Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Question about hacking web-mail (hotmail) accounts

21 views
Skip to first unread message

Virus Guy

unread,
May 1, 2012, 7:44:32 PM5/1/12
to
Today I got a strange e-mail from a friend that I seldom have had e-mail
contact with.

He has a hotmail account, and header analysis shows that the e-mail did
indeed originate from hotmail.

The subject was simply "video.."

I've reproduced the message body as it appears in raw source format:

--------------5200e5eee77f48869a
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<b><span style="font-size: 20pt;">
<a alt="{alpha-numeric-here}
{alpha-numeric-here}
{alpha-numeric-here}"
id="{alpha-numeric-here}
{alpha-numeric-here}"
href="alpha-numeric.cw9.me/dd_...@my-domain.tld/alpha-
numeric-here------_ViewMsg" >
Click here to read this message</a>

--------------5200e5eee77f48869a
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<b><span style="font-size: 20pt;">
<a alt="{alpha-numeric-here}
{alpha-numeric-here}
{alpha-numeric-here}"
id="{alpha-numeric-here}
{alpha-numeric-here}"
href="alpha-numeric.cw9.me/dd_...@my-domain.tld/alpha-
numeric-here------_ViewMsg" >
Click here to read this message</a>
--------------5200e5eee77f48869a

Everywhere you see "alpha-numeric-here" is where there was a string of
seemingly random alpha-numeric characters. These strings were not
identical.

When viewed normally, there is only 1 line of text that says "Click here
to read this message". That line is hyper-linked to a URL at the domain
cw9.me. That domain appears to have been registered yesterday.

I'd like to hear your ideas as to what the link is supposed to do. It
appears to be a track-back link of some sort (enabling the server to log
valid e-mail addresses). It also seems to spawn a request to
maxmind.com (a domain that was blocked by my hosts file). A simple http
request to cw9.com spawns this re-direction:

http://j.maxmind.com/app/geoip.js

If you try it, and look at geoip.js, you'll see a brief IP-geolocation
report your IP address.

If you try cw9.com in a browser without any web-blocking, it looks like
you get hit with a bunch of advertizing.

So if anyone wants to follow up on what is being attempted by this URL,
please post back your analysis.

I had my friend with the comprimized hotmail account login into his
account and check his sent folder. Sure enough, there were lots of
examples of this e-mail being sent to all of his contacts. In my case,
based on looking at the e-mail headers, the perp seems to have logged in
from (or through) an IP address in Argentina.

So, if anyone here knows anything about the operational details of how a
web-mail account gets hacked and used, here are my questions:

1) why doesn't the perp (or the automated process behind these
activities) delete the spams it sends from the victim's sent-mail
folder?

2) why doesn't the perp (or the automated process) change the victim's
account password so that he/it has exclusive and continuous use of the
account?

3) and here's the 64 thousand dollar question -> is it known if these
accounts are comprimized through a password-cracking process, or was the
password knowable because the victim's personal computer (the computer
typically used to access the web-mail account) was hacked (trojanized,
keylogged, etc)?

What are the odds that my friend's computer (2-year-old win-7 machine of
some sort) is infected with something, and that "something" is how the
hackers learned of the hotmail password?

David H. Lipman

unread,
May 1, 2012, 8:14:26 PM5/1/12
to
From: "Virus Guy" <Vi...@Guy.com>
That's not the full Hotmail header.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Virus Guy

unread,
May 1, 2012, 8:32:07 PM5/1/12
to
"David H. Lipman" wrote:

> That's not the full Hotmail header.

I said it was the full message body. There was no need to reproduce the
header (because it has no bearing on the context of my questions).

David H. Lipman

unread,
May 1, 2012, 9:19:05 PM5/1/12
to
From: "Virus Guy" <Vi...@Guy.com>
Except the source.

Virus Guy

unread,
May 1, 2012, 9:29:00 PM5/1/12
to
"David H. Lipman" wrote:

> >> That's not the full Hotmail header.
> >
> > I said it was the full message body. There was no need to
> > reproduce the header (because it has no bearing on the
> > context of my questions).
>
> Except the source.

I'm not following you.

The password for a hotmail account has become known to a third party
(call him a hacker, cracker, criminal, what-ever you want).

E-mails were sent through hotmail using the account's credentials.
Copies of those e-mails are present in the sent folder of the account.

I am most curious as to how the account password became comprimized.

How is you seeing the full header going to speak to that question?

Ant

unread,
May 2, 2012, 7:51:10 AM5/2/12
to
"Virus Guy" wrote:

> href="alpha-numeric.cw9.me/dd_...@my-domain.tld/alpha-numeric-here------_ViewMsg"

> Everywhere you see "alpha-numeric-here" is where there was a string of
> seemingly random alpha-numeric characters. These strings were not
> identical.

> I'd like to hear your ideas as to what the link is supposed to do.

Can't tell without the alphanumerics, which is/are likely to be
affiliate code/s of some kind. Substituting random letters & numbers
gets a 404.

