Question about hacking web-mail (hotmail) accounts

[Li'l Abner]

"Ant" <not@home.today> wrote in
news:2JadnWezCv8m_DzSnZ2dnUVZ8iKdnZ2d@brightview.c o.uk:

> "Virus Guy" wrote:
>
>> If you try this first, I think you'll find it will work without
>> having the actual alpha-numeric code:
>>
>> hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg
>
> Yes, that worked. I used example.com and got:
>
> src="http://j.maxmind.com/app/geoip.js"
> top.location.href = '/redir_main.php?to=some@example.com&cty=' +
> geoip_country_name();
>
> Redirected to:
>
> ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==
>
> The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64
> encoded. Like you, I got a fake Login Live page. Although in English,
> some of the internal html text was Portugese or Spanish (I can't tell
> the difference), e.g:
>
> meta content="El nuevo Hotmail ya está aquÃ*. Es un sistema...
>
>> By social engineering - you mean my friend might have encountered a
>> fake hotmail login screen at some point in the past?
>
> Exactly; just like the page we're seeing here! Pretty much all the
> content is from live.com but when you press "sign in" the thief gets
> your account details. It's also tied to your email address by the b64
> encoded string.

I bit on something like that a couple of days ago, but it had something to
do with a facebook page. Then a Facebook login page popped up and Firefox
automatically filled in my login credentials. I clicked "Login" and the
screen went away. But FaceBook never showed up.
The more I thought about it, the fishier it looked.
So I immediately logged into Facebook and changed my password.
As much as I preach to my customers about being careful what you click on,
I couldn't believe that I did it myself!

--
--- My mother never saw the irony in calling me a son-of-a-***** ---

[FromTheRafters]

Virus Guy wrote:
> "David H. Lipman" wrote:
>
>>>> That's not the full Hotmail header.
>>>
>>> I said it was the full message body. There was no need to
>>> reproduce the header (because it has no bearing on the
>>> context of my questions).
>>
>> Except the source.
>
> I'm not following you.
>
> The password for a hotmail account has become known to a third party
> (call him a hacker, cracker, criminal, what-ever you want).

That might not be exactly true. I don't know the full details of how
hotmail works it, but in some cases where a password is used *only* the
client knows that password.

[...]

[Ant]

"David W. Hodgins" wrote:

> On Tue, 01 May 2012 21:29:00 -0400, Virus Guy wrote:
>> I am most curious as to how the account password became comprimized.
>
> http://it.slashdot.org/story/12/04/2...d-exploitation

That's a password-reset vulnerability. In this case there was no
password change so, unless there's another Hotmail bug, I believe
it's more likely that social engineering or malware was involved.

[Ant]

"Li'l Abner" wrote:

> I bit on something like that a couple of days ago, but it had something to
> do with a facebook page. Then a Facebook login page popped up and Firefox
> automatically filled in my login credentials. I clicked "Login" and the
> screen went away. But FaceBook never showed up.
> The more I thought about it, the fishier it looked.
> So I immediately logged into Facebook and changed my password.
> As much as I preach to my customers about being careful what you click on,
> I couldn't believe that I did it myself!

Yep, it's fairly easy to fall for these tricks if you're not paying
attention.

As always it's a balance between ease of use and security. Don't allow
browsers to store passwords; don't click on things you haven't
deliberately launched; don't use webmail like Hotmail, Yahoo or Gmail,
instead use a proper SMTP mail service like one your ISP may provide.

You think the general public will do this? No chance! They've no idea
that you don't need a browser to do email or that there's more to the
internet than "twitbook".

[David H. Lipman]

From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

> From: "David W. Hodgins" <dwhodgins@nomail.afraid.org>
>
>> On Tue, 01 May 2012 21:29:00 -0400, Virus Guy <Virus@guy.com> wrote:
>>
>>> I am most curious as to how the account password became comprimized.
>>
>> http://it.slashdot.org/story/12/04/2...d-exploitation
>>
> That explians why the flood of Job Fraud emails via compromised HotMail
> accounts I have received stopped around that time frame.
>

Damn - Just got another one :-(



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

[Aardvark]

On Wed, 02 May 2012 14:35:47 -0500, Li'l Abner wrote:

> "Ant" <not@home.today> wrote in
> news:2JadnWezCv8m_DzSnZ2dnUVZ8iKdnZ2d@brightview.c o.uk:
>
>> "Virus Guy" wrote:
>>
>>> If you try this first, I think you'll find it will work without having
>>> the actual alpha-numeric code:
>>>
>>> hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg
>>
>> Yes, that worked. I used example.com and got:
>>
>> src="http://j.maxmind.com/app/geoip.js"
>> top.location.href = '/redir_main.php?to=some@example.com&cty=' +
>> geoip_country_name();
>>
>> Redirected to:
>>
>> ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==
>>
>> The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64 encoded.
>> Like you, I got a fake Login Live page. Although in English,
>> some of the internal html text was Portugese or Spanish (I can't tell
>> the difference), e.g:
>>
>> meta content="El nuevo Hotmail ya está aquÃ*. Es un sistema...
>>
>>> By social engineering - you mean my friend might have encountered a
>>> fake hotmail login screen at some point in the past?
>>
>> Exactly; just like the page we're seeing here! Pretty much all the
>> content is from live.com but when you press "sign in" the thief gets
>> your account details. It's also tied to your email address by the b64
>> encoded string.
>
> I bit on something like that a couple of days ago, but it had something
> to do with a facebook page. Then a Facebook login page popped up and
> Firefox automatically filled in my login credentials. I clicked "Login"
> and the screen went away. But FaceBook never showed up.
> The more I thought about it, the fishier it looked.
> So I immediately logged into Facebook and changed my password.
> As much as I preach to my customers about being careful what you click
> on,
> I couldn't believe that I did it myself!



