October 6, 2009 6:54 AM PDT

Gmail also hit by e-mail phishing scheme

by Don Reisinger

Hotmail users aren't the only ones who've been hit by a phishing scheme over the past week. Google told BBC News on Tuesday that Gmail users have also been affected by the hackers who posted passwords online.

The problem is far more widespread than was disclosed on Monday, possibly affecting Yahoo and AOL e-mail accounts as well, according to BBC News.

Google described the issue as an "industrywide phishing scheme." BBC News said it has seen two lists posted online with "more than 30,000 names and passwords" from Gmail, Yahoo, AOL, Microsoft's Windows Live Hotmail, and other service providers.

"We recently became aware of an industrywide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google representative told me in an e-mail.

The representative said that Google immediately "forced passwords resets on the affected accounts."

In an e-mail to CNET, a Google representative said that the company had to reset the passwords on fewer than 500 Gmail accounts so far. However, that figure could change.

Despite Google's and Microsoft's awareness of the problem, it doesn't seem that users are out of the woods just yet. Google's representative told CNET that it will continue to force password resets on any newly affected user accounts.

Like Microsoft, Google was quick to point out to the BBC that the phishing scheme was a "scam to get users to give away their personal information to hackers" and not an internal security issue. It didn't say how users fell victim to the scheme.

Google's admission that Gmail users were affected by the phishing scheme comes on the heels of Microsoft acknowledging that over 10,000 Live Hotmail accounts were compromised by the scam. The passwords apparently first hit the Internet on October 1.

Updated at 9:10 a.m. PDT to include Google's comments.

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET.

by mrquotehealthboss October 6, 2009 7:24 AM PDT
What's the problem with those hackers? Why are they hacking our emails?
by jc364 October 6, 2009 8:41 AM PDT
motivations for hackers:
curiosity
notoriety
control, superiority
gaining something of value
vendetta of some type
by rcrusoe October 6, 2009 8:43 AM PDT
Why hack someone's email? Because a very large number of non-geeks use the same/similar username and password for all their online accounts. Joe Sixpack, et al, are clueless when it comes to security.

Guess someone's email credentials then try that username and/or password on banks, etc. that are available in the user's local area.

As I recall that's how someone gained access to sensitive Twitter company data.
by Shane39199 October 6, 2009 7:45 AM PDT
because many of us do online banking and keep our bills and emails that contain sensitive data IN our online mail boxes....so why wouldn't you reach into a mailbox if you saw a few $$$
by SergeM256 October 6, 2009 12:40 PM PDT
I think it would be too time-consuming to open mailbox and read all mail, hoping to find some valuable info. Online bills and statements usually don't have full account number; usually they don't have address/zip code either. I don't think there is software that could search for a specific info in mailbox and present it in a usable form.
by thydavidcome October 6, 2009 7:47 AM PDT
How anyone can fall prey to a phishing scam is beyond me.
by b00dah October 6, 2009 8:12 AM PDT
C'mon dude... you can't imagine just HOW some people can fall prey... it's very easy. I'll just say this much to you... with advances in the "criminal" sectors of our globe, the bad guys are increasingly more sophisticated. If you aren't careful in just what you click on... no, what page you actually go to... you too my friend could fall prey. It's all a matter of keeping your eyes open at all times.
by rtuinenburg October 6, 2009 7:52 AM PDT
I have seen some pretty slick phishing scams, they look very authentic. I can see why a novice would fall for it. They use the high value brands to make it look so legit.
by fokkwp October 6, 2009 8:02 AM PDT
One problem is that banks send emails that look a lot like phishing scams. That is, they have a link and say "click here to access your account".

