Microsoft and Google not to blame for phishing attacks

An ethical hacker has claimed that there was nothing that Microsoft and Google could have done about the much-publicised phishing attacks that have hit their email services - and that it has happened many times in the past.

Ethical hacker and digital forensics investigator Neil O'Neil, of secure payments company the Logic Group, reached that conclusion after examining the first 10,000 phished Hotmail passwords.

Speaking to IT PRO, he explained that these types of phishing incidents were common, but that in this case the damage was made worse when the location of the passwords was made public, after someone posted them on pastebin.com.

O'Neil said it was one of the first times that an actual list of phished accounts had been made public, but added that while 10,000 accounts may sound like a big number, it was a drop in the ocean compared to the 300-plus million Hotmail accounts.

"It could have been someone looking for kudos or press, two hackers falling out. A lot of the time people are doing it just because they can. They love to bloody nose names like Microsoft and Google," he said.

O'Neil said that there was no way the companies could have defended themselves against users getting phished for passwords, and indeed it was certain that this type of incident would happen again.

He said that no blame should be put on the victims either, as email scams were becoming so sophisticated that the "man in the street" would struggle to know what was real and what was fake.

O'Neil added that email was "inherently insecure", and that it couldn't be protected unless users turned to encrypted email, which is only commonly used by organisations like the government and the military.

O'Neil did have criticism for Neowin, the website which originally reported the passwords' appearance on pastebin.com. He said the detail in their report made it easier for hackers to find the passwords, even after they had been deleted.

"The internet is effectively copied every night," said O'Neil. "There are many servers around the globe that hold copies of the internet. The list came out of pastebin.com and once it has been posted on the internet it is cached to other servers for up to 14 days."

"So you're able to go and if you know where to go, you can get this information off other servers, even though the original site has closed."

O'Neil said that anything on the internet, even if deleted, can be copied. This was how he managed to find the 10,000 phished Hotmail accounts.

He said that hackers knew the search strings to get the information, because the press reports naming the site led them straight to the information.

"They should have been more vague [with where the phished passwords are]," O'Neil said of Neowin. "By saying they were from pastebin.com, that really reduces where you have to search for the information."