email address in the list that's floating around the internet plus another list I stumbled upon at Scribd.

My Gmail account was compromised but that didn't appear on your list. I find it very VERY unlikely that I would have fallen for any phishing scam as I have all the necessary protection and a brain.

idczar said,
well it's pretty much common sense.. don't fall for phishing sites.. =/

Sometimes the site name difference is so small your brain doesn't even see it. At least that's what got me on a fake Rapidshare site. I felt like such an idiot. So then after that is when I put in place OpenDNS and WOT. But I still inspect the URL hard core from now on.

warwagon said,
Sometimes the site name difference is so small your brain doesn't even see it. At least that's what got me on a fake Rapidshare site. I felt like such an idiot. So then after that is when I put in place OpenDNS and WOT. But I still inspect the URL hard core from now on.

+10 - I see an arrogance on Neowin quite regularly, but the brain can be easily fooled. Because we're human, we're not immune to mistakes. One therefore cannot be immune to computer viruses simply because you are part of a minority of well-above-average computer literate people.

Has it been confirmed that they are actually the email account passwords and not just the Microsoft Passport passwords?
Because I can register my Gmail, Yahoo or whatever address I want as a MS Passport account.

oh I can see this now, sites popping up saying "check if your email is affected... enter username and password in the box below"..... and people would fall for it.....

Why don't you ask them (coucoo.com)?

awesum22, I'm watching these scenes and no cc information has leaked out so far!

I could reply to your private mail, certainly not here. I've seen at least 3 pages with cc details. Dunno if they are *correct*, but the ongoing drama with regards to emails makes me believe they are!

I am one of those whose (yahoo) email accounts was abused this weekend. A Chinese electronics retailer, Coucoo.com, somehow used my account to send an email as if from me recommending their site, to everyone on my address list. Others have described the same email. I am neither stupid nor naive. I can spot a phishing email a mile off. I delete emails without opening them if I don't recognise the sender - I have missed one or two pleasant invitations as a result. To my knowledge I have never entered my details on a dodgy website. I have done a huge amount of online shopping over the years, but the goods I've bought have always arrived, so I guess the sites I used must have been bona fide. My partner is a software whizz and is as puzzled as I am about how this has happened. He has checked my computer for malware - none was found. The strange thing about the emails sent from my account was that they were sent in batches of 10, whereas my contacts are organised in batches of 25: so it looks as if my account was infiltrated by some software rather than someone sitting down with my password. Maybe someone should contact coucoo.com and ask them how they did it.

Aggggggggggghhhh!!! This got me too!
I doubt it was any kind of phishing scam as I wouldn't have fallen for it.

From midnight on 7 October 2009, people in my GMAIL address book were all sent the following message in batches of 10:

"Subject: Hello!
How are you recently?
I bought a laptop from a website: www.coucoo.com last week. I have
got the product. Its quality is very good and the price is
competitive. They also sell phones, TV, psp, motor and so on. By the
way, they import product from Korea and sell new and original
products. They have good reputation and have many good feedbacks. If
you need these products, look at this website will be a clever choice.
I am sure you will get many surprise and benefits.
Greetings!"

What am I supposed to do about it? I have changed my password but is there some other danger lurking somewhere?

This is why I would recommend everyone install and use both OpenDNS and Web of Trust. Both will help you identify when you land on a phishing site.

True. WOT helps a lot. I've installed it in all of my family's and friends' browsers so they won't get duped into visiting untrusted sites.

Why is this still in the news?
There is NOTHING new about this. 10,000 stolen hotmail and yahoo accounts is nothing new at all, it happens weekly. Neowin has just caused some weird hysteria over something that has always been. Build a bridge and get over it, there is nothing to report here.

So will those people who said they will quit using Hotmail in the other article now quit using these? Even though it's a phishing attack and not an attack on the service itself?

I changed my passwords either way, I was long overdue for doing so anyway.

Hotmail's accounts & passwords were leaked.

Is it déjà vu?

As far as I can remember, it is not the first time that this has happened.


Magallanes said,
Hotmail's accounts & passwords were leaked.

Is it déjà vu?

As far as I can remember, it is not the first time that this has happened.

Good thing we're not relying on your poor memory.

Where are all the people that have been phished? Why are we not getting reports of how this happened to them, just speculation. Yes it could be one of those "who has blocked me" sites, it could be one of those "get free MS Points" sites, could be lockerz.com, could be any site really, but why is nobody coming forward with details?

Do you trust putting your details into another site to see if you have been phished? Even if you do have the common sense to change your password before doing so, is your email address just being harvested for spammers?

Correct, and maybe most of the addresses harvested, I'd guess, were children / young adults with a curiosity who fell victim. I was gonna make a fake account with another friend also on a fake account and try it, but never got around to it.

Well darn.... my post on CNET was right!
I said if this was a phishing scam, whoever posted it probably pulled this from a database, meaning it was easy to sort out @live, @hotmail @live.uk, @msn and make it appear to be a breach, but in reality even @gmail or @anyisp could be affected and people not aware!

Correct, if you don't stick your details into anything else other than Hotmail, Messenger and Microsoft, you should be OK.

If you're smarter than the 20k plus idiots who have tried the ("are you blocked on MSN" sites), you're fine.

It covers any account that you've been stupid enough to type into a phishing website. It doesn't differentiate between different providers. However, Hotmail has been targeted the most because there are more phishing sites based around Hotmail addresses (i.e. "See who has blocked you on Windows Live...").

If you haven't given away any of your information, you don't need to worry.

Just remember though that the password they have is the one associated with your Live ID, that is not necessarily the same as your Yahoo/Gmail email password. So while the scammers may be able to log into your Live ID, if the password on the actual email account you used is different, they won't have access to that.

The leaked passwords are still online and very much alive; most are in fact working! Shutting down "pastebin.com" won't help either, the passes are on **.pastebin.** domains and not on the .com domain. Google cache will make it even more difficult to remove anything that's already leaked :-S

I run pastebin.com, and since this is the primary site referenced in the story, removing the posts is just the *right thing to do*. Google does not cache pastebin.com posts either.

I've taken the site offline as the traffic was so high I couldn't efficiently perform a cleanup. It will be back up in a few hours hopefully - I have a day job to attend to too!

joker999 said,
True, but I only see 10,000 (ar* to az*)

I've seen account names starting with almost all 26 letters of the English alphabet and *trust me they are working*, hence more than the reported 10k accounts must have been compromised. It is even possible to take over Facebook, Twitter or other accounts using the details available! It will then wreak havoc. Sigh

btw http://aspvbr.wooh-im-blocked.com/ seems to be the source. Cannot confirm, but 'tis definitely one of them

Paul Dixon said,
I run pastebin.com, and since this is the primary site referenced in the story, removing the posts is just the *right thing to do*. Google does not cache pastebin.com posts either

I found pages of leaked emails using Google caches. They have been removed from Pastebin; however, they are alive on the planet. A crafted Google search will reveal tons of offending pages

awesum22 said,
I've seen account names starting with almost all 26 letters of the English alphabet and *trust me they are working*, hence more than the reported 10k accounts must have been compromised. It is even possible to take over Facebook, Twitter or other accounts using the details available! It will then wreak havoc. Sigh

btw http://aspvbr.wooh-im-blocked.com/ seems to be the source. Cannot confirm, but 'tis definitely one of them

Luckily Firefox detects that that site is known for phishing and tells me before I get to it! Firefox wins again!

Site reported for phishing... wonder how long it takes for IE to warn others. Or for Microsoft to shut it, or whatever action they take against sites like this

Check this website to see if you've been compromised: www.honestdaveshotmailscam.co.lol

Just enter your email address and password and we'll check to see if it's on our list, I mean, the list.

Agreed, it would be nice if there was a proper explanation of the attack, whether it was from people entering their details or just someone getting everyone's passwords...

HappyAndyK said,
Check if YOUR Hotmail email id credentials were snatched : http://wasiphished.com/

Wasiphished.com

Name Servers:
ns1235.hostgator.com
ns1236.hostgator.com

Creation date: 06 Oct 2009 00:31:06
Expiration date: 06 Oct 2010 00:31:06

meh, just don't publish your email on it.

It does work - I tried my email address and it wasn't found, so I then tried something like chris@hotmail.com, an email address which people are likely to type in to see if the blocker checker thing works, and it was on the list.

Not likely, but change your password just in case.
(We can't guarantee our list is 100% accurate.) ...... oh, and thanks for supplying your email to us, it's now been added to spam sites, here's some emails on our behalf.

but oh wait, they forgot to add that bit..

The supposed creator of that tool is also a member here; if he can vouch for it on this news story then it should be fine.

Magallanes said,
Wasiphished.com

Name Servers:
ns1235.hostgator.com
ns1236.hostgator.com

Creation date: 06 Oct 2009 00:31:06
Expiration date: 06 Oct 2010 00:31:06

meh, just don't publish your email on it.


Yes, Hostgator hosts the site that I created last night. Great detective work.

Gothic_Rebel said,
"Not likely, but change your password just in case."

What are you on about? It says "Very likely. Seek immediate help." I've seen the list anyway.. that email is on it.

Rafael said,
Yes, Hostgator hosts the site that I created last night. Great detective work.

Lol, I was thinking the same thing.

Please MENTION CLEARLY that this thing was not leaked by someone who hacked Microsoft.
It is from msn-block.com, NOT by exploiting Microsoft.
Here is a comment from the original source which reported this scam (which was written on October 2nd): http://blog.nirsoft.net/2009/08/29/msn-blo...al/#comment-597
I saw that list btw, and I think that Microsoft must find a way to help those hacked people, they MUST find a way.
If you think you got hacked too, you can verify by googling your email, in the format email:pass, and you will see if you are in the list (this list is really spread now almost everywhere).

You say the article must be clear that there is no Microsoft exploit, yet you continue to call it a "hack". There is no hacking involved.

If I called you on the phone and asked for your hotmail account details, and you gave them to me, would that be hacking? No of course not, and neither is this.

the popular web email service, Hotmail, had been targeted by malicious fraudsters in what is commonly referred to as a phishing scam, tricking users into revealing their credentials at fake websites

How the hell is that not clear enough? Its even in the damn title!

kInG aLeXo said,
verify by googling your email, in the format email:pass and you will see if you are in the list (this list is really spread now almost everywhere)

Really? That just adds the info to Google's DB and puts it in various history lists. Doesn't sound very sensible to me.

kInG aLeXo said,
Now you can use http://wasiphished.com/
It works, I checked it with some of the emails in the list and it detected them, it is not fake.


Yes it is, no matter what you put in, it comes back with the same answer!
Try it, type something random as long as it has an @live or hotmail or msn,
it will say the same thing. I tried it with an uncompleted email, e.g. whataloadof*******crapthisis@live without the .com, and again same answer!!

It doesn't work, it's not checking any list at all

Gothic_Rebel said,


Yes it is, no matter what you put in, it comes back with the same answer!
Try it, type something random as long as it has an @live or hotmail or msn,
it will say the same thing. I tried it with an uncompleted email, e.g. whataloadof*******crapthisis@live without the .com, and again same answer!!

It doesn't work, it's not checking any list at all


What makes you think that a random non-existent email address will be phished?

Wow a lot of people checked to see who's blocking them... :P

In all seriousness this is quite worrying the amount of people that are losing passwords over these phishing scams :\

Also, Pastebin is now down with this message posted:

"Down for maintenance - 6th Oct 2009
Pastebin.com is getting an unprecedented amount of traffic due to a news story in which some leaked Hotmail passwords have been pasted on this site

Pastebin.com was intended as a tool to aid software developers, not for distributing this sort of material. Filters have been put in place to prevent reoccurrence, but the current traffic level is unsustainable.

Pastebin.com is just a fun side project for me, and today it's not fun. It will remain offline all day while I make some further modifications

Paul Dixon"

Poor guy. I guess loads of people have got the wrong end of the stick and assumed it's a site specifically for this sort of thing...

Nick Brunt said,
Poor guy. I guess loads of people have got the wrong end of the stick and assumed it's a site specifically for this sort of thing...

Yeah, it's understandable he shut it down; I would, rather than pay high bandwidth costs.

Nick Brunt said,
Poor guy. I guess loads of people have got the wrong end of the stick and assumed it's a site specifically for this sort of thing...

This is true, your average idiot will go to the site, see various code snippets and panic.

I'm not changing my password... I didn't fall for any phishing scam so...
Plus I never give away my password in any database.

btw my passwords are 12345678 , asdfghj and the last one qwertyuio

It's still good practice to change your passwords regularly. I change mine on my most frequently visited sites at least once a year, and try to make it once every 6 months.

We've seen the list here at Neowin HQ and can confirm the accounts listed appear to be genuine and number over 20,000.

Is the list likely to be released publicly? I and half of other people would like to know if they are a victim. :-(

All people need is the list of compromised email addresses (WITHOUT passwords), to know if they fell victim to this phishing attack. Where is a list like this available to people?

The only problem with releasing a list of all the email addresses is that everyone on the list will instantly start receiving 2,000,000 spam emails every day...

Fair enough, but can't they be edited in a fashion to foil spambots? You know...my email at gmail dot com. It's as simple as search and replace...no script required.

Or, hell, why not just email them all with a simple "hey, this is Neowin, your email came up on our list of potentially phished accounts, you might want to look into changing your passwords"?

Just as simply as search and replace, a spammer could make a script to re-create all the email addresses. If we used a hash like the Blue Frog anti-spam system used, you could "challenge" the list with your email address and see if you get a hash match.

But you should change your passwords anyhow

What about script where you input your email and it checks it against the list. (I suppose it could be used to harvest addresses for spam though)
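The two comments above (publishing a hashed list so people can "challenge" it, and a lookup script that might itself harvest addresses) describe one mechanism. The added example below is not from Neowin, any commenter, or any real checking site: it builds a publishable list of salted address hashes from a constructed "email:pass" dump, never publishing the passwords, and shows a purely local check plus a prefix-bucket query in which a server only ever sees a short hash prefix. The salt value and the dump lines are constructed sample data.

```python
"""Hashed compromised-address list: publish hashes, check without exposing addresses.

Added example (not the article's or any commenter's code). Constructed sample data only.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample in the email:pass shape mentioned in the thread. Not the leaked list.
LEAKED_DUMP = """\
Alice.Smith@hotmail.com:hunter2
bob@live.co.uk:password1
carol@gmail.com:qwerty
dave@sbcglobal.net:letmein
"""

# Per-list salt, published alongside the hash list so users can recompute hashes.
# Caveat: it defeats precomputed tables and bulk recovery of unknown addresses, but
# anyone who already holds a specific address can still test whether it is listed.
LIST_SALT = b"constructed-salt-2009-10-06"


def normalize(address: str) -> str:
    # Trim whitespace and lower-case so "Alice@Hotmail.com" and "alice@hotmail.com" match.
    return address.strip().lower()


def address_hash(address: str, salt: bytes = LIST_SALT) -> str:
    # HMAC-SHA256 keyed with the list salt; only the normalized address is hashed.
    return hmac.new(salt, normalize(address).encode("utf-8"), hashlib.sha256).hexdigest()


def build_published_list(dump: str) -> List[str]:
    """Turn an email:pass dump into a sorted list of address hashes; passwords are dropped."""
    hashes = set()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        addr, _password = line.split(":", 1)  # the password never leaves this function
        hashes.add(address_hash(addr))
    return sorted(hashes)


def check_locally(address: str, published: List[str]) -> bool:
    """Client-side check: hash your own address and look it up; nothing is sent anywhere."""
    return address_hash(address) in set(published)


def bucket_by_prefix(published: List[str], prefix_len: int = 5) -> Dict[str, List[str]]:
    """Server-side index keyed by the first prefix_len hex chars of each hash."""
    buckets: Dict[str, List[str]] = {}
    for h in published:
        buckets.setdefault(h[:prefix_len], []).append(h)
    return buckets


def server_lookup(buckets: Dict[str, List[str]], prefix: str) -> List[str]:
    """What the server answers: every hash sharing the prefix. It never sees the full hash."""
    return list(buckets.get(prefix, []))


def check_via_prefix(address: str, buckets: Dict[str, List[str]], prefix_len: int = 5) -> bool:
    """Client sends only a hash prefix, then finishes the comparison locally."""
    h = address_hash(address)
    return h in server_lookup(buckets, h[:prefix_len])
```

With a real list the bucket size, not the address, is what the server learns; the prefix length trades lookup privacy against response size.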

SH3K0 said,
Is the list likely to be released publicly? I and half of other people would like to know if they are a victim. :-(

The internet *is* public..