Yahoo, Gmail, Hotmail Compromised But How? CircleID

The BBC reports that Gmail and Yahoo were also targeted. It seems unlikely to me that this was a hack in which someone broke into Hotmail's servers and accessed the account information that way. It is much more likely that the spammers got the information by social engineering.

Why is this more likely? For one, they would have to get past all of the firewalls and security measures that Microsoft/Hotmail have in place to keep intruders out. While not impossible, that is not easy. Secondly, even if a hacker or spammer did break in and steal the account information, it is very unlikely that they could access the associated passwords. Passwords are not stored in clear text; they are stored as one-way hashes. Firms with good security store them this way, and while I don't work in Hotmail, I am pretty certain that they would do the same because it is standard Microsoft policy. The point is that a hacker couldn't get a user's password, because all he would have access to is a text string (the hash) that would not work when entered into the web portal.

This suggests that the spammer tricked the users into handing over their account names and passwords through some other mechanism. Whilst I suspect social engineering, I do not suspect security-question guessing. Note that while vice-presidential candidate Sarah Palin had her account hacked by somebody guessing her login information, this is not a scalable model for spammers. Palin is well known, and you could possibly guess her information simply by reading about her online. But accessing 10,000 accounts that way is too time consuming, and the people you are hacking are unknown to you; you would not be able to guess their information other than by chance, and random guessing is useless.

So how did this hacker acquire this information? The general consensus is that these were victims of phishing scams, most likely involving social engineering.
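As an added illustration of the hashing point above (example code, not from the article or from Hotmail, whose real scheme is not described here): a salted one-way password store in Python, with a check showing that a stolen record's hash string is useless as a login credential. The PBKDF2 scheme, iteration count and record layout are assumptions for this example.

```python
import hashlib
import hmac
import os

# Assumed work factor for the example; not Hotmail's real setting.
ITERATIONS = 200_000


def make_record(password: str, salt: bytes = b"") -> str:
    """Return the stored credential record "pbkdf2$<salt-hex>$<hash-hex>".

    This record is all an intruder would obtain from a dumped user table:
    the password itself never appears in it.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify(record: str, submitted: str) -> bool:
    """Re-derive the hash from the submitted text and compare in constant time."""
    scheme, salt_hex, stored_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), stored_hex)


def stolen_hash_logs_in(record: str) -> bool:
    """Simulate pasting the stolen record's hash field into the login form.

    The login path hashes whatever is typed, so the stored hash is hashed
    again and never matches itself.
    """
    stored_hex = record.split("$")[2]
    return verify(record, stored_hex)


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    rec = make_record("correct horse battery staple")
    print("record:", rec)
    print("real password accepted:", verify(rec, "correct horse battery staple"))
    print("stolen hash accepted:", stolen_hash_logs_in(rec))
```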
It would look something like this: the Hotmail user receives a spam message in their inbox, probably one that looks like it is coming from Windows Live. There is some call to action in which the spammer says that Hotmail is upgrading its infrastructure and requires users to log in to their account and verify their credentials. Furthermore, there was probably some bot attack that broke Hotmail's CAPTCHA service on the sign-up page, so these spam messages were sent from inside Hotmail itself. This type of spam can be more difficult to filter than mail that comes from another service. So we have Hotmail users spamming Hotmail users, possibly with a From: address like "Windows Live Mail Security <live.security.something@...>". Some users did not recognize that this was a phishing scam, entered their credentials, and the damage was done. That's one likely scenario. The problem is that there are so many