Topic 'Hotmail hacked?' in forum 'Scam and Phishbusters' - dslreports.com

Re: Hotmail hacked?

Sat, 27 Jun 2009 13:48:58 EDT

anon posted : I don't think it would be too much effort for the hotmail servers to filter out anything going into or from a particualr site once it's confirmed that the site is going through illegitamate means and spamming (or is it more difficult than I think?).

I wonder as users if there's anything we can do to return the favour and spam that particular website or somehow bring it down.

-Allan

Re: Hotmail hacked?

Wed, 24 Jun 2009 14:09:04 EDT

Oleg posted : Never click links or open e-mails from sender you don't know.

Re: Hotmail hacked?

Wed, 24 Jun 2009 12:02:12 EDT

Bootboiler posted : Below is a header from one last night, on my honey's computer, it sent a copy to her, this is the header from that. email addresses are modified. pw was easy, 9 char, two words that go together, like blackbear.

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MDtTQ0w9NA==
X-Message-Status: n:0
X-SID-PRA: Sue Heydt
X-SID-Result: Pass
X-Message-Info: jXuon5/YRm7j6Wz7om5I0k16g1jYmgsHoDxodSuOyCjR+sih+02LOegNdHHqmB8i6N99mMKaZ+m/IznqGFxsKJVEGEfRxaDh
Received: from bay0-omc2-s37.bay0.hotmail.com ([65.54.246.173]) by bay0-imc1-s17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Tue, 23 Jun 2009 19:47:34 -0700
Received: from BAY101-W3 ([64.4.56.103]) by bay0-omc2-s37.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 23 Jun 2009 19:47:24 -0700
Message-ID:
Return-Path: su####er@hotmail.com
Content-Type: multipart/alternative;
boundary="_3dacc8f9-3e70-43e4-a5e5-d53b87b993f4_"
X-Originating-IP: [123.123.130.26]
From: Sue Heydt
Subject: RE:hi
Date: Wed, 24 Jun 2009 02:47:23 +0000
Importance: Normal
MIME-Version: 1.0
Bcc:
X-OriginalArrivalTime: 24 Jun 2009 02:47:24.0161 (UTC) FILETIME=[1A511710:01C9F476]

--_3dacc8f9-3e70-43e4-a5e5-d53b87b993f4_
Content-Type: text/plain; charset="ks_c_5601-1987"
Content-Transfer-Encoding: 8bit

Dear potential partner,
Do you need famous brand of electronic products with original quality and international warranty? Do you want to start your own business career for money making ?
What ever you are a small personal business or largest wholesale entity we also can provide your support to be our stable customers or agent.
We are largest wholesale business on consumming electronic products between America&China, laptops, Digital camera Videos,GPS,cellphone,mp4,game console and many other electronic products.which market is mainly in Europe,America,south Asia,Australia and Southen America.
There is much profit for you if you are our stable customer or agent.
For more information please contact as bellow :
Address£ºN0.15,Haidian District shangdi information road Beijing ,China
Tel(Fax)£º+861081836757
phone: +8615101621070
MSN£ºsangefa-vip@hotmail.com
E-mail: sangefa@188.com
WEB : www.sangefa.com

Re: Hotmail hacked?

Wed, 24 Jun 2009 11:57:58 EDT

anon posted : Below is a header from one last night, on my honey's computer, it sent a copy to her, this is the header from that. email addresses are modified. pw was easy, 9 char, two words that go together, like blackbear.

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MDtTQ0w9NA==
X-Message-Status: n:0
X-SID-PRA: Sue Heydt
X-SID-Result: Pass
X-Message-Info: jXuon5/YRm7j6Wz7om5I0k16g1jYmgsHoDxodSuOyCjR+sih+02LOegNdHHqmB8i6N99mMKaZ+m/IznqGFxsKJVEGEfRxaDh
Received: from bay0-omc2-s37.bay0.hotmail.com ([65.54.246.173]) by bay0-imc1-s17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Tue, 23 Jun 2009 19:47:34 -0700
Received: from BAY101-W3 ([64.4.56.103]) by bay0-omc2-s37.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 23 Jun 2009 19:47:24 -0700
Message-ID:
Return-Path: su####er@hotmail.com
Content-Type: multipart/alternative;
boundary="_3dacc8f9-3e70-43e4-a5e5-d53b87b993f4_"
X-Originating-IP: [123.123.130.26]
From: Sue Heydt
Subject: RE:hi
Date: Wed, 24 Jun 2009 02:47:23 +0000
Importance: Normal
MIME-Version: 1.0
Bcc:
X-OriginalArrivalTime: 24 Jun 2009 02:47:24.0161 (UTC) FILETIME=[1A511710:01C9F476]

