Question about hacking web-mail (hotmail) accounts

[Ant]

"Virus Guy" wrote:

> If you try this first, I think you'll find it will work without having
> the actual alpha-numeric code:
>
> hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg

Yes, that worked. I used example.com and got:

src="http://j.maxmind.com/app/geoip.js"
top.location.href = '/redir_main.php?to=some@example.com&cty=' + geoip_country_name();

Redirected to:

ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==

The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64 encoded.
Like you, I got a fake Login Live page. Although in English, some of
the internal html text was Portugese or Spanish (I can't tell the
difference), e.g:

meta content="El nuevo Hotmail ya está aquÃ*. Es un sistema...

> By social engineering - you mean my friend might have encountered a fake
> hotmail login screen at some point in the past?

Exactly; just like the page we're seeing here! Pretty much all the
content is from live.com but when you press "sign in" the thief gets
your account details. It's also tied to your email address by the b64
encoded string.

[Li'l Abner]

"Ant" <not@home.today> wrote in
news:2JadnWezCv8m_DzSnZ2dnUVZ8iKdnZ2d@brightview.c o.uk:

> "Virus Guy" wrote:
>
>> If you try this first, I think you'll find it will work without
>> having the actual alpha-numeric code:
>>
>> hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg
>
> Yes, that worked. I used example.com and got:
>
> src="http://j.maxmind.com/app/geoip.js"
> top.location.href = '/redir_main.php?to=some@example.com&cty=' +
> geoip_country_name();
>
> Redirected to:
>
> ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==
>
> The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64
> encoded. Like you, I got a fake Login Live page. Although in English,
> some of the internal html text was Portugese or Spanish (I can't tell
> the difference), e.g:
>
> meta content="El nuevo Hotmail ya está aquÃ*. Es un sistema...
>
>> By social engineering - you mean my friend might have encountered a
>> fake hotmail login screen at some point in the past?
>
> Exactly; just like the page we're seeing here! Pretty much all the
> content is from live.com but when you press "sign in" the thief gets
> your account details. It's also tied to your email address by the b64
> encoded string.

I bit on something like that a couple of days ago, but it had something to
do with a facebook page. Then a Facebook login page popped up and Firefox
automatically filled in my login credentials. I clicked "Login" and the
screen went away. But FaceBook never showed up.
The more I thought about it, the fishier it looked.
So I immediately logged into Facebook and changed my password.
As much as I preach to my customers about being careful what you click on,
I couldn't believe that I did it myself!

--
--- My mother never saw the irony in calling me a son-of-a-***** ---

[Ant]

"Li'l Abner" wrote:

> I bit on something like that a couple of days ago, but it had something to
> do with a facebook page. Then a Facebook login page popped up and Firefox
> automatically filled in my login credentials. I clicked "Login" and the
> screen went away. But FaceBook never showed up.
> The more I thought about it, the fishier it looked.
> So I immediately logged into Facebook and changed my password.
> As much as I preach to my customers about being careful what you click on,
> I couldn't believe that I did it myself!

Yep, it's fairly easy to fall for these tricks if you're not paying
attention.

As always it's a balance between ease of use and security. Don't allow
browsers to store passwords; don't click on things you haven't
deliberately launched; don't use webmail like Hotmail, Yahoo or Gmail,
instead use a proper SMTP mail service like one your ISP may provide.

You think the general public will do this? No chance! They've no idea
that you don't need a browser to do email or that there's more to the
internet than "twitbook".

[Aardvark]

On Wed, 02 May 2012 14:35:47 -0500, Li'l Abner wrote:

> "Ant" <not@home.today> wrote in
> news:2JadnWezCv8m_DzSnZ2dnUVZ8iKdnZ2d@brightview.c o.uk:
>
>> "Virus Guy" wrote:
>>
>>> If you try this first, I think you'll find it will work without having
>>> the actual alpha-numeric code:
>>>
>>> hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg
>>
>> Yes, that worked. I used example.com and got:
>>
>> src="http://j.maxmind.com/app/geoip.js"
>> top.location.href = '/redir_main.php?to=some@example.com&cty=' +
>> geoip_country_name();
>>
>> Redirected to:
>>
>> ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==
>>
>> The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64 encoded.
>> Like you, I got a fake Login Live page. Although in English,
>> some of the internal html text was Portugese or Spanish (I can't tell
>> the difference), e.g:
>>
>> meta content="El nuevo Hotmail ya está aquÃ*. Es un sistema...
>>
>>> By social engineering - you mean my friend might have encountered a
>>> fake hotmail login screen at some point in the past?
>>
>> Exactly; just like the page we're seeing here! Pretty much all the
>> content is from live.com but when you press "sign in" the thief gets
>> your account details. It's also tied to your email address by the b64
>> encoded string.
>
> I bit on something like that a couple of days ago, but it had something
> to do with a facebook page. Then a Facebook login page popped up and
> Firefox automatically filled in my login credentials. I clicked "Login"
> and the screen went away. But FaceBook never showed up.
> The more I thought about it, the fishier it looked.
> So I immediately logged into Facebook and changed my password.
> As much as I preach to my customers about being careful what you click
> on,
> I couldn't believe that I did it myself!