Going to cw9.me by itself gets a line of script:

top.location.href ='track_main.php?u=404';

following that (with or without "?u=404") gets two one-line scripts:

src="http://j.maxmind.com/app/geoip.js"
top.location.href = 'track_main.php?cty=' + geoip_country_name();

So, translating that for where I am gets:

cw9.me/track_main.php?cty=United%20Kingdom

That gets a page with a javascript alert and meta-refresh:

"To continue, fill the form and click Sign Up button"
location.href="h**p://tnktrck.com/?a=5326&c=6054&s1=";

That redirects (302) to the same URL but using https (SSL) and that
redirects to:

www .tracklead.net/click.track?CID=206574&AFID=136366&ADID=741355&SID=5326

which redirects to:

www .ziinga.com/partners/pair/uk/ewa-cpl-uk/ewa-cpl-uk?subId=136366

which redirects to:

www .ziinga.com/landing/uk_big_savings.php/?subId=136366

Seems to be some sort of auction scam for which you have to sign up
and pay a subscription.

> So, if anyone here knows anything about the operational details of how a
> web-mail account gets hacked and used, here are my questions:

The answer to your first two about why tracks are not covered is that
"spammers are stupid" - see "the rules of spam".

As to how they get login details, it's either social engineering or
malware - both very common.


Virus Guy

unread,
May 2, 2012, 8:45:21 AM5/2/12
to
Ant wrote:

> Can't tell without the alphanumerics, which is/are likely to be
> affiliate code/s of some kind. Substituting random letters & numbers
> gets a 404.

Ok, so after disabling my hosts file, I played around with the original
url by substituting a fake e-mail address. So for example, a wget
performed on this:

hxxp://xxxxxxxxxxxxxx.cw9.me/dd_...@off.com/xxxxxxxxxxxxxxxxxxxxxn_ViewMsg

Results in this:

<script language="JavaScript" src="hxxp://j.maxmind.com/app/geoip.js">
</script>
<script> top.location.href = '/redir_main.php?to=fu...@off.com&cty=' +
geoip_country_name();
</script>

Clearly, they first want to get some geographic information about you
and then include that in the URL they redirect you to for the subsequent
redirections.

When run in a browser, I don't see the hit to maxmind.com, but instead I
see this:

hxxp://ww104.dbyli.com/track_main.php?id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&id=4

or sometimes here:

hxxp://internettestbank.com/d/alphanum%2F%2Fww66.dbyli.com%2Ftrack_main.php%3Fid%3Dalphanum%26id%3D4

Then here:

hxxp://ww140.dbyli.com/video_alphanun

Which interestingly was a fake Microsoft Live login screen - but only
the first time I hit it. All other attempts get redirected through
here:

http://ww104.dbyli.com/track_main.php?id=alphanum&id=4

And then land on page like these:

hxxp://www. rewardscentre.net/?session_id=12345678
hxxp://www. electronicssavingsoutlet.net/?session_id=12345678
hxxp://www. edealsandbargains.net/?session_id=12345678

If you try this first, I think you'll find it will work without having
the actual alpha-numeric code:

hxxp://12345678.cw9.me/dd_...@off.com/12345678_ViewMsg

(or insert any fake e-mail address you want)

> Seems to be some sort of auction scam for which you have to sign
> up and pay a subscription.

Well, what-ever these things are, they don't seem to push any exploits
at you.

> As to how they get login details, it's either social engineering
> or malware - both very common.

By social engineering - you mean my friend might have encountered a fake
hotmail login screen at some point in the past?

Ant

unread,
May 2, 2012, 12:31:03 PM5/2/12
to
"Virus Guy" wrote:

> If you try this first, I think you'll find it will work without having
> the actual alpha-numeric code:
>
> hxxp://12345678.cw9.me/dd_...@off.com/12345678_ViewMsg

Yes, that worked. I used example.com and got:

src="http://j.maxmind.com/app/geoip.js"
top.location.href = '/redir_main.php?to=so...@example.com&cty=' + geoip_country_name();

Redirected to:

ww15.buwna.com/video_c29tZUBleGFtcGxlLmNvbQ==

The string c29tZUBleGFtcGxlLmNvbQ== is so...@example.com base64 encoded.
Like you, I got a fake Login Live page. Although in English, some of
the internal html text was Portugese or Spanish (I can't tell the
difference), e.g:

meta content="El nuevo Hotmail ya está aquí. Es un sistema...

> By social engineering - you mean my friend might have encountered a fake
> hotmail login screen at some point in the past?

Exactly; just like the page we're seeing here! Pretty much all the
content is from live.com but when you press "sign in" the thief gets
your account details. It's also tied to your email address by the b64
encoded string.


