In a blog post, published Thursday, Villeneuve outlined other attacks, including one that leveraged a Hotmail Web programming bug to suck email messages from users’ accounts. This attack worked by tricking victims into reading a maliciously encoded email message. It hit Taiwanese victims.


Another attack, spotted recently by Trend Micro, attempted to break into Yahoo Mail accounts by stealing the browser’s cookie files and then using that information to try to trick Yahoo’s servers into divulging sensitive information, Villeneuve said. However, it looks like this attack didn’t actually work thanks to technical difficulties, he said.

Microsoft was unable to immediately comment for this story, but earlier it did confirm that it fixed the Hotmail flaw. A Yahoo spokeswoman declined to comment on Trend Micro’s report, but said that the company does “take security very seriously.”

“We invest heavily in protective measures to ensure the security of our users and their data,” the Yahoo spokeswoman said in an email message. “We also use a multi-faceted approach to further protect against spam, phishing and other online scams, which includes rapid response, industry collaboration, public policy efforts, and consumer awareness.”

Although Gmail is now getting the most attention, Yahoo Mail is actually the most targeted Web mail platform, according to one researcher, who spoke on condition of anonymity because he is involved in sensitive investigations into these attacks. “It’s been going on for a very long time,” he said. “Campaigns go on every day.”