Passwords -Beware!

September 30th, 2012 by Stephen Jones Leave a reply »

Beware: The next time you get an email from privacy@microsoft.com in your inbox, just click Delete.

You’re likely to be the target of a phishing scam designed to steal Gmail, Yahoo, Windows Live and AOL passwords, according to Naked Security, a blog by IT security firm Sophos.

The emails are Titled, “Microsoft Windows Update,” and urges recipients to verify their email accounts by entering personal login information.

Dear Windows User,

It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.

This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click in the Verify button below and enter your login information on the following page to Confirm your records.

VERIFY

Thank you,
Microsoft Windows Team.

While the hoax is pretty slick, eagle-eye Internet users will notice odd instances of capitalization and grammar that betray the email’s insidious intentions.Clicking on the “verify” link leads you to a third-party website that purports to be Microsoft.com, but  isn’t , . Here, users are warned that their computers are out-of-date and at high risk; they are then “required” to select one of four email providers and enter their username and password. Naturally, this information is sent directly to the scammers — putting recipients at risk of online identity theft.

Meanwhile last week the world’s largest professional organization for computer engineers exposed user names, plaintext passwords, and website activity for almost 100,000 of its members, some of whom are employees of Apple, Google, IBM, and other large companies.

 The exposure provides outsiders with a candid view of the password choices of some of the world’s most influential software and hardware engineers. Many Internet users employ the same or a similar password for multiple accounts, with the average person using just 6.5 passcodes to access 25 separate accounts, according to one study.

 Dragusin anlysis revealed that  a statistically significant sample of the exposed passwords are so overused that those typically take less than a second to be cracked by freely available programs such as Hashcat and John the Ripper. The password “123456″ (minus the quotes) was used 271 times, while “ieee2012″, “12345678″, “123456789″, and “password” were used 270, 246, 222, and 109 times respectively. Domain names in some of the exposed e-mail addresses included uspto.gov and ieee.org, among others.

Advertisement

Leave a Reply

You must be logged in to post a comment.