David W. Hodgins

unread,
May 2, 2012, 1:15:02 PM5/2/12
to
On Tue, 01 May 2012 21:29:00 -0400, Virus Guy <Vi...@guy.com> wrote:

> I am most curious as to how the account password became comprimized.

http://it.slashdot.org/story/12/04/27/1311255/microsoft-patches-major-hotmail-0-day-flaw-after-widespread-exploitation

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

David H. Lipman

unread,
May 2, 2012, 1:40:05 PM5/2/12
to
From: "David W. Hodgins" <dwho...@nomail.afraid.org>

> On Tue, 01 May 2012 21:29:00 -0400, Virus Guy <Vi...@guy.com> wrote:
>
>> I am most curious as to how the account password became comprimized.
>
> http://it.slashdot.org/story/12/04/27/1311255/microsoft-patches-major-hotmail-0-day-flaw-after-widespread-exploitation
>

That explians why the flood of Job Fraud emails via compromised HotMail
accounts I have received stopped around that time frame.

Thanx Dave

Li'l Abner

unread,
May 2, 2012, 3:35:47 PM5/2/12
to
"Ant" <n...@home.today> wrote in
news:2JadnWezCv8m_DzS...@brightview.co.uk:
I bit on something like that a couple of days ago, but it had something to
do with a facebook page. Then a Facebook login page popped up and Firefox
automatically filled in my login credentials. I clicked "Login" and the
screen went away. But FaceBook never showed up.
The more I thought about it, the fishier it looked.
So I immediately logged into Facebook and changed my password.
As much as I preach to my customers about being careful what you click on,
I couldn't believe that I did it myself!

--
--- My mother never saw the irony in calling me a son-of-a-bitch ---

FromTheRafters

unread,
May 2, 2012, 4:13:21 PM5/2/12
to
Virus Guy wrote:
> "David H. Lipman" wrote:
>
>>>> That's not the full Hotmail header.
>>>
>>> I said it was the full message body. There was no need to
>>> reproduce the header (because it has no bearing on the
>>> context of my questions).
>>
>> Except the source.
>
> I'm not following you.
>
> The password for a hotmail account has become known to a third party
> (call him a hacker, cracker, criminal, what-ever you want).

That might not be exactly true. I don't know the full details of how
hotmail works it, but in some cases where a password is used *only* the
client knows that password.

[...]

Ant

unread,
May 2, 2012, 4:25:01 PM5/2/12
to
"David W. Hodgins" wrote:

> On Tue, 01 May 2012 21:29:00 -0400, Virus Guy wrote:
>> I am most curious as to how the account password became comprimized.
>
> http://it.slashdot.org/story/12/04/27/1311255/microsoft-patches-major-hotmail-0-day-flaw-after-widespread-exploitation

That's a password-reset vulnerability. In this case there was no
password change so, unless there's another Hotmail bug, I believe
it's more likely that social engineering or malware was involved.


Ant

unread,
May 2, 2012, 4:25:48 PM5/2/12
to
"Li'l Abner" wrote:

> I bit on something like that a couple of days ago, but it had something to
> do with a facebook page. Then a Facebook login page popped up and Firefox
> automatically filled in my login credentials. I clicked "Login" and the
> screen went away. But FaceBook never showed up.
> The more I thought about it, the fishier it looked.
> So I immediately logged into Facebook and changed my password.
> As much as I preach to my customers about being careful what you click on,
> I couldn't believe that I did it myself!

Yep, it's fairly easy to fall for these tricks if you're not paying
attention.

As always it's a balance between ease of use and security. Don't allow
browsers to store passwords; don't click on things you haven't
deliberately launched; don't use webmail like Hotmail, Yahoo or Gmail,
instead use a proper SMTP mail service like one your ISP may provide.

You think the general public will do this? No chance! They've no idea
that you don't need a browser to do email or that there's more to the
internet than "twitbook".


David H. Lipman

unread,
May 2, 2012, 6:54:45 PM5/2/12
to
From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

> From: "David W. Hodgins" <dwho...@nomail.afraid.org>
>
>> On Tue, 01 May 2012 21:29:00 -0400, Virus Guy <Vi...@guy.com> wrote:
>>
>>> I am most curious as to how the account password became comprimized.
>>
>> http://it.slashdot.org/story/12/04/27/1311255/microsoft-patches-major-hotmail-0-day-flaw-after-widespread-exploitation
>>
> That explians why the flood of Job Fraud emails via compromised HotMail
> accounts I have received stopped around that time frame.
>

Damn - Just got another one :-(

Aardvark

unread,
May 2, 2012, 7:00:38 PM5/2/12
to
What's Facebook?

LOL.

--
"Any man's death diminishes me, because I am involved
in mankind, and therefore never send to know for whom
the bell tolls; it tolls for thee".
-John Donne (1572-1631)

Li'l Abner

unread,
May 2, 2012, 9:59:53 PM5/2/12
to
Aardvark <aard...@aardvark.uk.tc> wrote in news:jnseal$ckb$1@dont-
email.me:
Yeah, I know. I spend very little time on it. I only have 3 friends.
On FaceBook, that is... :-)
Message has been deleted
Message has been deleted
0 new messages