--_3dacc8f9-3e70-43e4-a5e5-d53b87b993f4_
Content-Type: text/plain; charset="ks_c_5601-1987"
Content-Transfer-Encoding: 8bit

Dear potential partner,
Do you need famous brand of electronic products with original quality and international warranty? Do you want to start your own business career for money making ?
What ever you are a small personal business or largest wholesale entity we also can provide your support to be our stable customers or agent.
We are largest wholesale business on consumming electronic products between America&China, laptops, Digital camera Videos,GPS,cellphone,mp4,game console and many other electronic products.which market is mainly in Europe,America,south Asia,Australia and Southen America.
There is much profit for you if you are our stable customer or agent.
For more information please contact as bellow :
Address£ºN0.15,Haidian District shangdi information road Beijing ,China
Tel(Fax)£º+861081836757
phone: +8615101621070
MSN£ºsangefa-vip@hotmail.com
E-mail: sangefa@188.com
WEB : www.sangefa.com

Re: Hotmail hacked?

Fri, 12 Jun 2009 19:24:24 EDT

MGD posted :

said by NormanS:

said by MGD:

Microsoft SMTPSVC(6.0.3790.3959);

I am presuming that line above does not mean that it was a true SMTP, like from an smtp client. My outbound hotmail sent via an SMTP client will not show in my "webmail" sent items.

On the basis of the version number? Or the agent name?

Just curious why you might think that 'Microsoft SMTPSVC(x.x.xxxx.xxxx)' would not be a "true SMTP", like from an SMTP client?

Good catch, Now that you bring it up, I am curious why I made that statement too !. It is incorrect,
'Microsoft SMTPSVC(x.x.xxxx.xxxx)' will show up in the headers regardless of whether the email originates from within a local SMTP client or is sent via the webmail interface.

As you mentioned in another post mail sent via an SMTP client will not show in the sent items of the webmail interface.

Apparently in some cases the hackers are copying the victim's address book and then spamming via a n smtp application. I am not sure if some victims are reporting that the spam does show in their webmail sent items or not. What most do report is that their accounts are altered, either set in auto respond away mode (with a copy of the spam) or a signature is added to include the spam which then appears in all subsequent outbound mail.

I am presuming based on the sheer volume of this epidemic, that this process may be somehow scripted by the scammers.

There is not a lot of feedback coming from the support people that identifies what the modus operandi is. I am sure they have to know by now. I do not believe that all the accounts are password cracked, nor do I believe that they are all phished. There is some other angle at work here.

MGD

Re: Hotmail hacked?

Thu, 11 Jun 2009 21:23:56 EDT

NormanS posted :

said by TearAbite:

After one of my wife's old hotmail accounts was sending out money requests to all of her contacts via Western Union for her "trip to nigera", i did some searching and found that it is indeed happening to a LOT of other people, beginning around January or so of this year.

Which is, coincidentally, about the time that Windows Live Hotmail began to reintroduce free POP3 access (which used to be allowed before Microsoft bought Hotmail).

And email sent via 'smtp.live.com' will not show up in the "Sent Items" folder of either the Web mail view, or the HTTPMail client.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Showing email sent from Hotmail to another account.
Showing the Windows Live Mail view of sent Hotmail.
Showing the Web view of sent Hotmail.

Re: Hotmail hacked?

Thu, 11 Jun 2009 19:15:37 EDT

NormanS posted :

On the basis of the version number? Or the agent name?