What's Facebook?

LOL.

--
"Any man's death diminishes me, because I am involved
in mankind, and therefore never send to know for whom
the bell tolls; it tolls for thee".
-John Donne (1572-1631)

[Li'l Abner]

Aardvark <aardvark@aardvark.uk.tc> wrote in news:jnseal$ckb$1@dont-
email.me:

> On Wed, 02 May 2012 14:35:47 -0500, Li'l Abner wrote:
>
>> "Ant" <not@home.today> wrote in
>> news:2JadnWezCv8m_DzSnZ2dnUVZ8iKdnZ2d@brightview.c o.uk:
>>
>>> "Virus Guy" wrote:
>>>
>>>> If you try this first, I think you'll find it will work without
having
>>>> the actual alpha-numeric code:
>>>>
>>>> hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg
>>>
>>> Yes, that worked. I used example.com and got:
>>>
>>> src="http://j.maxmind.com/app/geoip.js"
>>> top.location.href = '/redir_main.php?to=some@example.com&cty=' +
>>> geoip_country_name();
>>>
>>> Redirected to:
>>>
>>> ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==
>>>
>>> The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64
encoded.
>>> Like you, I got a fake Login Live page. Although in English,
>>> some of the internal html text was Portugese or Spanish (I can't tell
>>> the difference), e.g:
>>>
>>> meta content="El nuevo Hotmail ya está aquÃ*. Es un sistema...
>>>
>>>> By social engineering - you mean my friend might have encountered a
>>>> fake hotmail login screen at some point in the past?
>>>
>>> Exactly; just like the page we're seeing here! Pretty much all the
>>> content is from live.com but when you press "sign in" the thief gets
>>> your account details. It's also tied to your email address by the b64
>>> encoded string.
>>
>> I bit on something like that a couple of days ago, but it had
something
>> to do with a facebook page. Then a Facebook login page popped up and
>> Firefox automatically filled in my login credentials. I clicked
"Login"
>> and the screen went away. But FaceBook never showed up.
>> The more I thought about it, the fishier it looked.
>> So I immediately logged into Facebook and changed my password.
>> As much as I preach to my customers about being careful what you click
>> on,
>> I couldn't believe that I did it myself!
>
>
>
> What's Facebook?
>
> LOL.

Yeah, I know. I spend very little time on it. I only have 3 friends.
On FaceBook, that is... :-)


--
--- My mother never saw the irony in calling me a son-of-a-***** ---

[FromTheRafters]

Li'l Abner wrote:
> Aardvark<aardvark@aardvark.uk.tc> wrote in news:jnseal$ckb$1@dont-
> email.me:
>
>> On Wed, 02 May 2012 14:35:47 -0500, Li'l Abner wrote:
>>
>>> "Ant"<not@home.today> wrote in
>>> news:2JadnWezCv8m_DzSnZ2dnUVZ8iKdnZ2d@brightview.c o.uk:
>>>
>>>> "Virus Guy" wrote:
>>>>
>>>>> If you try this first, I think you'll find it will work without
> having
>>>>> the actual alpha-numeric code:
>>>>>
>>>>> hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg
>>>>
>>>> Yes, that worked. I used example.com and got:
>>>>
>>>> src="http://j.maxmind.com/app/geoip.js"
>>>> top.location.href = '/redir_main.php?to=some@example.com&cty=' +
>>>> geoip_country_name();
>>>>
>>>> Redirected to:
>>>>
>>>> ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==
>>>>
>>>> The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64
> encoded.
>>>> Like you, I got a fake Login Live page. Although in English,
>>>> some of the internal html text was Portugese or Spanish (I can't tell
>>>> the difference), e.g:
>>>>
>>>> meta content="El nuevo Hotmail ya está aquÃ*. Es un sistema...
>>>>
>>>>> By social engineering - you mean my friend might have encountered a
>>>>> fake hotmail login screen at some point in the past?
>>>>
>>>> Exactly; just like the page we're seeing here! Pretty much all the
>>>> content is from live.com but when you press "sign in" the thief gets
>>>> your account details. It's also tied to your email address by the b64
>>>> encoded string.
>>>
>>> I bit on something like that a couple of days ago, but it had
> something
>>> to do with a facebook page. Then a Facebook login page popped up and
>>> Firefox automatically filled in my login credentials. I clicked
> "Login"
>>> and the screen went away. But FaceBook never showed up.
>>> The more I thought about it, the fishier it looked.
>>> So I immediately logged into Facebook and changed my password.
>>> As much as I preach to my customers about being careful what you click
>>> on,
>>> I couldn't believe that I did it myself!
>>
>>
>>
>> What's Facebook?
>>
>> LOL.
>
> Yeah, I know. I spend very little time on it. I only have 3 friends.
> On FaceBook, that is... :-)
>
That's pitiful - or so I've heard.

Before I deactivated my Facebook account I logged on one day to find two
pages of Korean girls wanting to be my friend. I'm a friendly guy, but
not *that* friendly.