Attacks illustrate vulnerabilities with Web-based e-mail services, which can let attackers into the corporate network, reports say.
Users of Hotmail and Yahoo Mail have had targeted attacks aimed at them similar to the attacks Google says have been directed at U.S. officials, political activists, and journalists who use Gmail, according to Trend Micro.
Google said earlier this week that it had disrupted a targeted phishing campaign against Gmail users that appeared to originate in China. The attackers were trying to monitor e-mails and use stolen passwords to change the settings in the accounts so that e-mails would be forwarded to their own accounts, Google said.
China has denied any responsibility and claims the U.S. is behind the "Internet war," according to The Associated Press.) Meanwhile, the FBI is investigating the Gmail attacks, officials told told CNET.
A Trend Micro blog post from yesterday says that Hotmail and Yahoo Mail users have separately been targets of similar attacks, in what appears to be a wave of attacks exploiting vulnerabilities in Web-based e-mail services.
"Trend Micro researchers in Taiwan revealed a phishing attack that exploited a vulnerability in Microsoft's Hotmail service. In fact, rather than clicking a malicious link, even the simple act of previewing the malicious e-mail message can compromise a user's account. This phishing e-mail pretended to be from the Facebook security team," the post said. "In addition to Gmail and Hotmail users, Yahoo Mail users have also been targeted. We recently alerted Yahoo of an attempt to exploit Yahoo Mail by stealing users' cookies in order to gain access to their e-mail accounts. While this attempt appeared to fail, it does signify that attackers are attempting to attack Yahoo Mail users as well."
Microsoft has fixed the issue with a security update, Trend Micro said in an earlier blog post.
John Scarrow, general manager of Microsoft Safety Services, provided this statement: "Microsoft is not aware of any Hotmail customers being targeted by the specific phishing attacks that occurred earlier this week. However, phishing attacks and other forms of abuse are a persistent industry challenge. Microsoft takes the security and privacy of our customers very seriously. We work hard to protect our customers and we actively prosecute malicious entities that violate the law through spam, phishing, and other attacks. Customer guidance on how to identify and deal with the issue can be found on the Microsoft Online Privacy and Safety site."
Meanwhile, Yahoo representatives did not immediately respond to an e-mail seeking comment.
Web-based e-mail accounts lack some of the defenses that corporate e-mail systems offer, Mila Parkour wrote in a post in February on her Contagio blog, which Google said had tipped it off to the attacks.
"Google, Yahoo, and other personal mail services do not offer the same protection against spoofing and malware as enterprise accounts," Parkour wrote. "In addition, it is often being checked at home in a relaxed atmosphere, which helps to catch the victim off guard, especially if it appears to arrive from a frequent contact. Some people have a habit of forwarding messages from enterprise accounts to their personal mail for saving or easy reading at home, which may potentially offer some sensitive information."
Updated 2:02 p.m. PT with FBI investigating Gmail attacks and 12:57 p.m. PT with information that Microsoft has fixed the Hotmail issue.