Return-path: Received: from kozue.aosake.net (192.168.102.34) by aosake.net (Mercury/32 v4.62) with ESMTP ID MG00004E;   11 Jun 2009 16:07:28 -0700Received: from KOZUE ([192.168.102.34]) by kozue.aosake.net with Microsoft SMTPSVC(6.0.2600.5512); Thu, 11 Jun 2009 16:07:28 -0700From: "Morris R. ze Kat" Subject: [TEST] Didn't work?To: ******@aosake.netUser-Agent: 40tude_Dialog/2.0.15.41MIME-Version: 1.0Content-Type: text/plain; charset="us-ascii"Content-Transfer-Encoding: 7bitSender: troll.feeder@kook.invalidOrganization: KookvilleDate: Thu, 11 Jun 2009 16:07:28 -0700Message-ID: <1s78jfw12si6d$.dlg@kat.dizum.com>X-Approved-By: The Other GuyX-OriginalArrivalTime: 11 Jun 2009 23:07:28.0140 (UTC) FILETIME=[63EB14C0:01C9EAE9]

Just curious why you might think that 'Microsoft SMTPSVC(x.x.xxxx.xxxx)' would not be a "true SMTP", like from an SMTP client?

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Re: Hotmail hacked?

Mon, 18 May 2009 16:56:27 EDT

madylarian posted :

said by AVD:

Do you use facebook or skype or other social networking service that looks at your contact list to match up other potential users?

I do have MySpace and Facebook pages but there is no connection as I neither used the Hotmail address for them nor even allowed access to any contact lists or addressbooks.

mady
--
Honi soit qui mal y pense

Re: Hotmail hacked?

Mon, 18 May 2009 11:52:44 EDT

AVD posted : Do you use facebook or skype or other social networking service that looks at your contact list to match up other potential users?

Re: Hotmail hacked?

Sat, 16 May 2009 01:27:41 EDT

MGD posted :

said by Snowy:

said by MGD:

I presume they are using some script,...

Absolutely.
re 4 random letters combined with 4 random numbers isn't a hacker friendly combination by anyone's standards so my guess is it's not a mini brute force happening.

EDIT to add: it's always nice to be agree with but there's a lot more profit to made with that type of processing power than hacking hotmail accounts.
I was expecting to see a PW something like "letmeinnow!" ;)

Agree, that is millions of combinations for one account, not a productive method. If they are not all phished then maybe this direction: »www.google.com/search?hl=en&q=ha···aq=f&oq=

MGD

Re: Hotmail hacked?

Sat, 16 May 2009 01:25:37 EDT

madylarian posted :

said by MGD:

Interesting...

Do you routinely stay logged in to MSN while browsing the web, or is it set to auto log in. I am wondering how the MSN session id cookie behaves.

I only check Hotmail (and my other junk accounts) once a day. I close the window but I don't log out. However I did let Firefox save the password, so I am not sure if that is what you mean about auto log in. That is, when I go back the next day I don't have to log on again. Is that what you mean?

mady
--
Honi soit qui mal y pense

Re: Hotmail hacked?

Sat, 16 May 2009 01:12:38 EDT

Snowy posted :

said by MGD:

I presume they are using some script,...

Re: Hotmail hacked?

Sat, 16 May 2009 01:10:27 EDT

MGD posted : Interesting...

Do you routinely stay logged in to MSN while browsing the web, or is it set to auto log in. I am wondering how the MSN session id cookie behaves.

I know in the past a proof of concept with Gmail for example allowed a session login cookie to be hijacked and then used from another IP, though it was a complex process, that would appear to be way above this skill level.

I like Snowy 's potential scenario, there is an abundant supply of cheap labor There could be thousands gainfully employed testing pws 21/7.

124.135.246.67 does not show up on any listings, so I assume they are not spewing from that IP. Not a ptr on any IP in the route as soon as you hot the mainland:

[att=1]

MGD

Re: Hotmail hacked?

Sat, 16 May 2009 00:59:47 EDT

madylarian posted : MGD: They may not have sent it from my account but they sent it to the first 5 people on my contact list. I did send the headers to abuse@hotmail but I am not holding my breath for an answer. I have a feeling that the answer to your other questions is in the WindowsLive Help Forums, if you want to wade through them.

mady
--
Honi soit qui mal y pense

Re: Hotmail hacked?

Sat, 16 May 2009 00:58:32 EDT

MGD posted :

said by Snowy:

Your account was accessed from China which is not a surprise.
Since you've been able to change it, what was the hacked password?
IM works too.

