Keyloggers Could Be Responsible for Leaked Webmail Credentials

More likely than phishing, argues security researcher

By Lucian Constantin, Web News Editor

8th of October 2009

A security researcher rebuts Microsoft's and Google's claims that a massive, industry-wide phishing operation was behind the recently leaked webmail credentials. New arguments point instead to the discovered lists being the work of keyloggers.

A few days ago, Microsoft confirmed the authenticity of a list containing over 10,000 Hotmail usernames and passwords, which was discovered in plain sight on Pastebin. A Windows Live Hotmail team member noted that the document is likely the result of a phishing attack, a theory reinforced by the findings of Acunetix's Chief Technology Officer, who analyzed the leaked data.

A second list was discovered by BBC News reporters and contained similar data pertaining to Gmail, Yahoo! Mail and AOL accounts, as well as mailboxes provided by several ISPs. A Google spokesperson noted that the company independently found a third list and also invoked the same attack scenario.

However, the phishing theory doesn't sit well with Mary Landesman, a senior security researcher at Web security company ScanSafe, who argues that some form of malware with keylogging capabilities is the more likely culprit. "I believe a data theft trojan might have been involved," she says.

Ms. Landesman notes that ScanSafe researchers came across a cache of stolen credentials gathered by such a trojan a few months ago. "The stolen data was organized by the victim's Windows Live ID (where applicable), followed by usernames and passwords (and the URL) for secure websites the victims visited. This was listed by browser type (either Firefox or Internet Explorer) and included any FTP usernames and passwords," she explains and goes on to speculate that the Hotmail list might have been extracted from such a master document.

The leaked document contains only usernames beginning with A and B, which suggests that it is merely a sample, probably used by the attacker to advertise the full list for sale to spammers. Landesman also found several signs that are inconsistent with a phishing scheme.

For one, the list contains no "nonsensical" entries of the kind left by users who realize they are being targeted and type junk into the phishing form; such entries are common in data harvested by phishing attacks. In addition, the list shows formatting errors characteristic of faulty data extraction or merging.
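As an added illustration, not part of the article and not ScanSafe's or Landesman's tooling, the script below applies the three signals just described to a constructed "username:password" dump: the alphabetical spread of usernames, the share of junk entries a phishing form tends to collect, and records malformed in ways consistent with sloppy extraction or merging. The junk patterns, the `max_letters` cut-off and the sample lines are assumptions made for this example.

```python
"""Triage heuristics for a leaked credential list (added illustration).

Reports three signals for a dump of "username:password" lines: how many
initial letters the usernames span (a narrow slice such as A-B suggests a
sample cut from a larger, sorted master list), how many entries look like
junk typed by visitors who recognised a phishing page, and how many records
are malformed in ways consistent with sloppy extraction or merging.
Patterns, thresholds and sample data are assumptions made for this example.
"""
import re

# Constructed sample; no real credentials. Covers plausible records, a
# merge artifact, a truncated record and two junk entries.
SAMPLE_DUMP = """\
alice.example@hotmail.com:Summer2009!
andrew.k@hotmail.com:qwerty123
arthur.b@hotmail.com:arthur.b@hotmail.com:ftp.example.net
barbara.s@hotmail.com:p@ssw0rd
ben.t@hotmail.com
bob.m@hotmail.com:fakefakefake
brian.x@hotmail.com:asdfasdf
bruno.y@hotmail.com:letmein
"""

EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")

# Assumed markers of a visitor who spotted the scam and typed garbage.
JUNK_PATTERNS = [
    re.compile(r"^(asdf|zxcv)+$", re.I),          # keyboard mashing
    re.compile(r"(fake|scam|phish|nope)", re.I),  # explicit rejection
    re.compile(r"^(.)\1{3,}$"),                   # aaaa, 1111
]


def parse_records(text):
    """Split dump lines into records, noting structural defects per record.

    Limitation: a genuine password containing ':' is reported as an extra
    field; a real triage would use the delimiter the source is known to use.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        rec = {"line": lineno, "user": parts[0], "password": None, "issues": []}
        if not EMAIL_RE.match(parts[0]):
            rec["issues"].append("username is not an e-mail address")
        if len(parts) < 2:
            rec["issues"].append("missing password field")
        else:
            rec["password"] = parts[1]
            if len(parts) > 2:
                rec["issues"].append("extra fields (possible merge artifact)")
            if parts[1] == parts[0]:
                rec["issues"].append("username duplicated into password field")
        records.append(rec)
    return records


def is_junk(password):
    """True when the password matches one of the assumed junk patterns."""
    return any(p.search(password) for p in JUNK_PATTERNS)


def initial_letters(records):
    """Sorted string of the distinct first letters across all usernames."""
    return "".join(sorted({r["user"][0].lower() for r in records if r["user"]}))


def triage(text, max_letters=3):
    """Summarise the signals for one dump; interpretation is left to the analyst."""
    records = parse_records(text)
    usable = [r for r in records if r["password"] is not None]
    junk = [r for r in usable if is_junk(r["password"])]
    initials = initial_letters(records)
    return {
        "records": len(records),
        "malformed": sum(1 for r in records if r["issues"]),
        "junk": len(junk),
        "junk_share": round(len(junk) / len(usable), 2) if usable else 0.0,
        "initials": initials,
        # A narrow alphabetical slice points to a sample cut from a sorted master list.
        "alphabetical_slice": 0 < len(initials) <= max_letters,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
    for rec in parse_records(SAMPLE_DUMP):
        if rec["issues"]:
            print(f"line {rec['line']}: {'; '.join(rec['issues'])}")
```

On the constructed sample the script reports an A-B slice, two malformed records and a junk share of about 29%. In the article's reading, a near-zero junk share combined with merge-style defects is what a dump cut from a trojan's master file looks like, while a noticeable junk share is what a phishing form collects; the numbers are only signals, and no single one settles the origin of a list.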

"The question of origin of the stolen data will likely never be fully answered. But as of now, data theft still seems a very likely cause," Ms. Landesman concludes. True or not, users who believe they may be affected by these leaks are advised to scan their computers for infections with an up-to-date and reliable antivirus solution. After all, it's better to be safe than sorry.

It is worth noting that Mary Landesman is not the only one advancing this theory. Paul O Baccas of antivirus vendor Sophos, who examined the second list uncovered by the BBC, noted: "Personally, I think that this data is a combination of some phishing emails, keylogger data and a rogue social networking application phishing information."

Source: Softpedia
