Thread: Question about hacking web-mail (hotmail) accounts

  1. #1
    David H. Lipman Guest

    Re: Question about hacking web-mail (hotmail) accounts

    From: "Virus Guy" <Virus@Guy.com>

    > Today I got a strange e-mail from a friend that I seldom have had e-mail
    > contact with.
    >
    > He has a hotmail account, and header analysis shows that the e-mail did
    > indeed originate from hotmail.
    >
    > The subject was simply "video.."
    >
    > I've reproduced the message body as it appears in raw source format:
    >
    > --------------5200e5eee77f48869a
    > Content-Type: text/plain; charset="ISO-8859-1"
    > Content-Transfer-Encoding: 7bit
    >
    > <b><span style="font-size: 20pt;">
    > <a alt="{alpha-numeric-here}
    > {alpha-numeric-here}
    > {alpha-numeric-here}"
    > id="{alpha-numeric-here}
    > {alpha-numeric-here}"
    > href="alpha-numeric.cw9.me/dd_name@my-domain.tld/alpha-
    > numeric-here------_ViewMsg" >
    > Click here to read this message</a>
    >
    > --------------5200e5eee77f48869a
    > Content-Type: text/html; charset="ISO-8859-1"
    > Content-Transfer-Encoding: 7bit
    >
    > <b><span style="font-size: 20pt;">
    > <a alt="{alpha-numeric-here}
    > {alpha-numeric-here}
    > {alpha-numeric-here}"
    > id="{alpha-numeric-here}
    > {alpha-numeric-here}"
    > href="alpha-numeric.cw9.me/dd_name@my-domain.tld/alpha-
    > numeric-here------_ViewMsg" >
    > Click here to read this message</a>
    > --------------5200e5eee77f48869a
    >
    > Everywhere you see "alpha-numeric-here" is where there was a string of
    > seemingly random alpha-numeric characters. These strings were not
    > identical.
    >
    > When viewed normally, there is only 1 line of text that says "Click here
    > to read this message". That line is hyper-linked to a URL at the domain
    > cw9.me. That domain appears to have been registered yesterday.
    >
    > I'd like to hear your ideas as to what the link is supposed to do. It
    > appears to be a track-back link of some sort (enabling the server to log
    > valid e-mail addresses). It also seems to spawn a request to
    > maxmind.com (a domain that was blocked by my hosts file). A simple http
    > request to cw9.com spawns this re-direction:
    >
    > http://j.maxmind.com/app/geoip.js
    >
    > If you try it, and look at geoip.js, you'll see a brief IP-geolocation
    > report on your IP address.
    >
    > If you try cw9.com in a browser without any web-blocking, it looks like
    > you get hit with a bunch of advertising.
    >
    > So if anyone wants to follow up on what is being attempted by this URL,
    > please post back your analysis.
    >
    > I had my friend with the compromised hotmail account log into his
    > account and check his sent folder. Sure enough, there were lots of
    > examples of this e-mail being sent to all of his contacts. In my case,
    > based on looking at the e-mail headers, the perp seems to have logged in
    > from (or through) an IP address in Argentina.
    >
    > So, if anyone here knows anything about the operational details of how a
    > web-mail account gets hacked and used, here are my questions:
    >
    > 1) why doesn't the perp (or the automated process behind these
    > activities) delete the spams it sends from the victim's sent-mail
    > folder?
    >
    > 2) why doesn't the perp (or the automated process) change the victim's
    > account password so that he/it has exclusive and continuous use of the
    > account?
    >
    > 3) and here's the 64 thousand dollar question -> is it known if these
    > accounts are compromised through a password-cracking process, or was the
    > password knowable because the victim's personal computer (the computer
    > typically used to access the web-mail account) was hacked (trojanized,
    > keylogged, etc)?
    >
    > What are the odds that my friend's computer (2-year-old win-7 machine of
    > some sort) is infected with something, and that "something" is how the
    > hackers learned of the hotmail password?



    That's not the full Hotmail header.


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp
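
A way to triage a raw multipart body like the one quoted above, as an added example (not code posted by anyone in this thread). It uses only the Python standard library: the `email` parser splits the parts on the quoted boundary, a small `HTMLParser` subclass pulls out every `<a href>`, and the checks flag the traits that stand out in the quoted message: HTML markup inside the text/plain alternative, a scheme-less href, a mailbox embedded in the URL path (which is what makes the link a per-recipient address-validation beacon), and generic "Click here" anchor text. The sample message is constructed here; the sender, recipient, token strings and the "tok3" host label are placeholders, while the boundary string and cw9.me are the values quoted in the thread.

```python
"""Triage a raw multipart mail body of the kind quoted in the thread.

Added example, not code from any poster. SAMPLE_MAIL is constructed here to
mirror the quoted structure; addresses, TOKEN* strings and "tok3" are
placeholders, while the boundary and cw9.me are as quoted.
"""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# As quoted; MIME adds the leading "--" on delimiter lines, so the parameter
# value has two dashes fewer than the lines in the body.
BOUNDARY = "------------5200e5eee77f48869a"

# Constructed sample: outer headers added so the parser can locate the parts.
SAMPLE_MAIL = f"""From: friend@example.invalid
To: recipient@example.invalid
Subject: video..
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="{BOUNDARY}"

--{BOUNDARY}
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<b><span style="font-size: 20pt;">
<a alt="TOKEN1" id="TOKEN2"
href="tok3.cw9.me/recipient@example.invalid/TOKEN4------_ViewMsg" >
Click here to read this message</a>

--{BOUNDARY}
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<b><span style="font-size: 20pt;">
<a alt="TOKEN1" id="TOKEN2"
href="tok3.cw9.me/recipient@example.invalid/TOKEN4------_ViewMsg" >
Click here to read this message</a>
--{BOUNDARY}--
"""


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None  # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _absolute(href):
    """Prefix a scheme so urlsplit treats the leading labels as the host."""
    return href if "://" in href else "http://" + href


def _text_part_links(raw_mail):
    """Yield (content_type, links) for every text/* part of the message."""
    msg = message_from_string(raw_mail, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            extractor = LinkExtractor()
            extractor.feed(part.get_content())
            yield part.get_content_type(), extractor.links


def triage(raw_mail):
    """Return (content_type, issue, value) findings over all text parts."""
    findings = []
    for ctype, links in _text_part_links(raw_mail):
        # Markup in the text/plain alternative: the "plain" view is the same
        # HTML blob, so no reader was ever meant to see plain text.
        if ctype == "text/plain" and links:
            findings.append((ctype, "markup_in_text_plain", len(links)))
        for href, text in links:
            if "://" not in href:
                findings.append((ctype, "scheme_less_href", href))
            url = urlsplit(_absolute(href))
            # A mailbox in the path is a per-recipient token: a click tells
            # the server that this address is live.
            if "@" in url.path:
                findings.append((ctype, "address_in_path", url.path))
            if text.lower().startswith("click here"):
                findings.append((ctype, "generic_anchor_text", text))
    return findings


def link_hosts(raw_mail):
    """Sorted, de-duplicated hosts the message links to (for blocklisting)."""
    hosts = {urlsplit(_absolute(h)).hostname for _, links in _text_part_links(raw_mail) for h, _ in links}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    for finding in triage(SAMPLE_MAIL):
        print(*finding, sep="\t")
    print("hosts:", ", ".join(link_hosts(SAMPLE_MAIL)))
```

The host list is the useful output for a mail or web proxy blocklist; the findings are what a triage analyst would record, and each of them holds for the message quoted in the thread as well as for the constructed sample.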

  2. #2
    Virus Guy Guest

    Re: Question about hacking web-mail (hotmail) accounts

    "David H. Lipman" wrote:

    > That's not the full Hotmail header.


    I said it was the full message body. There was no need to reproduce the
    header (because it has no bearing on the context of my questions).

  3. #3
    David H. Lipman Guest

    Re: Question about hacking web-mail (hotmail) accounts

    From: "Virus Guy" <Virus@Guy.com>

    > "David H. Lipman" wrote:
    >
    >> That's not the full Hotmail header.
    >
    > I said it was the full message body. There was no need to reproduce the
    > header (because it has no bearing on the context of my questions).


    Except the source.


    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp



  4. #4
    Virus Guy Guest

    Re: Question about hacking web-mail (hotmail) accounts

    "David H. Lipman" wrote:

    > >> That's not the full Hotmail header.
    > >
    > > I said it was the full message body. There was no need to
    > > reproduce the header (because it has no bearing on the
    > > context of my questions).
    >
    > Except the source.


    I'm not following you.

    The password for a hotmail account has become known to a third party
    (call him a hacker, cracker, criminal, whatever you want).

    E-mails were sent through hotmail using the account's credentials.
    Copies of those e-mails are present in the sent folder of the account.

    I am most curious as to how the account password became compromised.

    How is you seeing the full header going to speak to that question?

  5. #5
    David W. Hodgins Guest

    Re: Question about hacking web-mail (hotmail) accounts

    On Tue, 01 May 2012 21:29:00 -0400, Virus Guy <Virus@guy.com> wrote:

    > I am most curious as to how the account password became compromised.


    http://it.slashdot.org/story/12/04/2...d-exploitation

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

  6. #6
    David H. Lipman Guest

    Re: Question about hacking web-mail (hotmail) accounts

    From: "David W. Hodgins" <dwhodgins@nomail.afraid.org>

    > On Tue, 01 May 2012 21:29:00 -0400, Virus Guy <Virus@guy.com> wrote:
    >
    >> I am most curious as to how the account password became compromised.
    >
    > http://it.slashdot.org/story/12/04/2...d-exploitation
    >


    That explains why the flood of Job Fraud emails via compromised HotMail
    accounts I have received stopped around that time frame.

    Thanx Dave

    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp


  7. #7
    David H. Lipman Guest

    Re: Question about hacking web-mail (hotmail) accounts

    From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

    > From: "David W. Hodgins" <dwhodgins@nomail.afraid.org>
    >
    >> On Tue, 01 May 2012 21:29:00 -0400, Virus Guy <Virus@guy.com> wrote:
    >>
    >>> I am most curious as to how the account password became compromised.
    >>
    >> http://it.slashdot.org/story/12/04/2...d-exploitation
    >>
    > That explains why the flood of Job Fraud emails via compromised HotMail
    > accounts I have received stopped around that time frame.
    >


    Damn - Just got another one :-(



    --
    Dave
    Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
    http://www.pctipp.ch/downloads/dl/35905.asp


  8. #8
    Ant Guest

    Re: Question about hacking web-mail (hotmail) accounts

    "David W. Hodgins" wrote:

    > On Tue, 01 May 2012 21:29:00 -0400, Virus Guy wrote:
    >> I am most curious as to how the account password became compromised.
    >
    > http://it.slashdot.org/story/12/04/2...d-exploitation


    That's a password-reset vulnerability. In this case there was no
    password change so, unless there's another Hotmail bug, I believe
    it's more likely that social engineering or malware was involved.



  9. #9
    FromTheRafters Guest

    Re: Question about hacking web-mail (hotmail) accounts

    Virus Guy wrote:
    > "David H. Lipman" wrote:
    >
    >>>> That's not the full Hotmail header.
    >>>
    >>> I said it was the full message body. There was no need to
    >>> reproduce the header (because it has no bearing on the
    >>> context of my questions).
    >>
    >> Except the source.
    >
    > I'm not following you.
    >
    > The password for a hotmail account has become known to a third party
    > (call him a hacker, cracker, criminal, whatever you want).


    That might not be exactly true. I don't know the full details of how
    hotmail works it, but in some cases where a password is used *only* the
    client knows that password.

    [...]
