Microsoft and Google not to blame for phishing attacks

Were the original reporters of the phished passwords at fault by leading hackers straight to where they could search for copies of the information?

An ethical hacker has claimed that there was nothing that Microsoft and Google could have done about the much-publicised phishing attacks that have hit their email services - and that it has happened many times in the past.

Ethical hacker and digital forensics investigator Neil O'Neil, of secure payments company the Logic Group, reached that conclusion after examining the first 10,000 phished Hotmail passwords.

Speaking to IT PRO, he explained that these types of phishing incidents were common, but that in this case the damage was made worse when the location of the passwords was made public, after someone posted them on pastebin.com.

O'Neil said it was one of the first times that an actual list of phished accounts had been made public, but added that while 10,000 accounts may sound like a big number, it was a drop in the ocean compared to the 300-plus million Hotmail accounts.

"It could have been someone looking for kudos or press, two hackers falling out. A lot of the time people are doing it just because they can. They love to bloody nose names like Microsoft and Google," he said.

O'Neil said that there was no way the companies could have defended themselves against users getting phished for passwords, and indeed it was certain that this type of incident would happen again.

He said that no blame should be put on the victims either, as email scams were becoming so sophisticated that the "man in the street" would struggle to know what was real and what was fake.

O'Neil added that email was "inherently insecure", and that it couldn't be protected unless users turned to encrypted email, which is only commonly used by organisations like the government and the military.

O'Neil did have criticism for Neowin, the website which originally reported the passwords' appearance on pastebin.com. He said the detail in their report made it easier for hackers to find the passwords, even after they had been deleted.

"The internet is effectively copied every night," said O'Neil. "There are many servers around the globe that hold copies of the internet. The list came out of pastebin.com and once it has been posted on the internet it is cached to other servers for up to 14 days."

"So you're able to go and if you know where to go, you can get this information off other servers, even though the original site has closed."

O'Neil said that anything on the internet, even if deleted, can be copied. This was how he managed to find the 10,000 phished Hotmail accounts.

He said that hackers knew the search strings to get the information, because the press reports naming the site led them straight to the information.

"They should have been more vague [with where the phished passwords are]," O'Neil said of Neowin. "By saying they were from pastebin.com, that really reduces where you have to search for the information."
