Security Watch

Hotmail Hooked in Phishing Scheme

Numerous Hotmail users got some unwanted exposure over the past weekend. Plus, SQL injection attacks are making a quiet return.

• By Jabulani Leffall
• 10/06/2009

Some people like to go fishing on the weekends, which, depending on what's biting, can be a good thing. But when it's hackers doing the "phishing," it's never a good thing. In fact, on Monday, it meant headaches for network administrators and security personnel.

Microsoft isn't too thrilled, either.

Redmond said Monday that due to a likely phishing scheme, "several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site" over the weekend.

"Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers," Microsoft said on its Windows Live team blog. "As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."

Hotmail has had its share of problems recently. In late August, for instance, Microsoft warned that account "hijacking" was becoming a problem for some Hotmail users, and that users who log in to hijacked accounts unwittingly share them with hackers.

This latest phishing attack began when Neowin.net announced an anonymous user had posted the usernames and passwords of more than 10,000 accounts (with domain names that included hotmail.com, msn.com and live.com) on a site called Pastebin.com. The post has been removed from the site.

Microsoft wouldn't specify on which third-party site the breached data actually appeared. It would only say in a statement that "[p]hishing is an industry-wide problem and Microsoft is committed to helping consumers have a safe, secure and positive online experience. Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources."

The company further urged users to renew their passwords every 90 days, for administrators to verify credentials, and for everyone to keep anti-virus software up-to-date.

Return of the SQL Injection Attack
Security vendor SecureWorks reported an increase in SQL injection attacks against its own clients last week.

This, after another security researcher at the University of Alabama at Birmingham (UAB) said that a botnet associated with SQL injection attacks called Asprox is once again on the prowl.

"This botnet is back to its old tricks of attacking vulnerable [sic] the ASP pages on IIS Servers trying to add a malicious JavaScript link to legitimate Web pages by manipulating the underlying Microsoft SQL servers," wrote Gary Warner, director of research in computer forensics at UAB, on this blog.

Microsoft's SQL Server database application has long been a popular attack vector. For more than a year, popular Web sites and businesses large and small have been hit by SQL injection incursions. There are two common ways enterprise administrators can keep such attacks at bay. First, tighten up security in custom application code. Next, control access privileges to the enterprise database at the application level. At the server level, use server logs to monitor HTTP requests. Query strings are helpful, too, but are more meticulous than just controlling who gets into SQL in the first place.

More SMB Exploits, More Questions
As it approaches its October security update cycle, Redmond continues to downplay the effectiveness of recently published exploits for its Server Message Block (SMB) Version 2 programs sitting on Vista SP1 and SP2, and Windows Server 2008 SP1 and SP2.

Microsoft said that the new vulnerabilities disclosed last week by a bevy of security researchers -- including those published on the Metasploit security test Web site by Harmony Security's Stephen Fewer -- are already addressed by Security Advisory 975497.

Everyone else will have to wait for Microsoft's patch rollout this month, which is scheduled for Oct. 13. Microsoft is mum on whether SMB will be on the hotfix menu, but it's becoming increasingly unlikely that Microsoft will come out with anything substantive before then, if it does at all.