Question about hacking web-mail (hotmail) accounts

Today I got a strange e-mail from a friend that I seldom have had e-mail
contact with.

He has a hotmail account, and header analysis shows that the e-mail did
indeed originate from hotmail.

The subject was simply "video.."

I've reproduced the message body as it appears in raw source format:

--------------5200e5eee77f48869a
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<b><span style="font-size: 20pt;">
<a  alt="

"
id="
"
href="alpha-numeric.cw9.me/dd_name@my-domain.tld/alpha-numeric-here------_ViewMsg" >
Click here to read this message</a>

--------------5200e5eee77f48869a
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<b><span style="font-size: 20pt;">
<a  alt="

"
id="
"
href="alpha-numeric.cw9.me/dd_name@my-domain.tld/alpha-numeric-here------_ViewMsg" >
Click here to read this message</a>
--------------5200e5eee77f48869a

Everywhere you see "alpha-numeric-here" is where there was a string of
seemingly random alpha-numeric characters.  These strings were not
identical.

When viewed normally, there is only 1 line of text that says "Click here
to read this message".  That line is hyper-linked to a URL at the domain
cw9.me.  That domain appears to have been registered yesterday.

I'd like to hear your ideas as to what the link is supposed to do.  It
appears to be a track-back link of some sort (enabling the server to log
valid e-mail addresses).  It also seems to spawn a request to
maxmind.com (a domain that was blocked by my hosts file).  A simple http
request to cw9.com spawns this re-direction:

http://j.maxmind.com/app/geoip.js

If you try it, and look at geoip.js, you'll see a brief IP-geolocation
report on your IP address.

If you try cw9.com in a browser without any web-blocking, it looks like
you get hit with a bunch of advertising.

So if anyone wants to follow up on what is being attempted by this URL,
please post back your analysis.

I had my friend with the compromised hotmail account log in to his
account and check his sent folder.  Sure enough, there were lots of
examples of this e-mail being sent to all of his contacts.  In my case,
based on looking at the e-mail headers, the perp seems to have logged in
from (or through) an IP address in Argentina.

So, if anyone here knows anything about the operational details of how a
web-mail account gets hacked and used, here are my questions:

1) why doesn't the perp (or the automated process behind these
activities) delete the spams it sends from the victim's sent-mail
folder?

2) why doesn't the perp (or the automated process) change the victim's
account password so that he/it has exclusive and continuous use of the
account?

3) and here's the 64 thousand dollar question -> is it known if these
accounts are compromised through a password-cracking process, or was the
password knowable because the victim's personal computer (the computer
typically used to access the web-mail account) was hacked (trojanized,
keylogged, etc)?

What are the odds that my friend's computer (2-year-old win-7 machine of
some sort) is infected with something, and that "something" is how the
hackers learned of the hotmail password?

Re: Question about hacking web-mail (hotmail) accounts




That's not the full Hotmail header.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Re: Question about hacking web-mail (hotmail) accounts

"David H. Lipman" wrote:
 

I said it was the full message body.  There was no need to reproduce the
header (because it has no bearing on the context of my questions).

Re: Question about hacking web-mail (hotmail) accounts



Except the source.





Re: Question about hacking web-mail (hotmail) accounts

"David H. Lipman" wrote:


I'm not following you.

The password for a hotmail account has become known to a third party
(call him a hacker, cracker, criminal, what-ever you want).

E-mails were sent through hotmail using the account's credentials.
Copies of those e-mails are present in the sent folder of the account.

I am most curious as to how the account password became compromised.

How is your seeing the full header going to speak to that question?

Re: Question about hacking web-mail (hotmail) accounts



http://it.slashdot.org/story/12/04/27/1311255/microsoft-patches-major-hotmail-0-day-flaw-after-widespread-exploitation

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Question about hacking web-mail (hotmail) accounts


http://it.slashdot.org/story/12/04/27/1311255/microsoft-patches-major-hotmail-0-day-flaw-after-widespread-exploitation

That explains why the flood of Job Fraud emails via compromised HotMail
accounts I have received stopped around that time frame.

Thanx Dave



Re: Question about hacking web-mail (hotmail) accounts



Damn - Just got another one :-(





Re: Question about hacking web-mail (hotmail) accounts

"David W. Hodgins" wrote:

http://it.slashdot.org/story/12/04/27/1311255/microsoft-patches-major-hotmail-0-day-flaw-after-widespread-exploitation

That's a password-reset vulnerability. In this case there was no
password change so, unless there's another Hotmail bug, I believe
it's more likely that social engineering or malware was involved.



Re: Question about hacking web-mail (hotmail) accounts



Do you believe that article? It looks like it's planted by Microsoft
denigrators.

--
Bear
http://bearware.info

Re: Question about hacking web-mail (hotmail) accounts

Virus Guy wrote:

That might not be exactly true. I don't know the full details of how
hotmail works it, but in some cases where a password is used *only* the
client knows that password.

[...]

Re: Question about hacking web-mail (hotmail) accounts

"Virus Guy" wrote:

href="alpha-numeric.cw9.me/dd_name@my-domain.tld/alpha-numeric-here------_ViewMsg"



Can't tell without the alphanumerics, which is/are likely to be
affiliate code/s of some kind. Substituting random letters & numbers
gets a 404.

Going to cw9.me by itself gets a line of script:

 top.location.href ='track_main.php?u=404';

following that (with or without "?u=404") gets two one-line scripts:

 src="http://j.maxmind.com/app/geoip.js"
 top.location.href = 'track_main.php?cty=' + geoip_country_name();

So, translating that for where I am gets:

 cw9.me/track_main.php?cty=United%20Kingdom

That gets a page with a javascript alert and meta-refresh:

 "To continue, fill the form and click Sign Up button"
 location.href="h**p://tnktrck.com/?a=5326&c=6054&s1=";

That redirects (302) to the same URL but using https (SSL) and that
redirects to:

 www .tracklead.net/click.track?CID=206574&AFID=136366&ADID=741355&SID=5326

which redirects to:

 www .ziinga.com/partners/pair/uk/ewa-cpl-uk/ewa-cpl-uk?subId=136366

which redirects to:

 www .ziinga.com/landing/uk_big_savings.php/?subId=136366

Seems to be some sort of auction scam for which you have to sign up
and pay a subscription.


The answer to your first two about why tracks are not covered is that
"spammers are stupid" - see "the rules of spam".

As to how they get login details, it's either social engineering or
malware - both very common.



Re: Question about hacking web-mail (hotmail) accounts

Ant wrote:
 

Ok, so after disabling my hosts file, I played around with the original
url by substituting a fake e-mail address. So for example, a wget
performed on this:

hxxp://xxxxxxxxxxxxxx.cw9.me/dd_fuck@off.com/xxxxxxxxxxxxxxxxxxxxxn_ViewMsg

Results in this:

<script language="JavaScript" src="hxxp://j.maxmind.com/app/geoip.js">
</script>
<script> top.location.href = '/redir_main.php?to=fuck@off.com&cty=' +
 geoip_country_name();
</script>

Clearly, they first want to get some geographic information about you
and then include that in the URL they redirect you to for the subsequent
redirections.

When run in a browser, I don't see the hit to maxmind.com, but instead I
see this:

hxxp://ww104.dbyli.com/track_main.php?id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&id=4

or sometimes here:

hxxp://internettestbank.com/d/alphanum%2F%2Fww66.dbyli.com%2Ftrack_main.php%3Fid%3Dalphanum%26id%3D4

Then here:

hxxp://ww140.dbyli.com/video_alphanun

Which interestingly was a fake Microsoft Live login screen - but only
the first time I hit it.  All other attempts get redirected through
here:

http://ww104.dbyli.com/track_main.php?id=alphanum&id=4

And then land on page like these:

hxxp://www. rewardscentre.net/?session_id=12345678
hxxp://www. electronicssavingsoutlet.net/?session_id=12345678
hxxp://www. edealsandbargains.net/?session_id=12345678

If you try this first, I think you'll find it will work without having
the actual alpha-numeric code:

hxxp://12345678.cw9.me/dd_fuck@off.com/12345678_ViewMsg

(or insert any fake e-mail address you want)


Well, whatever these things are, they don't seem to push any exploits
at you.


By social engineering - you mean my friend might have encountered a fake
hotmail login screen at some point in the past?

Re: Question about hacking web-mail (hotmail) accounts

"Virus Guy" wrote:


Yes, that worked. I used example.com and got:

 src="http://j.maxmind.com/app/geoip.js"
 top.location.href = '/redir_main.php?to=some@example.com&cty=' +
geoip_country_name();

Redirected to:

 ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==

The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64 encoded.
Like you, I got a fake Login Live page. Although in English, some of
the internal html text was Portuguese or Spanish (I can't tell the
difference), e.g:

 meta content="El nuevo Hotmail ya está aquí. Es un sistema...


Exactly; just like the page we're seeing here! Pretty much all the
content is from live.com but when you press "sign in" the thief gets
your account details. It's also tied to your email address by the b64
encoded string.
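The two posts above (Ant's hop-by-hop walk of the cw9.me chain, and the later finding that the victim's address rides along in the link first as a dd_ path segment, then as a ?to= parameter, and finally base64-encoded in the video_ path) can be reproduced offline. The following is an added example, not code from any poster or from the spam itself: it walks the script-driven redirects without a browser, substitutes a country name where the page would have called geoip_country_name() from maxmind's geoip.js, and pulls the tied-in address out of each hop. The hostnames and path shapes follow the thread; the 12345678 token, the exact page bodies and the fetch-by-dictionary are assumptions made so the example runs with no network access.

```python
import base64
import re
from urllib.parse import parse_qs, quote, unquote, urljoin, urlsplit

# Constructed sample responses standing in for what wget returned in the
# thread.  Hostnames and path shapes follow the posts; the exact bodies and
# the 12345678 token are assumptions for the purpose of this example.
START = "http://12345678.cw9.me/dd_some@example.com/12345678_ViewMsg"
SAMPLE_RESPONSES = {
    START:
        '<script language="JavaScript" src="http://j.maxmind.com/app/geoip.js"></script>\n'
        "<script> top.location.href = '/redir_main.php?to=some@example.com&cty=' + "
        "geoip_country_name(); </script>",
    "http://12345678.cw9.me/redir_main.php?to=some@example.com&cty=United%20Kingdom":
        '<script>top.location.href = "http://ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==";'
        "</script>",
    "http://ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==":
        '<html><head><meta content="El nuevo Hotmail ya está aquí."></head>'
        '<body><form method="post" action="post.php">'
        '<input name="login"><input type="password" name="passwd"></form></body></html>',
}

# Matches the JavaScript redirect idiom quoted in the thread; group 2 is set
# when the country name from geoip.js is concatenated onto the URL.
REDIRECT_RE = re.compile(
    r"""location\.href\s*=\s*['"]([^'"]+)['"]\s*(\+\s*geoip_country_name\(\))?""")


def next_hop(url, body, country):
    """Return the URL the page's inline script would send the browser to, or None."""
    m = REDIRECT_RE.search(body)
    if not m:
        return None
    target = urljoin(url, m.group(1))   # resolve '/redir_main.php?...' against the host
    if m.group(2):
        target += quote(country)        # emulate what geoip_country_name() would append
    return target


def follow_chain(start, fetch, country, max_hops=10):
    """Walk script-driven redirects without a browser.  fetch(url) -> body or None."""
    chain = [start]
    while len(chain) <= max_hops:
        body = fetch(chain[-1])
        if body is None:
            break
        nxt = next_hop(chain[-1], body, country)
        if nxt is None or nxt in chain:  # end of chain, or a redirect loop
            break
        chain.append(nxt)
    return chain


def extract_victim_email(url):
    """Recover the recipient address the link is tied to, in any of the three
    encodings seen in the thread: a dd_<addr> path segment, a ?to=<addr>
    query parameter, or a video_<base64(addr)> path segment."""
    parts = urlsplit(url)
    for seg in parts.path.split("/"):
        if seg.startswith("dd_"):
            return unquote(seg[3:])
        if seg.startswith("video_"):
            try:
                return base64.b64decode(seg[6:]).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                return None
    to = parse_qs(parts.query).get("to")
    return to[0] if to else None


def has_password_form(body):
    """Crude check for a credential-harvesting page: a form with a password field."""
    return bool(re.search(r"<form\b", body, re.I)) and bool(
        re.search(r'<input[^>]+type=["\']?password', body, re.I))


if __name__ == "__main__":
    hops = follow_chain(START, SAMPLE_RESPONSES.get, "United Kingdom")
    for i, u in enumerate(hops):
        print(i, u, "victim=%s" % extract_victim_email(u))
    print("credential form at end of chain:", has_password_form(SAMPLE_RESPONSES[hops[-1]]))
```

Against live infrastructure you would replace SAMPLE_RESPONSES.get with a fetch function that uses a throwaway address in the dd_ segment, as the posters did, since every hop carries the recipient address and fetching the real link confirms it as live to whoever runs the tracker.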



Re: Question about hacking web-mail (hotmail) accounts



I bit on something like that a couple of days ago, but it had something to
do with a facebook page. Then a Facebook login page popped up and Firefox
automatically filled in my login credentials. I clicked "Login" and the
screen went away. But FaceBook never showed up.
The more I thought about it, the fishier it looked.
So I immediately logged into Facebook and changed my password.
As much as I preach to my customers about being careful what you click on,
I couldn't believe that I did it myself!

--
  --- My mother never saw the irony in calling me a son-of-a-bitch ---

Re: Question about hacking web-mail (hotmail) accounts

"Li'l Abner" wrote:


Yep, it's fairly easy to fall for these tricks if you're not paying
attention.

As always it's a balance between ease of use and security. Don't allow
browsers to store passwords; don't click on things you haven't
deliberately launched; don't use webmail like Hotmail, Yahoo or Gmail,
instead use a proper SMTP mail service like one your ISP may provide.

You think the general public will do this? No chance! They've no idea
that you don't need a browser to do email or that there's more to the
internet than "twitbook".



Re: Question about hacking web-mail (hotmail) accounts

On Wed, 02 May 2012 14:35:47 -0500, Li'l Abner wrote:




What's Facebook?

LOL.

--
"Any man's death diminishes me, because I am involved
in mankind, and therefore never send to know for whom
the bell tolls; it tolls for thee".
-John Donne (1572-1631)

Re: Question about hacking web-mail (hotmail) accounts

email.me:

 
Yeah, I know. I spend very little time on it. I only have 3 friends.
On FaceBook, that is... :-)



Re: Question about hacking web-mail (hotmail) accounts

Li'l Abner wrote:
That's pitiful - or so I've heard.

Before I deactivated my Facebook account I logged on one day to find two
pages of Korean girls wanting to be my friend. I'm a friendly guy, but
not *that* friendly.