I presume they are using some script, otherwise even if they were paying all those laid off Chineese workers to manually log in to every ones account, then it would still show up in the sent folder, if a webmail log in was used.

Microsoft SMTPSVC(6.0.3790.3959);

I am presuming that line above does not mean that it was a true SMTP, like from an smtp client. My outbound hotmail sent via an SMTP client will not show in my "webmail" sent items. However in madylarian 's case they had to at least log in via webmail in order to hijack her address book.

MGD

Re: Hotmail hacked?

Sat, 16 May 2009 00:52:29 EDT

madylarian posted : The password was 4 letters plus 4 numbers. The letters didn't spell anything, were not scrambled letters of a word, not in alpha order and not in any proximity on a keyboard. The numbers also were not in any particular order.

mady
--
Honi soit qui mal y pense

Re: Hotmail hacked?

Sat, 16 May 2009 00:52:17 EDT

MGD posted : Interesting, it appears in that case that the original mail did not originate from your machine. Rather from an IP in China. X-Originating-IP: [124.135.246.67]

IP 124.135.246.67
route: 124.128.0.0/13
descr: CNC Group CHINA169 Shandong Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060306
source: APNIC

person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: abuse@chinaunicom.cn
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-82993155
fax-no: +86-10-82993144
country: CN
changed: abuse@chinaunicom.cn 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC

person: Data Communication Bureau Shandong
nic-hdl: DS95-AP
e-mail: ip@sdinfo.net
address: No.77 Jingsan Road,Jinan,Shandong,P.R.China
phone: +86-531-6052611
fax-no: +86-531-6052414
country: CN
changed: ip@sdinfo.net 20050330
mnt-by: MAINT-CNCGROUP-SD
source: APNIC

However I like to see the "X-Originating-IP" show up again in the first received line. This would be preferable, where the X-originating also repeats in the first line:

quote:
...
..
Received: from 111.111.111.111 by BAY105-DAV11.phx.gbl with DAV;
Fri, 01 May 2009 13:58:56 +0000
X-Originating-IP: [111.111.111.111]
X-Originating-Email: [anyname@hotmail.com]
X-Sender: anyname@hotmail.com

Though in your case the foreign originating IP is substantiated by the fact that the mail is not in your sent box, which it would not be if it originated from IP 124.135.246.67 and was also sent sent via a script and not by going through an actual webmail login. So in your case your account credentials were used fom an IP in CHINA.

I wonder if there are other victims who do see the spam in sent items, or if they are all just reporting bounces.

MGD

Re: Hotmail hacked?

Sat, 16 May 2009 00:37:29 EDT

Snowy posted : Your account was accessed from China which is not a surprise.
Since you've been able to change it, what was the hacked password?
IM works too.

Re: Hotmail hacked?

Sat, 16 May 2009 00:22:15 EDT

madylarian posted : MGD: I was finally able to change my password. I guess I should have known that Hotmail doesn't play nice with Firefox.

To answer your other questions, I did see those other threads and there was nothing in my sent folder, no signature (I don't think I ever made one), no vacation response, and no embedded spamvertising other than that added by Hotmail.

And, as a matter of fact, I DO have one of the emails, including headers, from someone in my contact list. They are the person who told me this had happened. I'll post the headers below, but with email addresses redacted. FYI, I am on Comcast as is the recipient of this spam.

