June 3, 2011 at 12:19 PM ET
Gmail hasn't been the only Web-based email program under attack; some users of Hotmail and Yahoo Mail are also having the same problem. While Google said it believes its attacks emanated from China, that's not necessarily the case with Hotmail and Yahoo Mail; still, there are "significant similarities" in the attacks themselves, says Trend Micro.
"The objective of the attackers appears to be to gain access to the target’s Webmail accounts in order to monitor his/her communications and, possibly, to stage future attacks," says Nart Villeneuve, senior threat researcher for the software security firm, in a blog posting. "In the recent case revealed by Google, the attackers used a phishing attack to gain access to the target’s Gmail account then proceeded to add their own email addresses to the "forwarding and delegation settings," allowing them to send and receive email messages via the compromised accounts."
Problems with Microsoft's Hotmail security were noted by Trend Micro a few weeks ago in this report. But Trend Micro spokesman Michael Sweeny said in an email to msnbc.com that Microsoft "already patched last week the vulnerability that we identified." (Msnbc.com is a joint venture of Microsoft and NBC Universal.)
Villeneuve says that the new phishing effort is particularly pernicious. "Rather than clicking a malicious link, even the simple act of previewing the malicious email message can compromise a user’s account," he wrote, citing an example of a phishing email that "pretended to be from the Facebook security team."
And, in addition to Gmail and Hotmail users, Yahoo Mail users "have also been targeted," he said:
We recently alerted Yahoo of an attempt to exploit Yahoo Mail by stealing users’ cookies in order to gain access to their email accounts. While this attempt appeared to fail, it does signify that attackers are attempting to attack Yahoo Mail users as well.
The same email address that attempted to exploit Yahoo! Mail was used in targeted attacks featuring malicious Microsoft Excel spreadsheets in March. This demonstrates the diversity of exploits that are available to attackers.
These events demonstrate that in addition to targeted attacks that encourage users to open malicious attachments, usually .PDF and .DOC files, attackers are also attempting to exploit vulnerabilities in popular Webmail services in order to compromise Webmail accounts, to monitor communications, and to gain information in order to stage future attacks.
Once the attackers know what software is installed on a target’s computer, including antivirus products, they can craft a precise attack targeting any vulnerable software. Such an attack will then have a high probability of success.
There are some signposts to help you identify phishing emails, including spelling and grammar errors "that help indicate that it did not originate from the expected source," Villeneuve writes. To learn more about targeted attacks, he points to a Trend Micro article, "How Sophisticated Are Targeted Malware Attacks?" McAfee also has more information on phishing here. Yahoo has information here, as well as at its Security Center.
It's not clear how much of an issue the problem is for Yahoo or Hotmail customers.
Microsoft, via a spokesperson, said it is "not aware of any broad phishing attacks targeting our Hotmail customers. We take the security and privacy of our customers very seriously; phishing attacks are a persistent industry challenge."
The company recommends users check its online privacy and safety site, as well as this Windows Live page, but also offers this advice to those who think they have been the victim of a phishing scheme:
People who think that they have responded to a phishing scam with personal or financial information or entered this information into a fake website should take four key steps: (1) report the incident to the proper authorities, (2) change the passwords on all your online accounts, (3) review your credit reports and your bank and credit card statements, and (4) make sure you are using the latest technologies to help protect yourself from future scams.
If you have given out your credit card information, contact your credit company right away. The sooner a company knows your account may have been compromised, the easier it will be for them to help protect you.
Next, contact the company that you believe was forged. Remember to contact the organization directly, not through the e-mail message you received. Or call the organization's toll-free number and speak to a customer service representative. For Microsoft, call the PC Safety hotline at 1-866-PCSAFETY.
Then, report the incident to the proper authorities. Send an e-mail to firstname.lastname@example.org to report it to the Federal Trade Commission and to email@example.com to report it to the Anti-Phishing Working Group.
The second step is to change the passwords on all your online accounts. The reason for this is that a lot of people use the same password for multiple accounts. Start with passwords that are related to financial institutions or personal information. If you think someone has accessed your e-mail account, change your password immediately.
The third step is to review your bank and credit card statements and your credit report monthly for unexplained charges, inquiries or activity that you didn’t initiate.
Finally, make sure you use the latest products, such as anti-spam and anti-phishing capabilities in e-mail services, phishing filters in Web browsers and other services to help warn and protect you from online scams.
One Hotmail user, Christopher Polasek, said he found out about the malware attempt on Monday afternoon when he got a call from his grandmother "asking if I emailed her. I had not and she advised she got an email from me with just a link."
She thought the link was photos of her great-grandchildren, and clicked on what turned out to be "not an appropriate" site, Polasek said. And he quickly learned that "somehow everyone on my contact list had been sent this same information via my contact list."
He followed up with an email to his contacts letting them know "my account had been hijacked and not to trust links sent by my email account." And he said he also deleted his contact list and changed his password. It was all a lot of work and aggravation — but it's now a reality in our Web-based world.