If all legitimate account managing entities - banks etc. - would *never* ask a user to "click on a link" it would be a lot easier to inform users to never click on a link that appears to come from your bank. At least we could help users avoid phishing scams that way. But as it is, it is hard under any circumstances to tell a phish from a real email from a bank, if the device it uses is "click here".
by awbomber October 6, 2009 9:14 AM PDT
My bank does not and has promised never to put any links to their site in e-mail correspondence. I'm not sure I would stick with a bank that doesn't take this most rudimentary of precautions.
by wahoospa October 6, 2009 8:56 AM PDT
Yesterday when I read about this I went to the pastebin.ca site before they removed the list and also saw some bellsouth.net email names with passwords.
by n3td3v October 6, 2009 9:41 AM PDT
This industry-wide phishing scam must be deeply embarrassing for The Department of Homeland Security which is currently running a "National Cyber Security Awareness Month".
by catbutt5 October 6, 2009 2:34 PM PDT
"deeply embarrassing"... I highly doubt that.

I don't believe "keeping morons from giving up their passwords to anyone who asks" is one of their mandates.

Enough shifting blame...
by n3td3v October 6, 2009 2:52 PM PDT
catbutt5,

Obvious to me the whole thing has been orchestrated by elements of US government to coincide with the start of national cyber security awareness month, or a very big coincidence.
by captain_numerica October 6, 2009 6:51 PM PDT
@n3td3v - Do you really believe that? (Honest question)
by linuxroadwarrior October 6, 2009 12:11 PM PDT
Tsk, tsk. The net unaware are always the prey, are they not? If they don't understand the net, stay off. That's like going into a war torn country without understanding their language and culture.
by Michichael October 6, 2009 12:12 PM PDT
Breaking news - hackers exploit stupid people. In other groundbreaking stories, water is wet.
by captain_numerica October 6, 2009 6:53 PM PDT
Why do these articles always attract the hydrogen dioxide fanboys. I'm so tired of your "greater than carbon" attitudes. :P
by lildimsum7 October 6, 2009 7:06 PM PDT
seriously, it's the idiots that get phished. it's the dumb people's faults for logging in to phishers
by October 6, 2009 8:33 PM PDT
The blame for these successful phishing attacks lies with the illiterate and naive users who gullibly succumb to obvious fakes that wouldn't fool your normal 7th grader. But face it - many, many users didn't graduate from high school, or are someone's doddering grandparent. So the real culprits are the software designers who design the internet to be friendly to geeks and IT professionals, instead of your average joe. How about taking responsibility for security and make the geeks jump through hoops to do advanced computing instead of expecting some dope to understand how to install and maintain security programs and screen bogus emails. Wouldn't that save us all tons of money and time?
by BethJones-Sophos October 7, 2009 10:01 AM PDT
There's a whole lot more to this than just "people being gullible". This wasn't a single phish attack. This was a multi-vectored attack, using email phish, and probably keyloggers as well as rogue social network applications. Here at Sophos we saw a number of "kid culture" passwords, as well as these weak passwords. See

http://www.sophos.com/blogs/chetw/g/2009/10/06/hotmail-heist-update-release/
http://www.sophos.com/blogs/sophoslabs/v/post/6719

It's not the fault of the folks who designed the internet, nor the email providers. The strongest password in the world won't matter if you hand it over to someone, either to a person on the street or behind a screen.
by josephadeo October 7, 2009 2:46 PM PDT
"The strongest password in the world won't matter if you hand it over to someone, either to a person on the street or behind a screen."

True, but isn't that proof that email providers need to offer better encryption? I work for VeriSign and see of validation for two factor authentication here, because in those instances leaking the world's strongest (or weakest) password won't matter if you don't have the proper token. So maybe it isn't totally the fault of the email providers except indirectly, since there are potentially helpful technologies out there they aren't taking advantage of (probably due to financial reasons, to keep the email free?).
by bluemist9999 October 13, 2009 11:52 AM PDT
I read that some security researchers went into a Starbucks and offered the people waiting in line free coffee if the people told the researchers their passwords.

Not only did a fair number of people give their passwords, some even told how they made them (such as "I take the first 3 letters of the month and add my birthday")

The best security really can't stop clueless people.