Yesterday we reported that Microsoft Live/Hotmail was exposed to an extensive phishing scheme. Apparently the attack was more extensive than this. BBC News reports that a second list with 20,000 accounts was published. Contrary to the first list, the second list included accounts from AOL, Comcast, Earthlink, Gmail and Hotmail. With that information, we can conclude that this is an industry-wide attack, rather than an attack on a particular provider.
Phishing attacks by themselves are nothing new, but this is probably one of the biggest attacks that I have ever heard of.
What makes it even worse is that the people who often fall for these kinds of attacks are the same users who are likely to use the same password for everything. Hence, this problem is greater than just having a few private emails exposed. Equipped with a list of valid e-mail address and password combinations, an attacker can easily write a script that tries the credentials on a number of commonly used sites (and run it through a bot-network to be able to scale it). All of a sudden, the attacker now has a list of credentials to a number of sites, perhaps even including banks and other financial services.
For us techies, it’s easy to spot a phishing email. However, for the average user, this can be a challenging task. There are a number of technologies that can help prevent phishing (e.g. DKIM). Unfortunately, due to the lack of industry-wide adoption, we cannot rely on these technologies entirely today.