Security Watch

E-Mail Mishap

Users of Hotmail and other Web mail services could be on the hot seat.

As many as 10,000 Hotmail usernames and passwords were posted online over the weekend, in what appears to be a massive phishing attack, the technology news site Neowin.net reported Monday. The list, posted on a code-sharing site called pastebin.com, contained usernames beginning with the letters A and B, Neowin reported, suggesting that the list (which has since been taken down) could be a small part of a larger breach.

By Tuesday, additional lists began to appear containing e-mail account details for Gmail, Yahoo, Comcast, Earthlink and other third-party e-mail hosting services, expanding the scope of the breach to an estimated 20,000 names.

Notified by Neowin of the initial posting, Microsoft Corp. confirmed the breach. The Redmond, Wash., software company said that its systems had not been hacked, and suggested that users had been conned into giving up their account details.

The New York Times, commenting on the Neowin report in its Gadgetwise blog, noted that e-mail accounts are especially coveted by hackers because they can be used to find or reset passwords for other online accounts (including financial accounts).

Trickier Trojan

The bad guys have found a way to prevent fraudulent transactions from appearing in consumers' online banking records.

This work is accomplished by the URLZone Trojan, which "is hooked into your browser and dynamically modifies the text in the html" code used to write Web sites, Yuval Ben-Itzhak, the chief technology officer of the computer security firm Finjan Software Inc., told Wired.com for a Sept. 30 article in its "Threat Level" blog.

"They actually modify and change the statement you see there," Ben-Itzhak said.

People with infected machines would see only the transactions that the scammers want them to see, and unless the victims check their balances from an uninfected machine or another channel, they may not realize anything is amiss.

"If you don't know it, you won't report it to the bank," he said.

URLZone can also hide from banks' fraud detection systems, which may be on the lookout for mysterious transactions that suddenly drain a user's account. For example, the Trojan withdraws random amounts of money to avoid establishing a pattern.

Finjan, of San Jose, said it located a Ukrainian server that hosted a program that was sending instructions to the Trojan and had the command program taken offline. Before that happened, URLZone was able to compromise 6,400 computers, according to data Finjan said it found with the command program.

The incident Finjan observed targeted only German banks.

Foul Call

Former NBA player Rumeal Robinson has been charged with multiple bank crimes, and also faces a civil suit from the woman who adopted him when he was 12 and has accused him of swindling her out of her home.

Helen Ford, 65, said that Robinson approached her in 2003 and offered to help her pay the mortgage on her longtime home in Cambridge, Mass. Instead, the document she signed as part of that process allegedly gave her son the deed, according to an Oct. 1 article in the Cambridge Chronicle.

Ford raised Robinson, who had been abandoned by his biological mother, along with her five biological children and 15 foster children, the article said. Robinson became famous for making a pair of last-second free throws in the 1989 NCAA championship to help the University of Michigan Wolverines defeat Seton Hall University. He later played for several NBA teams and in Europe.

Ford said she discovered the alleged swindle when she received a court notice in 2007 instructing her to leave her home by February 2008 (she was able to extend her stay). According to the article, Robinson deeded the property to a business associate in 2006. When the associate defaulted on a loan, a bank took ownership of the home, the Chronicle said.

The Federal Bureau of Investigation arrested Robinson last month in an unrelated incident. Robinson has pleaded not guilty to charges of conspiracy to commit bank fraud, bank bribery, false statement to a financial institution and wire fraud, the article said.

Extradited

Two Romanians have been extradited to the United States to face charges connected to a phishing scam involving U.S. bank accounts.

Petru Belbita, 25, was arrested in Montreal in January and extradited to the U.S. on Friday, according to an article published by Computerworld Sept. 29. Cornel Tonita, 28, was arrested in Croatia in July and extradited last month. Both have pleaded not guilty.

Ovidiu-Ionut Nicola-Roman, a third Romanian who allegedly conspired with the two others, has been convicted and was sentenced in March to four years in prison. Nicola-Roman was the first foreign national convicted in the U.S. on phishing charges, the article said.

Belbita and Tonita were identified in a May 2008 phishing crackdown by the Federal Bureau of Investigation, the article said. They allegedly employed people in the U.S. to withdraw cash from automated teller machines using stolen bank card data.

Exposures

Hackers reportedly used data from a New Jersey payroll company to trick its clients into handing over more sensitive information.

PayChoice, a unit of PAI Group Inc. of Moorestown, N.J., discovered Sept. 23 that it had been breached, and that the hackers had used the stolen data to contact its customers, The Washington Post's Brian Krebs reported in his Sept. 30 "Security Fix" column.

According to Krebs, the hackers gleaned enough details to craft convincing phishing e-mails, addressing recipients by name and even including parts of their PayChoice passwords. The phishing e-mails had a link to either a file or a Web site that would install a malicious program on users' computers.

Though the hackers had the PayChoice customers' payroll passwords, they sent out phishing e-mails to get access to clients' bank accounts, one expert told Krebs.

"In these kinds of attacks, there's a high probability that the fake e-mails will go to someone who has access to their employer's commercial bank account," Mike LaPilla, the manager of malicious code operations for VeriSign Inc.'s subsidiary iDefense, told Krebs.
