Microsoft and Google not to blame for phishing attacks

Were the original reporters of the phished passwords at fault by leading hackers straight to where they could search for copies of the information?

An ethical hacker has claimed that there was nothing that Microsoft and Google could have done about the much-publicised phishing attacks that have hit their email services - and that it has happened many times in the past.

Ethical hacker and digital forensics investigator Neil O'Neil, of secure payments company the Logic Group, made that conclusion after examining the first 10,000 phished Hotmail passwords.

Speaking to IT PRO, he explained that these types of phishing incidents were common, but that in this case the damage was made worse when the location of the passwords were made public, after someone posted them on pastebin.com.

O'Neil said it was one of the first times that an actual list of phished accounts have been made public, but added that while 10,000 accounts may sound like a big number, it was a drop in the ocean compared to the 300-plus million Hotmail accounts.

"It could have been someone looking for kudos or press, two hackers falling out a lot of the time people are doing it just because they can. They love to bloody nose names like Microsoft and Google," he said.

O'Neil said that there was no way the companies could have defended themselves against users getting phished for passwords, and indeed it was certain that this type of incident would happen again.

He said that no blame should put on the victims either, as emails scams were becoming so sophisticated that the "man in the street" would struggle to know what was real and what was fake.

O'Neil added that email was "inherently insecure", and that it couldn't be protected unless users turned to encrypted email, which is only commonly used by organisations like the government and the military.

O'Neil did have criticism for Neowin, the website which originally reported the passwords' appearance on pastebin.com. He said the detail in their report made it easier for hackers to find the passwords, even after they had been deleted.

"The internet is effectively copied every night," said O'Neil. "There are many servers around the globe that hold copies of the internet. The list came out of pastebin.com and once it has been posted on the internet is cached to other servers for up to 14 days."

"So you're able to go and if you know where to go, you can get this information off other servers, even though the original site has closed."

O'Neil said that anything on the internet, even if deleted, can be copied. This was how he managed to find the 10,000 phished Hotmail accounts.

He said that hackers knew the search strings to get the information, because the press reports naming the site lead them straight to the information.

"They should have been more vague [with where the phished passwords are]," O'Neil said of Neowin. "By saying they were from pastebin.com, that really reduces where you have to search for the information."

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Google banned from importing patent-infringing tech following Sonos IP victory
Policy & legislation

Google banned from importing patent-infringing tech following Sonos IP victory

7 Jan 2022
Google, Facebook fined €210 million for making it difficult for users to reject cookies
Policy & legislation

Google, Facebook fined €210 million for making it difficult for users to reject cookies

6 Jan 2022
Google is working with leading PC manufacturers to improve Android on Windows
Google Android

Google is working with leading PC manufacturers to improve Android on Windows

6 Jan 2022
Google Cloud acquires Israeli security startup Siemplify
cloud security

Google Cloud acquires Israeli security startup Siemplify

5 Jan 2022

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022