Microsoft Mail Internet Headers Version 2.0
Received: from PAOAKEXCSMTP01.cable.comcast.com ([10.52.116.30]) by
NJCHLEXCMB01.cable.comcast.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 8 May 2009 03:18:13 -0400
Received: from PACDCEXCSMTP04.cable.comcast.com ([24.40.15.118]) by
PAOAKEXCSMTP01.cable.comcast.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 8 May 2009 03:18:13 -0400
Received: from cable.comcast.com ([24.40.8.136]) by
PACDCEXCSMTP04.cable.comcast.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 8 May 2009 03:18:13 -0400
Received: from ([24.40.8.143])
by pacdcimi02.cable.comcast.com with ESMTP id 5503616.48522706;
Fri, 08 May 2009 03:17:49 -0400
Received: from ([65.54.246.76])
by pacdcedge01.cable.comcast.com with ESMTP id 5302275.EDGE;
Fri, 08 May 2009 03:17:48 -0400
Received: from BAY133-W11 ([65.55.138.46]) by bay0-omc1-s4.bay0.hotmail.com
with
Microsoft SMTPSVC(6.0.3790.3959);
Fri, 8 May 2009 00:17:48 -0700
Message-ID:
Return-Path: xxxxxx@hotmail.com
Content-Type: multipart/alternative;
boundary="_7480779a-6962-42dd-a54b-9ca742508180_"
X-Originating-IP: [124.135.246.67]
From:
To: , , ,
, ,
,
Subject: hi
Date: Fri, 8 May 2009 03:17:48 -0400
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 08 May 2009 07:17:48.0948 (UTC)
FILETIME=[17A0DD40:01C9CFAD]
X-esp: ESP=
SHA:
UHA:
BAYES:
SenderID:
DKIM:
TS:
SIG:
DSC:
TRU_embedded_image_spam:
TRU_phish_spam:
TRU_money_spam:
TRU_marketing_spam:
TRU_spam2:
TRU_medical_spam:
TRU_ru_spamsubj:
TRU_misc_spam:
TRU_adult_spam:
TRU_profanity_spam:
TRU_freehosting:
TRU_lotto_spam:
TRU_watch_spam:
TRU_urllinks:
TRU_scam_spam:
TRU_html_image_spam:
TRU_spam1:
TRU_playsites:
TRU_legal_spam:
URL Real-Time Signatures:
TRU_stock_spam:

--_7480779a-6962-42dd-a54b-9ca742508180_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--_7480779a-6962-42dd-a54b-9ca742508180_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--_7480779a-6962-42dd-a54b-9ca742508180_--

mady
--
Honi soit qui mal y pense

Re: Hotmail hacked?

Sat, 16 May 2009 00:13:45 EDT

MGD posted : Yes, they could run consecutive scripts after a wait time from multiple IPs and over time go through a load of passwords. I am not sure what the account lock out settings are for Hotmail.

They can also accrue the contacts in each account to provide a never ending pool of addresses. nwrickert 's phishing scenario is also valid, as I am sure they are not limiting themselves to a single vector. The issue for Live Help though is that there are such a wide range of victims that their error is just assuming that every compromised account report equals a victim who was conned out of their password or has an infected machine.

Many of the reports also describe an after effect of a malfunctioning account. Presumably the operation of sending spam to batches of a half dozen addresses at a time, and the addition of a spam signature is also a scripted event.

Though there are a considerable amount of similar reports over a long period, I do not see any reports of the known method of compromise, or detailed analysis. Clearly though, the purpose is identical, and the accounts appear "borrowed".

MGD

Re: Hotmail hacked?

Fri, 15 May 2009 23:49:18 EDT

Snowy posted :

said by MGD:

There is something else at work here, and it may involve direct scripting exploits at their end, or insecure session cookies that can be hijacked.

It could also be as fundamental as a common list of fairly uncommon passwords, or even common ones for that matter.
I suppose it wouldn't be too difficult to query a few hundred thousand hotmail accounts in a day using one less login attempt than would trigger an account lockout with hotmail, or anyone else.

Re: Hotmail hacked?

Fri, 15 May 2009 23:44:02 EDT

MGD posted : Selling knock off Apple products from China too, in 2008 many of these fake clones ended up on Ebay, all were useless junk.

Nice, anytime you see VISA and MASTERCARD logos alongside a WESTERN UNION logo, that means that they never accept credit card payments, only cash via WU. WU logos over rule all others, and will be the only form of payment accepted.

Lots of Flash, plus online chat, may not show up in siteshots:

»Aebcc.com
Snapped 2009-05-15 23:40:29

[imaging failed]
»Aoa8.com
Snapped 2009-05-15 23:40:11

»Aobcc.com
Snapped 2009-05-15 23:40:10

»Aobcc.net
Snapped 2009-05-15 23:39:51

»Buy-hot.com
Snapped 2009-05-15 23:39:29

»Buy-hot.net
Snapped 2009-05-15 23:39:09

»Elebc.com
Snapped 2009-05-15 23:38:46

»Malls-hot.com
Snapped 2009-05-15 23:38:26

»Sell-good.com
Snapped 2009-05-15 23:38:07

[imaging failed]
»Shopping333.com
Snapped 2009-05-15 23:37:48

EDIT=

Just about every search of any related domain name, or email address keyword brings up "someone is sending emails from my account" scattered over the last few months: »www.google.com/search?hl=en&q=ae···aq=f&oq=