What's Facebook?

LOL.

--
"Any man's death diminishes me, because I am involved
in mankind, and therefore never send to know for whom
the bell tolls; it tolls for thee".
-John Donne (1572-1631)

[Li'l Abner]

Aardvark <aardvark@aardvark.uk.tc> wrote in news:jnseal$ckb$1@dont-
email.me:

> On Wed, 02 May 2012 14:35:47 -0500, Li'l Abner wrote:
>
>> "Ant" <not@home.today> wrote in
>> news:2JadnWezCv8m_DzSnZ2dnUVZ8iKdnZ2d@brightview.c o.uk:
>>
>>> "Virus Guy" wrote:
>>>
>>>> If you try this first, I think you'll find it will work without
having
>>>> the actual alpha-numeric code:
>>>>
>>>> hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg
>>>
>>> Yes, that worked. I used example.com and got:
>>>
>>> src="http://j.maxmind.com/app/geoip.js"
>>> top.location.href = '/redir_main.php?to=some@example.com&cty=' +
>>> geoip_country_name();
>>>
>>> Redirected to:
>>>
>>> ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==
>>>
>>> The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64
encoded.
>>> Like you, I got a fake Login Live page. Although in English,
>>> some of the internal html text was Portugese or Spanish (I can't tell
>>> the difference), e.g:
>>>
>>> meta content="El nuevo Hotmail ya está aquÃ*. Es un sistema...
>>>
>>>> By social engineering - you mean my friend might have encountered a
>>>> fake hotmail login screen at some point in the past?
>>>
>>> Exactly; just like the page we're seeing here! Pretty much all the
>>> content is from live.com but when you press "sign in" the thief gets
>>> your account details. It's also tied to your email address by the b64
>>> encoded string.
>>
>> I bit on something like that a couple of days ago, but it had
something
>> to do with a facebook page. Then a Facebook login page popped up and
>> Firefox automatically filled in my login credentials. I clicked
"Login"
>> and the screen went away. But FaceBook never showed up.
>> The more I thought about it, the fishier it looked.
>> So I immediately logged into Facebook and changed my password.
>> As much as I preach to my customers about being careful what you click
>> on,
>> I couldn't believe that I did it myself!
>
>
>
> What's Facebook?
>
> LOL.

Yeah, I know. I spend very little time on it. I only have 3 friends.
On FaceBook, that is... :-)


--
--- My mother never saw the irony in calling me a son-of-a-***** ---

[FromTheRafters]

Li'l Abner wrote:
> Aardvark<aardvark@aardvark.uk.tc> wrote in news:jnseal$ckb$1@dont-
> email.me:
>
>> On Wed, 02 May 2012 14:35:47 -0500, Li'l Abner wrote:
>>
>>> "Ant"<not@home.today> wrote in
>>> news:2JadnWezCv8m_DzSnZ2dnUVZ8iKdnZ2d@brightview.c o.uk:
>>>
>>>> "Virus Guy" wrote:
>>>>
>>>>> If you try this first, I think you'll find it will work without
> having
>>>>> the actual alpha-numeric code:
>>>>>
>>>>> hxxp://12345678.cw9.me/dd_****@off.com/12345678_ViewMsg
>>>>
>>>> Yes, that worked. I used example.com and got:
>>>>
>>>> src="http://j.maxmind.com/app/geoip.js"
>>>> top.location.href = '/redir_main.php?to=some@example.com&cty=' +
>>>> geoip_country_name();
>>>>
>>>> Redirected to:
>>>>
>>>> ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==
>>>>
>>>> The string c29tZUBleGFtcGxlLmNvbQ== is some@example.com base64
> encoded.
>>>> Like you, I got a fake Login Live page. Although in English,
>>>> some of the internal html text was Portugese or Spanish (I can't tell
>>>> the difference), e.g:
>>>>
>>>> meta content="El nuevo Hotmail ya está aquÃ*. Es un sistema...
>>>>
>>>>> By social engineering - you mean my friend might have encountered a
>>>>> fake hotmail login screen at some point in the past?
>>>>
>>>> Exactly; just like the page we're seeing here! Pretty much all the
>>>> content is from live.com but when you press "sign in" the thief gets
>>>> your account details. It's also tied to your email address by the b64
>>>> encoded string.
>>>
>>> I bit on something like that a couple of days ago, but it had
> something
>>> to do with a facebook page. Then a Facebook login page popped up and
>>> Firefox automatically filled in my login credentials. I clicked
> "Login"
>>> and the screen went away. But FaceBook never showed up.
>>> The more I thought about it, the fishier it looked.
>>> So I immediately logged into Facebook and changed my password.
>>> As much as I preach to my customers about being careful what you click
>>> on,
>>> I couldn't believe that I did it myself!
>>
>>
>>
>> What's Facebook?
>>
>> LOL.
>
> Yeah, I know. I spend very little time on it. I only have 3 friends.
> On FaceBook, that is... :-)
>
That's pitiful - or so I've heard.

Before I deactivated my Facebook account I logged on one day to find two
pages of Korean girls wanting to be my friend. I'm a friendly guy, but
not *that* friendly.