A Hotmail phishing scam that took over more than 10,000 accounts proved to be problematic as a combination of severe hacking and good spelling made the attack particularly convincing.
Emails arrived seemingly from friends claiming to be in dire need and requiring money transfers. One claimed that the sender had been mugged in South Africa and needed some funds desperately.
A BBC article from back in October says that accounts and passwords had been published in several places online, including pastebin.com, since October 09, and that the accounts had been open to phishing scammers since then. One source said that Hotmail addresses beginning with a or b had been initially targeted. Though Microsoft acknowledged the problem at the time, it seems they have done little to help – or warn – customers.
Graham Cluley, consultant at security firm Sophos, told BBC News the published list may just be a subset of a longer list of compromised accounts.
“We still don’t know the scale of the problem,” he said.
Confused customers were having a hard time getting any help from Microsoft. One told me she phoned Microsoft London, which turned out to be pretty useless in terms of customer support:
“I phoned and chose two of their options. The first could offer no support and referred me back to the web site. The second gave me another web site address, which I accessed. I filled in their e-mail form in great detail and they promised a response from their experts within 24 hrs. I duly received an automated response in my in-box shortly afterwards giving more links. When I clicked on these – guess what! back to the same forms with requests for my password and secret question! I have since resorted to writing to them – by letter.”
We’re not impressed.