MGD

Results for 58.30.225.41

01. Aebcc.com = SCAM FRAUD SPAMMERS FAKE PRODUCTS
02. Aoa8.com = SCAM FRAUD SPAMMERS FAKE PRODUCTS
03. Aobcc.com = SCAM FRAUD SPAMMERS FAKE PRODUCTS
04. Aobcc.net = SCAM FRAUD SPAMMERS FAKE PRODUCTS
05. Buy-hot.com = SCAM FRAUD SPAMMERS FAKE PRODUCTS
06. Buy-hot.net = SCAM FRAUD SPAMMERS FAKE PRODUCTS
07. Elebc.com = SCAM FRAUD SPAMMERS FAKE PRODUCTS
08. Malls-hot.com = SCAM FRAUD SPAMMERS FAKE PRODUCTS
09. Sell-good.com = SCAM FRAUD SPAMMERS FAKE PRODUCTS
10. Shopping333.com = SCAM FRAUD SPAMMERS FAKE PRODUCTS

Re: Hotmail hacked?

Fri, 15 May 2009 23:19:07 EDT

MGD posted :

said by madylarian:

..... Hotmail has a problem and they seem to refuse to acknowledge it.

mady

That identical issue has also been occurring with Yahoo accounts. Complaints about the Hotmail hijacking go back to at least the third quarter of 2008, with the identical scenario. The spam is always for domains registered in China, selling cheap counterfeit knock offs of everything from clothing to electronics.

You can see pages of reports of the identical spam with the same format of missing spaces in the text: »www.google.com/search?hl=en&q=%2···erful%22

Without the forced quotations more are pulled in: »www.google.com/search?hl=en&q=He···aq=f&oq=

I agree that it is most likely not a phishing issue, possibly related to session cookie hijacking, or some other flaw. The interesting fact is that many victims passwords are not changed, so I presume we can rule out some form of account resetting. Many victims also report that their account now contains an embedded signature of the spam that is sent along with every out bound mail that the victim subsequently processes.

I read you other forum post: »windowslivehelp.com/community/t/22022.aspx and if I understand it correctly, your password was not changed, though you are unable to change it now? Also, you said that the outbound spam mail does not show in your sent items? You don't by chance have a copy from one of the people in your address book, so that you can see from the headers what the originating IP was.?

I believe that there was a recent report in this forum about the identical issue, maybe several posts.

Here is a report from that above Google link from circa 12/2008: »www.hisstank.com/forum/general-d···unt.html

I also think that there could be a scripting exploit on Hotmail's servers, see these peculiar reports for example: »scoundrelpublishing.com/spart/vi···c93a748d

All have the common modus operandi though, batches of out bound mail to address contacts, all spamming the same type of Chinese domains.

In fact the one you listed sell-good.com is hosted on a server in China with other domains that also show up in victim reports:

Search Results for 58.30.225.41 [no reverse DNS set]

10 Results for 58.30.225.41 (Sell-good.com)

Website

01. Aebcc.com
02. Aoa8.com
03. Aobcc.com
04. Aobcc.net
05. Buy-hot.com
06. Buy-hot.net
07. Elebc.com
08. Malls-hot.com
09. Sell-good.com
10. Shopping333.com

Many seem to rotate between two DNS servers:

Sell-good.com

History:

2009-01-15 Transfer FROM 53dns.com TO 71one.com
2009-04-22 Transfer FROM 71one.com TO 53dns.com

A check of sites using the 53dns is inconclusive:

»www.gwebtools.com/ns-spy/dns1.53dns.com

Agree with Snowy I think Hotmail is missing the ball with that boiler plate response. There is something else at work here, and it may involve direct scripting exploits at their end, or insecure session cookies that can be hijacked.

Live Help has been sprouting that same secure your account response since back in December of 2008: »windowslivehelp.com/community/p/···024.aspx However there are enough reports from people who do not appear to have compromised PCs, or were phished. That earlier link has one victim who had all three of his hotmail accounts compromised simultaneoulsy.

MGD

Re: Hotmail hacked?

