HotMail Phishing. Were you caught? Or did you swim away.

[zalternate]

So the simplest of Phishing schemes is where that great new site you just joined, wants your email address and password, to be able to automatically send all your friends invites(in your name) to the new site. So would you give a stranger the keys to your car, so the stranger can show it to all your friends quicker than you can?

Another is where you get an email, supposedly from Ebay or PayPal, saying your account has been violated and please click on the links below to enter your account name and password to be able to confirm if your account was indeed hijacked. The quirk in the email is that the recommended link that is supposedly 'Secure', is the link to the fake Ebay/PayPal site. And the 'standard'  link is usually to the real Ebay/PayPal.

http://www.crn.com/security/220301140;jsessionid=RFTTUVYP4K0GPQE1GHPSKH4ATMY32JVN

 Microsoft Admits Phishing Attack Picked Up Hotmail Users' Details

By Joseph F. Kovar, ChannelWeb

7:55 PM EDT Mon. Oct. 05, 2009

Microsoft (NSDQ:MSFT) on Monday afternoon confirmed reports that hackers got access to several thousands of Windows Live Hotmail customers' credentials through a possible phishing attack.

Microsoft wrote in a blog posted on its Windows Live site that the customer data was exposed due to a likely phishing scheme.

The hack was first reported Monday morning by the Neowin blog site.

In the blog, the writing of which was not attributed to a specific individual but instead to the "Windows Live team," Microsoft late Wednesday afternoon wrote that it was taking measures to block access to all the accounts that were exposed.

Microsoft is also providing resources to help users reclaim their accounts.

Neowin reported that details of the accounts of users who use hotmail.com, msn.com, and live.com to access Hotmail were posted on-line at a site used by developers to share code, and that copies of the list were posted in other locations.

At least 10,000 accounts starting with the letters "A" and "B" were exposed, but Neowin said this suggests that there could be additional lists of users' accounts.

Microsoft, in its response, said that it has requested that the users' credentials be removed, and that it has launched an investigation into the potential customer impact of the breach.

The hack was not a breach of internal Microsoft data, the company wrote.

Microsoft also used its blog to warn users against phishing in general.

"Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software," Microsoft said.

Microsoft also told victims of a phishing scheme to update their account information and change their password write away, and gave a step-by-step list of things to do if one falls prey to a phishing attack.

On the Neowin blog, several readers responded to the story with a warning that phishing attacks are not a result of Web site security problems, but the result of user carelessness.

When one respondent, "DomZ," wrote that the attack seems like a massive security breach, another respondent, "Coth," wrote, "phishing is not a site security breach. it's an end user brain security breach. it's just stupid people opening spam mails to right and left, clicking on every link and entering their passwords on faked pages without checking the address." (sic)

Coth's response was echoed by "_dandy_," who gave an example of the kind of user activity that leads to successful phishing attacks.

"Twice now in the last month or so, I've had to explain to some of my acquaintances that a site that asks you for your Messenger credentials in order to have it show you who's got you marked as blocked is nothing but a login harvester," _dandy_ wrote.

Another respondent, "+Iakobos," wrote that, while not all the accounts may have been real, users in general need to be careful. "I don't understand how people can be stupid enough to give their live details away to phishing scams," +Iakobos wrote.

[zalternate]

Oh, by the way. Gmail and Yahoo, etc.,  and something called AOL, email services Phished also.

http://www.theregister.co.uk/2009/10/06/gmail_webmail_phish/

Gmail, AOL, Yahoo! all hit by webmail phishing scam

I can see my address from here

By John Leyden

[mudmanc4]

Thanks , I know that most people just click, punch in there numbers , and go, damn, it didn't go through , hmm, try again. 

Iv'e noticed this from facebook, paypal, and several other sites, but those two the most, (jeeze facbook and myspace are covens of viral, fraudulent tracking, tracing , nasty gathering place for harvesting personal information wow !! ) I pay close attention to the certificates of any site , so if it's not in my store and valid, b-bye now..... it shows up if I'm not paying attention. Plus I toss them regular, so I sometimes run into small hold ups , but whats wrong with looking at the certificate of someplace your typing in vital information. Takes two seconds to move your eye's to the thing.

[zalternate]

Also to note, is that trojans can capture your keystrokes(website, username, password) on your computer or take images(screen capture) of content on your monitor to see information on some sites.

So take 15 minutes and Scan for bugs in your system.

MalwareBytes. Anti-Malware.  Free.

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol&cdlPid=10896905

Looks like some Phishermen will be spending a few weeks on ice.

http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=220301571

One Hundred Phishers Charged In Largest Cybercrime Case

A two-year international phishing investigation involving the FBI and authorities in Egypt has led to charges against 53 people in the U.S. and 47 overseas.

By Thomas Claburn

InformationWeek

October 7, 2009 04:47 PM

The FBI on Wednesday announced that it had charged 53 defendants, the largest number ever charged in a cybercrime case, following a multinational investigation into a phishing scheme that operated in the United States and Egypt.

Thirty-three of the 53 defendants named in the indictment have been arrested, the FBI said, and several others are being sought. The investigation, dubbed "Operation Phish Phry," began in 2007.

Authorities in Egypt have charged 47 defendants linked to the phishing operation.

Phishing is a form of social engineering that attempts to convince Internet users, via e-mail or other means, to provide online credentials via e-mail, Web submission form, or some other method under false pretenses. Often, phishers create fraudulent Web sites that have been designed to look like legitimate Web sites as a way to encourage site visitors to supply sensitive information, such as online banking login details.

Earlier this week, Microsoft (NSDQ: MSFT) warned that "several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a likely phishing scheme." The online attack also appears to have affected users of other online e-mail services, including Google Gmail, and Yahoo (NSDQ: YHOO) Mail.

According to the FBI, the U.S.-Egypt phishing operation collected personal information from thousands of victims and used that information to defraud U.S. banks. Hackers based in Egypt allegedly captured banking information and other personal details, then supplied that information to associates in the U.S. who then withdrew funds using the stolen credentials and wired back a portion of the proceeds to Egypt.

"The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed," said Keith Bolcar, acting assistant director of the FBI in Los Angeles, in a statement. "Criminally savvy groups recruit here and abroad to pool tactics and skills necessary to commit organized theft facilitated by the computer, including hacking, fraud and identity theft, with a common greed and shared willingness to victimize Americans."

All 53 defendants in the U.S. face charges of conspiracy to commit bank fraud and wire fraud, which carry a maximum sentence of 20 years in prison. Some of the defendants also face additional charges that could lead to longer terms.