
Thread: Question about hacking web-mail (hotmail) accounts


  1. #1
    Virus Guy Guest

    Question about hacking web-mail (hotmail) accounts

    Today I got a strange e-mail from a friend that I seldom have had e-mail
    contact with.

    He has a hotmail account, and header analysis shows that the e-mail did
    indeed originate from hotmail.

    The subject was simply "video.."

    I've reproduced the message body as it appears in raw source format:

    --------------5200e5eee77f48869a
    Content-Type: text/plain; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit

    <b><span style="font-size: 20pt;">
    <a alt="{alpha-numeric-here}
    {alpha-numeric-here}
    {alpha-numeric-here}"
    id="{alpha-numeric-here}
    {alpha-numeric-here}"
    href="alpha-numeric.cw9.me/dd_name@my-domain.tld/alpha-
    numeric-here------_ViewMsg" >
    Click here to read this message</a>

    --------------5200e5eee77f48869a
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit

    <b><span style="font-size: 20pt;">
    <a alt="{alpha-numeric-here}
    {alpha-numeric-here}
    {alpha-numeric-here}"
    id="{alpha-numeric-here}
    {alpha-numeric-here}"
    href="alpha-numeric.cw9.me/dd_name@my-domain.tld/alpha-
    numeric-here------_ViewMsg" >
    Click here to read this message</a>
    --------------5200e5eee77f48869a

    Everywhere you see "alpha-numeric-here" is where there was a string of
    seemingly random alpha-numeric characters. These strings were not
    identical.

    When viewed normally, there is only 1 line of text that says "Click here
    to read this message". That line is hyper-linked to a URL at the domain
    cw9.me. That domain appears to have been registered yesterday.

    I'd like to hear your ideas as to what the link is supposed to do. It
    appears to be a track-back link of some sort (enabling the server to log
    valid e-mail addresses). It also seems to spawn a request to
    maxmind.com (a domain that was blocked by my hosts file). A simple http
    request to cw9.com spawns this re-direction:

    http://j.maxmind.com/app/geoip.js

    If you try it, and look at geoip.js, you'll see a brief IP-geolocation
    report on your IP address.

    If you try cw9.com in a browser without any web-blocking, it looks like
    you get hit with a bunch of advertising.

    So if anyone wants to follow up on what is being attempted by this URL,
    please post back your analysis.

    I had my friend with the compromised hotmail account log into his
    account and check his sent folder. Sure enough, there were lots of
    examples of this e-mail being sent to all of his contacts. In my case,
    based on looking at the e-mail headers, the perp seems to have logged in
    from (or through) an IP address in Argentina.

    So, if anyone here knows anything about the operational details of how a
    web-mail account gets hacked and used, here are my questions:

    1) why doesn't the perp (or the automated process behind these
    activities) delete the spams it sends from the victim's sent-mail
    folder?

    2) why doesn't the perp (or the automated process) change the victim's
    account password so that he/it has exclusive and continuous use of the
    account?

    3) and here's the 64 thousand dollar question -> is it known if these
    accounts are compromised through a password-cracking process, or was the
    password knowable because the victim's personal computer (the computer
    typically used to access the web-mail account) was hacked (trojanized,
    keylogged, etc)?

    What are the odds that my friend's computer (2-year-old win-7 machine of
    some sort) is infected with something, and that "something" is how the
    hackers learned of the hotmail password?

  2. #2
    David H. Lipman Guest

    Re: Question about hacking web-mail (hotmail) accounts

    From: "Virus Guy" <Virus@Guy.com>

    > Today I got a strange e-mail from a friend that I seldom have had e-mail
    > contact with.
    >
    > He has a hotmail account, and header analysis shows that the e-mail did
    > indeed originate from hotmail.
    >
    > The subject was simply "video.."
    >
    > I've reproduced the message body as it appears in raw source format:
    >
    > --------------5200e5eee77f48869a
    > Content-Type: text/plain; charset="ISO-8859-1"
    > Content-Transfer-Encoding: 7bit
    >
    > <b><span style="font-size: 20pt;">
    > <a alt="{alpha-numeric-here}
    > {alpha-numeric-here}
    > {alpha-numeric-here}"
    > id="{alpha-numeric-here}
    > {alpha-numeric-here}"
    > href="alpha-numeric.cw9.me/dd_name@my-domain.tld/alpha-
    > numeric-here------_ViewMsg" >
    > Click here to read this message</a>
    >
    > --------------5200e5eee77f48869a
    > Content-Type: text/html; charset="ISO-8859-1"
    > Content-Transfer-Encoding: 7bit
    >
    > <b><span style="font-size: 20pt;">
    > <a alt="{alpha-numeric-here}
    > {alpha-numeric-here}
    > {alpha-numeric-here}"
    > id="{alpha-numeric-here}
    > {alpha-numeric-here}"
    > href="alpha-numeric.cw9.me/dd_name@my-domain.tld/alpha-
    > numeric-here------_ViewMsg" >
    > Click here to read this message</a>
    > --------------5200e5eee77f48869a
    >
    > Everywhere you see "alpha-numeric-here" is where there was a string of
    > seemingly random alpha-numeric characters. These strings were not
    > identical.
    >
    > When viewed normally, there is only 1 line of text that says "Click here
    > to read this message". That line is hyper-linked to a URL at the domain
    > cw9.me. That domain appears to have been registered yesterday.
    >
    > I'd like to hear your ideas as to what the link is supposed to do. It
    > appears to be a track-back link of some sort (enabling the server to log
    > valid e-mail addresses). It also seems to spawn a request to
    > maxmind.com (a domain that was blocked by my hosts file). A simple http
    > request to cw9.com spawns this re-direction:
    >
    > http://j.maxmind.com/app/geoip.js
    >
    > If you try it, and look at geoip.js, you'll see a brief IP-geolocation
    > report on your IP address.
    >
    > If you try cw9.com in a browser without any web-blocking, it looks like
    > you get hit with a bunch of advertising.
    >
    > So if anyone wants to follow up on what is being attempted by this URL,
    > please post back your analysis.
    >
    > I had my friend with the compromised hotmail account log into his
    > account and check his sent folder. Sure enough, there were lots of
    > examples of this e-mail being sent to all of his contacts. In my case,
    > based on looking at the e-mail headers, the perp seems to have logged in
    > from (or through) an IP address in Argentina.
    >
    > So, if anyone here knows anything about the operational details of how a
    > web-mail account gets hacked and used, here are my questions:
    >
    > 1) why doesn't the perp (or the automated process behind these
    > activities) delete the spams it sends from the victim's sent-mail
    > folder?
    >
    > 2) why doesn't the perp (or the automated process) change the victim's
    > account password so that he/it has exclusive and continuous use of the
    > account?
    >
    > 3) and here's the 64 thousand dollar question -> is it known if these
    > accounts are compromised through a password-cracking process, or was the
    > password knowable because the victim's personal computer (the computer
    > typically used to access the web-mail account) was hacked (trojanized,
    > keylogged, etc)?
    >
    > What are the odds that my friend's computer (2-year-old win-7 machine of
    > some sort) is infected with something, and that "something" is how the
    > hackers learned of the hotmail password?



    That's not the full Hotmail header.


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp

  3. #3
    Virus Guy Guest

    Re: Question about hacking web-mail (hotmail) accounts

    "David H. Lipman" wrote:

    > That's not the full Hotmail header.


    I said it was the full message body. There was no need to reproduce the
    header (because it has no bearing on the context of my questions).

  4. #4
    David H. Lipman Guest

    Re: Question about hacking web-mail (hotmail) accounts

    From: "Virus Guy" <Virus@Guy.com>

    > "David H. Lipman" wrote:
    >
    >> That's not the full Hotmail header.

    >
    > I said it was the full message body. There was no need to reproduce the
    > header (because it has no bearing on the context of my questions).


    Except the source.


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  5. #5
    Virus Guy Guest

    Re: Question about hacking web-mail (hotmail) accounts

    "David H. Lipman" wrote:

    > >> That's not the full Hotmail header.

    > >
    > > I said it was the full message body. There was no need to
    > > reproduce the header (because it has no bearing on the
    > > context of my questions).

    >
    > Except the source.


    I'm not following you.

    The password for a hotmail account has become known to a third party
    (call him a hacker, cracker, criminal, whatever you want).

    E-mails were sent through hotmail using the account's credentials.
    Copies of those e-mails are present in the sent folder of the account.

    I am most curious as to how the account password became compromised.

    How is your seeing the full header going to speak to that question?

  6. #6
    David W. Hodgins Guest

    Re: Question about hacking web-mail (hotmail) accounts

    On Tue, 01 May 2012 21:29:00 -0400, Virus Guy <Virus@guy.com> wrote:

    > I am most curious as to how the account password became compromised.


    http://it.slashdot.org/story/12/04/2...d-exploitation

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

  7. #7
    FromTheRafters Guest

    Re: Question about hacking web-mail (hotmail) accounts

    Virus Guy wrote:
    > "David H. Lipman" wrote:
    >
    >>>> That's not the full Hotmail header.
    >>>
    >>> I said it was the full message body. There was no need to
    >>> reproduce the header (because it has no bearing on the
    >>> context of my questions).

    >>
    >> Except the source.

    >
    > I'm not following you.
    >
    > The password for a hotmail account has become known to a third party
    > (call him a hacker, cracker, criminal, whatever you want).


    That might not be exactly true. I don't know the full details of how
    hotmail works it, but in some cases where a password is used *only* the
    client knows that password.

    [...]

  8. #8
    Ant Guest

    Re: Question about hacking web-mail (hotmail) accounts

    "Virus Guy" wrote:

    > href="alpha-numeric.cw9.me/dd_name@my-domain.tld/alpha-numeric-here------_ViewMsg"


    > Everywhere you see "alpha-numeric-here" is where there was a string of
    > seemingly random alpha-numeric characters. These strings were not
    > identical.


    > I'd like to hear your ideas as to what the link is supposed to do.


    Can't tell without the alphanumerics, which is/are likely to be
    affiliate code/s of some kind. Substituting random letters & numbers
    gets a 404.

    Going to cw9.me by itself gets a line of script:

    top.location.href ='track_main.php?u=404';

    following that (with or without "?u=404") gets two one-line scripts:

    src="http://j.maxmind.com/app/geoip.js"
    top.location.href = 'track_main.php?cty=' + geoip_country_name();

    So, translating that for where I am gets:

    cw9.me/track_main.php?cty=United%20Kingdom

    That gets a page with a javascript alert and meta-refresh:

    "To continue, fill the form and click Sign Up button"
    location.href="h**p://tnktrck.com/?a=5326&c=6054&s1=";

    That redirects (302) to the same URL but using https (SSL) and that
    redirects to:

    www .tracklead.net/click.track?CID=206574&AFID=136366&ADID=741355&SID =5326

    which redirects to:

    www .ziinga.com/partners/pair/uk/ewa-cpl-uk/ewa-cpl-uk?subId=136366

    which redirects to:

    www .ziinga.com/landing/uk_big_savings.php/?subId=136366

    Seems to be some sort of auction scam for which you have to sign up
    and pay a subscription.

    > So, if anyone here knows anything about the operational details of how a
    > web-mail account gets hacked and used, here are my questions:


    The answer to your first two about why tracks are not covered is that
    "spammers are stupid" - see "the rules of spam".

    As to how they get login details, it's either social engineering or
    malware - both very common.



  9. #9
    Virus Guy Guest

    Re: Question about hacking web-mail (hotmail) accounts

    Ant wrote:

    > Can't tell without the alphanumerics, which is/are likely to be
    > affiliate code/s of some kind. Substituting random letters & numbers
    > gets a 404.


    Ok, so after disabling my hosts file, I played around with the original
    url by substituting a fake e-mail address. So for example, a wget
    performed on this:

    hxxp://xxxxxxxxxxxxxx.cw9.me/dd_****@off.com/xxxxxxxxxxxxxxxxxxxxxn_ViewMsg

    Results in this:

    <script language="JavaScript" src="hxxp://j.maxmind.com/app/geoip.js">
    </script>
    <script> top.location.href = '/redir_main.php?to=****@off.com&cty=' +
    geoip_country_name();
    </script>

    Clearly, they first want to get some geographic information about you
    and then include that in the URL they redirect you to for the subsequent
    redirections.

    When run in a browser, I don't see the hit to maxmind.com, but instead I
    see this:

    hxxp://ww104.dbyli.com/track_main.php?id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx &id=4

    or sometimes here:

    hxxp://internettestbank.com/d/alphanum%2F%2Fww66.dbyli.com%2Ftrack_main.php%3Fid %3Dalphanum%26id%3D4

    Then here:

    hxxp://ww140.dbyli.com/video_alphanun

    Which interestingly was a fake Microsoft Live login screen - but only
    the first time I hit it. All other attempts get redirected through
    here:

    http://ww104.dbyli.com/track_main.php?id=alphanum&id=4

    And then land on pages like these:

    hxxp://www. rewardscentre.net/?session_id=12345678
    hxxp://www. electronicssavingsoutlet.net/?session_id=12345678
    hxxp://www. edealsandbargains.net/?session_id=12345678

    If you try this first, I think you'll find it will work without having
    the actual alpha-numeric code:

    hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg

    (or insert any fake e-mail address you want)

    > Seems to be some sort of auction scam for which you have to sign
    > up and pay a subscription.


    Well, whatever these things are, they don't seem to push any exploits
    at you.

    > As to how they get login details, it's either social engineering
    > or malware - both very common.


    By social engineering - you mean my friend might have encountered a fake
    hotmail login screen at some point in the past?

  10. #10
    Ant Guest

    Re: Question about hacking web-mail (hotmail) accounts

    "Virus Guy" wrote:

    > If you try this first, I think you'll find it will work without having
    > the actual alpha-numeric code:
    >
    > hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg


    Yes, that worked. I used example.com and got:

    src="http://j.maxmind.com/app/geoip.js"
    top.location.href = '/redir_main.php?to=some@example.com&cty=' + geoip_country_name();

    Redirected to:

    ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==

    The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64 encoded.
    Like you, I got a fake Login Live page. Although in English, some of
    the internal html text was Portuguese or Spanish (I can't tell the
    difference), e.g.:

    meta content="El nuevo Hotmail ya está aquí. Es un sistema...

    > By social engineering - you mean my friend might have encountered a fake
    > hotmail login screen at some point in the past?


    Exactly; just like the page we're seeing here! Pretty much all the
    content is from live.com but when you press "sign in" the thief gets
    your account details. It's also tied to your email address by the b64
    encoded string.
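Triage helpers for the two URL shapes discussed in posts #9 and #10: the `dd_<address>/<token>_ViewMsg` tracking link that carries the recipient's own address, and the later `/video_<base64>` hop that Ant decoded to some@example.com. This is an added example, not code from the thread; the body is a constructed sample with placeholder host label, address and token, and the regexes assume the path shapes quoted above.

```python
import base64
import binascii
import re

# Constructed sample shaped like the raw body quoted in the thread; the host label,
# the address and the token are placeholders, not values from any real message.
RAW_BODY = '''<b><span style="font-size: 20pt;">
<a alt="a1b2c3" id="d4e5f6"
href="k7q2z9.cw9.me/dd_alice@example.org/m3n4p5------_ViewMsg" >
Click here to read this message</a>'''

HREF_RE = re.compile(r'href="([^"\s]+)"', re.IGNORECASE)
# Tracking-link shape from the thread: <label>.<domain>/dd_<recipient>/<token>_ViewMsg
TRACK_RE = re.compile(r'^(?:https?://)?([^/]+)/dd_([^/@]+@[^/]+)/[^/]*_ViewMsg$')
# Later hop from the thread: /video_<base64 of the recipient address>
VIDEO_RE = re.compile(r'/video_([A-Za-z0-9+/]+=*)$')


def extract_hrefs(raw_body):
    """Every href value in a raw HTML body, in order of appearance."""
    return HREF_RE.findall(raw_body)


def tracking_target(url):
    """(host, recipient) for a dd_<addr>/..._ViewMsg link, or None if the shape differs."""
    m = TRACK_RE.match(url)
    return (m.group(1), m.group(2)) if m else None


def decode_video_path(url):
    """Decode the base64 suffix of a /video_<b64> URL; None if it is not valid base64."""
    m = VIDEO_RE.search(url)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(raw_body):
    """Recipient addresses leaked through tracking links in the body (who was targeted)."""
    leaked = []
    for href in extract_hrefs(raw_body):
        hit = tracking_target(href)
        if hit:
            leaked.append(hit[1])
    return leaked
```

Running `triage` over a mailbox of these "video.." messages gives the list of contacts whose addresses were handed to the tracking server, which is the set to warn about the fake Login Live page.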


