"Virus Guy" wrote:
> If you try this first, I think you'll find it will work without having
> the actual alpha-numeric code:
>
> hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg
Yes, that worked. I used example.com and got:
src="http://j.maxmind.com/app/geoip.js"
top.location.href = '/redir_main.php?to=some@example.com&cty=' + geoip_country_name();
Redirected to:
ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==
The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64 encoded.
Like you, I got a fake Login Live page. Although in English, some of
the internal html text was Portuguese or Spanish (I can't tell the
difference), e.g.:
meta content="El nuevo Hotmail ya está aquí. Es un sistema...
> By social engineering - you mean my friend might have encountered a fake
> hotmail login screen at some point in the past?
Exactly; just like the page we're seeing here! Pretty much all the
content is from live.com but when you press "sign in" the thief gets
your account details. It's also tied to your email address by the b64
encoded string.


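For triaging proxy or mail-gateway logs for links shaped like the ones in this post, the following added example (not part of the original post; the function names and sample hosts are constructed) extracts recipient addresses from a URL whether they sit in plain text in a query parameter or as a base64 token in the path. It goes slightly beyond the case shown by also accepting the URL-safe base64 alphabet and tokens with the padding stripped.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def decode_email_token(token):
    """Return the address a base64/base64url token decodes to, else None."""
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    if len(body) < 8:
        return None
    body += "=" * (-len(body) % 4)          # restore stripped padding
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL.match(text) else None

def candidates(piece):
    """The piece itself plus every suffix after a '_', '-' or '.' separator."""
    yield piece
    for sep in re.finditer(r"[_.-]", piece):
        yield piece[sep.end():]

def emails_in_url(url):
    """List (encoding, address) pairs for recipient addresses carried in a URL."""
    if "://" not in url and not url.startswith("/"):
        url = "//" + url                     # scheme-less host/path from a log
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query)]
    found = [("plain", v) for v in values if EMAIL.match(v)]
    pieces = [unquote(s) for s in parts.path.split("/") if s] + values
    for piece in pieces:
        for cand in candidates(piece):
            addr = decode_email_token(cand)
            if addr:
                found.append(("base64", addr))
                break
    return found

# Constructed sample requests modelled on the URL shapes in the post.
SAMPLE_URLS = [
    "/redir_main.php?to=some@example.com&cty=Nowhere",
    "landing.invalid/video_c29tZUBleGFtcGxlLmNvbQ==",
    "https://www.example.org/static/app_bundle_v2.min.js",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", emails_in_url(u))
```

A hit on either form in outbound web logs identifies which mailbox the link was sent to, which helps scope who received the message.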