Community

Join the Community

21,987
Expert opinions
44,149
Total members
423
New members (last 30 days)
151
New opinions (last 30 days)
28,672
Total comments
Join Sign in

Email Addresses hacked via a Botnet or phished?

  0 4 comments
Robert Siciliano
Robert Siciliano
Security Analyst
Safr.me
Location
Boston
Followers
8
Opinions
844
Unfollow

Recently Microsoft, Yahoo, Google, Comcast and Earthlink announced thousands of email addresses and their passwords were phished by identity thieves and posted in an online forum. One report suggests the emails phished could be up to a million victims.

Researchers parsed the hacked passwords and broke them down into categories based on their level of security. For example some of the passwords were very weak “111111”  “123456” “1234567” “12345678” “123456789” made the top list. Many of the stolen passwords were people’s first names which of course could be kids, spouse etc. Obviously anyone who uses an insecure password like this is more likely to get hacked due to their laziness and less than sophisticated approach to security. 60% of the passwords contained either all numbers or all lowercase letters.

Always use a combination of upper case and lower case, numbers and characters that don’t actually spell anything. Use the first letters of phrases and plug a number in there with a character “Monday is the 1st day of the week!” is Mit1dotw! Research in the data breach showed 6% of the passwords reflected this strong style.

There is however buzz in the IT security world that the data may have been leaked via a botnet. A botnet is a robot network of computers connected to the internet that all share a common technology, a virus/spyware that allows a criminal hacker to remotely access and control the machine. A botnet can be 10 PCs, 10,000 PC or many more. The infamous “conficker” is a botnet. Once a PC is infected the criminal hackers can use the botnet to commit crimes, store data and of course siphon data from the machines.

However while many of the passwords were weak, there were many passwords that were very strong.  The argument is that based on the strength of many of the passwords it is unlikely that they were phished, and more likely hacked.

Regardless of the method of attack there are many things a computer user can do to prevent phishing and being part of a botnet.

  1. When you receive any email from any “trusted source” asking you to login for ANY reason do not click links in the body of the email. Instead manually type the address or go to your favorites.
  2. Use the most recent version of a web browser that has a built in phish filter. Phish filters warn you against clicking links on unauthorized websites.
  3. Invest in anti-virus protection and make sure you have it set to automatically update your virus definitions. There are potentially thousands of new viruses every day. Going a week without anti-virus can make you vulnerable to attack.
  4. Invest in Identity Protection and Prevention. Because when all else fails, its great knowing someone is watching your back.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

4194
 

Share

 
 
 
 
 

Channels

/security /regulation & compliance

Comments: (5)

Michael Wright

Michael Wright ex-CEO, NED at Tilte, Taxd, Welleasy

Robert,

What leads you to the conclusion that the strong passwords were hacked rather than phished ?

My understanding is that the stronger the password, the harder it is to hack (i.e. guess) and therefore the more likely it is to have been phished (social engineering) or recorded by a key logging trojan or virus.

One of the fundamental issues that should be mentioned here is that people often use the same password on many different sites.

You should always make sure that you use different passwords for your banking sites and your email sites - having one password for low risk sites is not a good idea but probably expedient.

regards

Mike

(P.S. Banks should be standardising on anti-phishing measures in their email)

Andrew Churchill

Andrew Churchill ID & Authentication Standards author at MIDAS Alliance

Mike,

I hadn't noticed this blog until you'd flagged it, so thanks for pointing out some of the glaring errors.

Title - hacked via a botnet or phished

Para 1 - they're phished -good old social engineering!

Para 2, line 1 - they're hacked, but some were very weak!

Para 2, line 3 - now they're stolen (so not UK victims, as you can't steal information, merely exploit it for other unlawful purposes)

Para 2, line 5 - back to hacking, and only insecure passwords can be hacked, clearly

Para 3 - strong passwords are on the compromised list.

So, actually back to para 2 because, in itself (over and above the truism that those who are using stronger passwords are likely to be security aware and hence have anti-virus, et al, and not fall for Dear Mister emails) anyone using an insecure password is no more likely to be a victim of hacking or phishing.

If you've an insecure machine and you're gullible then the security of your password makes not the slightest difference (besides the chances of a friend or colleague logging in as you).

Final paras are valid, but hardly news, so I'm afraid to say the only 'laziness and less than sophisticated approach to security' rests with the author.

 

Robert Siciliano

Robert Siciliano Security Analyst at Safr.me

Author

Thanks for dragging me under the bus gents. Bet your mum is proud of you. I was pointing out how some researchers had come to the conclusion. I reported on it. So eat it.

Matt White

Matt White North America editor at Finextra

Play nice please fellas.

A Finextra member 

Hi Mike,

congrats that you made it to say write/report something that shown that PASSWORDS are a big part causing all this internet fraud. Just imagine we wouldnt use them any more. Meaning to use something that one has to remember and when beeing authenticated to type in his PC.... just look at the solution that shows a real altenative solution which provides strong authentication without costs...www.weblookon.com

Hi Andrew,

Dont be soo bad to Mike. This blog is very usefull for all who are concerned to security. Of course there are very few of them with a proved knowledge on all these topics like you. And I mean it. By the way, you still have´nt found out (cracked) the WebLookOn key-secret according to your WebLookOn Key-ID : a.churchill ......

all best

Heinrich

 

Robert Siciliano
Robert Siciliano
Security Analyst
Safr.me
Member since
04 Feb 2009
Location
Boston
Followers
8
Following
0
Opinions
844
Unfollow

Your Social Security number IS in the Hands of Criminals

Most Security Awareness Training is Insufficient and Should Lead to Consequences

AI Spoofed Sites Lead to $50 Million Investment Scams

How and Why “Fun” AI Generated Spam On Social Media Will Manipulate the 2024 Election

Artificial Intelligence and Organized Crime Sitting In a Tree…

See all Opinions from Robert

More expert opinions

Guy Harrison

Guy Harrison CEO at Quantios

The single constant that unites our industry: worry

Dmytro Spilka

Dmytro Spilka Director and Founder at Solvid, Coinprompter

5 Compliance Challenges that Your Algo Execution Model May be Creating

Kyrylo Reitor

Kyrylo Reitor Chief Marketing Officer at International Fintech Business

Forex Market Regulation on the African Continent

Francesco Fulcoli

Francesco Fulcoli Chief Compliance and Risk Officer at Flagstone

National Payments Vision 2024: The UK's Vision for a World-Leading Ecosystem

1

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

21,987
Expert opinions
44,149
Total members
423
New members (last 30 days)
151
New opinions (last 30 days)
28,672
Total comments
Join Sign in

Trending

Francesco Fulcoli

Francesco Fulcoli Chief Compliance and Risk Officer at Flagstone

National Payments Vision 2024: The UK's Vision for a World-Leading Ecosystem

Prakash Pattni

Prakash Pattni MD, Financial Services Digital Transformation at IBM Cloud

How Fintechs and Financial Institutions Can Demonstrate Resiliency

Mouloukou Sanoh

Mouloukou Sanoh CEO and Co-Founder at MANSA

How Stablecoins are Revolutionising the Future of Payments

Brian Mahlangu

Brian Mahlangu VP Product: Digital Platforms Mobile at Absa Bank, CIB.

The Secure Fingerprint: Why Biometrics Have Become Essential for Corporate Clients

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept