
Microsoft and Google not to blame for phishing attacks

Were the original reporters of the phished passwords at fault by leading hackers straight to where they could search for copies of the information?

An ethical hacker has claimed that there was nothing that Microsoft and Google could have done about the much-publicised phishing attacks that have hit their email services - and that it has happened many times in the past.

Ethical hacker and digital forensics investigator Neil O'Neil, of secure payments company the Logic Group, made that conclusion after examining the first 10,000 phished Hotmail passwords.

Speaking to IT PRO, he explained that these types of phishing incidents were common, but that in this case the damage was made worse when the location of the passwords was made public, after someone posted them on pastebin.com.

O'Neil said it was one of the first times that an actual list of phished accounts had been made public, but added that while 10,000 accounts may sound like a big number, it was a drop in the ocean compared to the 300-plus million Hotmail accounts.

"It could have been someone looking for kudos or press, two hackers falling out. A lot of the time people are doing it just because they can. They love to bloody nose names like Microsoft and Google," he said.

O'Neil said that there was no way the companies could have defended themselves against users getting phished for passwords, and indeed it was certain that this type of incident would happen again.

He said that no blame should be put on the victims either, as email scams were becoming so sophisticated that the "man in the street" would struggle to know what was real and what was fake.

O'Neil added that email was "inherently insecure", and that it couldn't be protected unless users turned to encrypted email, which is only commonly used by organisations like the government and the military.

O'Neil did have criticism for Neowin, the website which originally reported the passwords' appearance on pastebin.com. He said the detail in their report made it easier for hackers to find the passwords, even after they had been deleted.

"The internet is effectively copied every night," said O'Neil. "There are many servers around the globe that hold copies of the internet. The list came out of pastebin.com and once it has been posted on the internet it is cached to other servers for up to 14 days."

"So you're able to go and if you know where to go, you can get this information off other servers, even though the original site has closed."

O'Neil said that anything on the internet, even if deleted, can be copied. This was how he managed to find the 10,000 phished Hotmail accounts.

He said that hackers knew the search strings to get the information, because the press reports naming the site led them straight to it.

"They should have been more vague [with where the phished passwords are]," O'Neil said of Neowin. "By saying they were from pastebin.com, that really reduces where you have to search for the information."
