MICROSOFT’S HOTMAIL and Google’s Gmail are among several e-mail services that suffered a substantial phishing attack in the past week.
More than 30,000 people had their account details and passwords published on the website pastebin.com.
Other services affected included Yahoo, Comcast and AOL’s e-mail systems.
The operators of these services said the attack did not hit their own systems. Instead the breach was the result of a phishing scam.
Phishing is a social engineering confidence trick, often using what is known as malicious software or malware, whereby e-mail users unwittingly give up personal data.
The tactic is proving increasingly popular in organised crime as it requires only a tiny percentage of targets to fall for the trick to prove profitable.
“There was a mass-mailing of phishing e-mails to millions of addresses at the various sites,” said Conor Flynn, technical director with IT security firm Rits.
“It was very successful from a social engineering perspective in making the user believe it was an authorised e-mail [from their service provider].”
Phishing typically redirects users to a website that is designed to look like the site of a trusted party such as an e-mail service provider or bank. Users then input personal data which is stored by the malicious parties.
Attacks of this nature are common, but this particular incident was unusual in that the perpetrators chose to post the details they gathered openly on a website. “It looks like there was no attempt by the authors of the malware that gathered the data to exploit it,” Mr Flynn said. “That doesn’t appear to have been the motivating factor.
“It’s unusual that the credentials were dumped on to a public website.”
Mr Flynn said there could be several motivating factors for such an action.
The authors may have been seeking to advertise their services to organised crime figures by showing how effective their methods are.
Alternatively, Mr Flynn said it could have been a test run for a future attack by the originators of the scam.
Such skills are particularly lucrative for criminals, as online banking fraud has now overtaken credit-card fraud.
“In Ireland we are seeing a significant increase in the targeted phishing attacks on online banking systems.
“This is worth hundreds of thousands of euro per annum and that’s just in Ireland,” said Mr Flynn.
Mr Flynn advised internet users to ensure they have up-to-date anti-virus systems and firewalls on their computers before going online, to help guard against such attacks. “They should be the equivalent of putting on your seatbelt when you get in a car,” he said.