Fri, 15 May 2009 20:31:43 EDT

madylarian posted :

said by nwrickert:

It defies common sense that user side machines are being compromised for hotmail credentials.

These are not phishing emails. So far all of the ones I've seen are the same as the one I got:

Dear firend,
Hello.How are you doing recently?Some days ago, I came across a wonderful
electronic company on the web and had a pleasant chat with the sales manager who
can offer various kinds of digital products,such as the phone s, T V, noteboo
k, video, computers, Mp 4, GP S,PS 3, digital cameras and so on. He told me that
they are planning to lower the prices greatly in order to adapt to the global
economic crisis, so that they can expand their overseas market! I have bought a
computer,and i am very satisfied with their items and services.If you have
time,you can have a look.
Their website: sell-good.com

Their Email: sellgood@188.com
Their Msn: sell-good@msn.com

Do a search on "sell-good.com", or check these:
»windowslivehelp.com/community/t/22022.aspx
»windowslivehelp.com/community/t/35178.aspx

Hotmail has a problem and they seem to refuse to acknowledge it.

mady
--
Honi soit qui mal y pense

Re: Hotmail hacked?

Fri, 15 May 2009 20:13:54 EDT

Snowy posted : The larger, more organized groups that are involved with the exploitation of home machines for commercial purposes don't parse the data manually. It's done via keyword scripts & sometimes I may see an occasional "gmail" or "mail.yahoo" entry, I can't recall ever seeing "hotmail" used as a keyword.
I suppose a smaller operator might believe the few cents they would get for that info justifies the effort but the cost in terms of "lost" machines due to the rightful owner getting a heads up that they have may have a compromised machine because of a compromised hotmail account makes it a losing proposition.
But then again, anything is possible because trying to figure out what makes some of these people tick is next to impossible.

Re: Hotmail hacked?

Fri, 15 May 2009 20:11:53 EDT

nwrickert posted :

It defies common sense that user side machines are being compromised for hotmail credentials.

We see phishing activity to get student and faculty authentication data, and then the compromised accounts are used for spamming. It isn't the user machine being compromised in that case, but it also isn't the server being compromised.

I assume that the same kind of phishing activity goes on with hotmail, yahoo, gmail and similar services.

Incidentally, the phish mails I have seen for this typically ask for a response by email, so they don't contain any phish url that could be listed with »/phishtrack
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.10

Re: Hotmail hacked?

Fri, 15 May 2009 19:54:02 EDT

TearAbite posted : I'd disagree that accounts being compromised on the user end defies common sense, but i do agree that Hotmail accounts being hacked is on the increase. After one of my wife's old hotmail accounts was sending out money requests to all of her contacts via Western Union for her "trip to nigera", i did some searching and found that it is indeed happening to a LOT of other people, beginning around January or so of this year.

We use only Mac's, so the chances of one of our machines being compromised is very low - so something is going on here.

Re: Hotmail hacked?

Fri, 15 May 2009 19:48:33 EDT

Snowy posted : It's extremely irresponsible of hotmail to suggest that the problem is a user side problem. It defies common sense that user side machines are being compromised for hotmail credentials. Gathering hotmail credentials from compromised home machines isn't an activity I've ever seen or expect to ever see & trust me, I've seen a lot! :)

Hotmail hacked?

Fri, 15 May 2009 18:56:16 EDT

madylarian posted : I wasn't sure if this should go here or the Security forum, so mods can move it if it's in the wrong place.

After a spam was sent from my Hotmail account (which I only use for junk mail), I did some searching and found that this has happened to a LOT of people. The spam is for sell-good.com and typically is sent to everyone in one's contact list. I found posts about this back in March, but evidently it is still happening and Hotmail is being too damn quiet about it. Even posts about it in the WindowsLive forums only get canned responses to make sure their computers are not infected.

I don't care if I lose the Hotmail account as I have others that are equally useful and junk account accounts. What bothers me is that it appears as if Hotmail only wants to point a finger at the users when they need to look at their own servers!

Btw, yes, I am sure my computer is clean. Besides my installed and up-to-date antivirus, antimalware, and antispyware programs, scans by TrendMicro, Hijackthis and Malwarebytes were checked by one of DSLR's own experts.

mady
--
Honi soit qui mal y pense