Their Hotmail account is getting hacked, and from then on is being used by scammers or malware authors to spread their malicious intent.
In almost all cases, you'll receive an email with (No Subject), and the only content is a link pointing to some website. But wait: it seems that all those websites have (probably an outdated version of) Wordpress installed.
When you click the link, you will be redirected to either a scam/phishing page or scareware/rogueware.
Either way, you'll first get the following message:
Message you receive when clicking on the link
So let's take a closer look at the 2 scenarios you get on your plate:
Scenario #1 - scam
Scam page
In scenario number one, you'll be presented with an awesome News page, where you can read several testimonials of how great working from home is.
It also has some fascinating news stories on how to make lots of money by simply being at your comfortable home. This includes reactions on the articles - of course this is all fake.
If you click on any of the links on this website, you'll be ultimately redirected to - hxxp://internetprofitpacket.com
Administrative Contact:
WhoisGuard
WhoisGuard Protected
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US
UrlQuery Result:
Suspicious
http://urlquery.net/report.php?id=40849
URLvoid Result:
1/25 (4.00%)
http://www.urlvoid.com/scan/internetprofitpacket.com/
Ultimately you land on the following page:
Landing page where you'll need to pay
After paying a small price, you'll get lifetime access to the Internet Profit Package ! What honor !
Obviously, you'll get scammed and your credit card details might get stolen.
Scenario #2 - scareware
Likewise as in scenario #1, you'll get the nice message that you got here thanks to your friend.
Seems like you're infected ... right ?
You'll then be presented with a pop-up indicating critical process activity has been found and a scan will be launched... (I think we all know this one by now) :
Fake Explorer window indicating numerous infections
If you click on any button, a file will be downloaded with the name of setup.exe.
In this case, the file was downloaded from:
hxxp://fail-safetylow.info/bb61f9bcec711d56/29/setup.exe
This site and several other rogueware pages are hosted on the IP:
64.120.207.107
Several other rogueware sites are hosted on this IP
We'll now see some more details about the downloaded file:
setup.exe
Result: 5/40
MD5: 8b0c16a50c0bca1eb0b45bd411eb30e5
VirusTotal Report
ThreatExpert Report
Anubis Report
This file drops another executable:
Protector-hfpt.exe
Result: 5/42
MD5: f04cb906356f19a1dbf68c62f162c4e7
VirusTotal Report
Anubis Report
The payload is a rogueware called "Windows Antibreaking System" :
Windows Antibreaking System setup screen
Windows Antibreaking System main screen
Prevention
- Most important of all: use a strong password ! You can verify your current password, or create a new one to check its strength on the following website: http://www.passwordmeter.com
- Second important rule: don't use the same password for each and every website !
- Be wary when receiving such a mail, even if it's from someone you know.
- Use browser extentions to verify the integrity of an image or URL. Useful add-ons are for example WOT or NoScript.
- Keep your Antivirus and browser, as well as your browser add-ons up-to-date.
- If it is too late and a 'scan' is already starting, immediately close your browser by bringing up Task Manager (CTRL + ALT + DEL) and killing your browser's process:
- a) For Google Chrome: chrome.exe or chrome.exe *32
- b) For Mozilla Firefox: firefox.exe or firefox.exe *32
- c) For Microsoft's Internet Explorer: iexplore or iexplore.exe *32
Desinfection
If the harm is already done and you are getting warnings, messages or pop-ups stating you are infected and you need to take 'immediate action' to clean your computer, follow the guide below at BleepingComputer's to rid yourself of this malware:
BleepingComputer's Virus Removal
Also, if you know the sender personally, notify him/her that they've been hacked and they need to change their password. If you don't know the sender, immediately remove the email.
In Hotmail, you even have a useful option if you know the sender. Open the email, select Mark as and click on My friend's been hacked!
Help your friend by stating (s)he's been hacked
If you happen to have a Wordpress website, be sure to update it regularly as well as any Wordpress plugins you may have installed. This website will aid you in the matter: Hardening WordPress
Conclusion
Don't fall for either of these, in both cases you'll lose a lot of money !
Follow the above prevention tips to decrease the chance of your computer becoming infected.
ummm ... Prevention ... most important of all ... use a unique password for hotmail ... don't use that password with any other websites
ReplyDeleteGood point indeed. I have added it to the prevention tips.
DeleteThanks for taking the time to explain all of this so clearly and with so much details for those that do not have the skills or cannot expend in the effort to investigate.
ReplyDeleteMy Hotmail was hijacked and I am pretty sure it was not a key logger so more likely MS had a breach of their Hotmail database in the past 8 years (when I last changed pwd)!
I dug up some info. in my own quest to get to the root of this. This person is hijacking sites with weak security or ones that have not been set up yet(default pwd?). He then puts his clone page (of the same site) under a Sub directory on the Website - under themes or styles, etc. If you access the site using default directory then you get the normal page the real owner of created with no Trojan or Malware but if you access the hacked version of the page using the Email link AND pass a variable in the link then you get the dreaded scan pop-up.
I looked the the sent folder and found the Emails the hacker had sent. They originated from [79.116.212.208] (Romania) and [46.134.218.228] (Spain) but for all i know they could be Zombie machines and the poor user does not know it their PC is controlled from elsewhere.
In my case the links sent pointed to a inactive site and an active one, both hosted through "DreamHost" in CA.
Here is one bogus link (notice it is buried under Themes and passing a variable) www.emlakkonutprojeleri.com/wp-content/themes/continuum/tifle.html?=
eefv=3Dezs.jdg&jmi=3Dte.hkml&shc=3Dtctf
I would have thought tracing the culprit to be as simple as tracing the merchant ID of the entity that turned in the credit card transactions, but I guess not.
Hi Shahin,
DeleteThanks for sharing your analysis ! As stated in a previous post, site owners using Wordpress should take actions to secure their website.
Most importantly by performing Wordpress updates and plugins they might be using.
There is indeed no sure way to say if it's sent from an infected computer(/zombie) or not. Best thing to do is contact your relatives as soon as possible to not click on any of the links you(read: the hacker) might have sent out.
Cheers !
My hotmail account also got recently hijacked. An email message with an empty subject field and a body containing just one link was apparently sent to everybody on my contact list, plus addresses that I had received mail from but are not on my contact list.
ReplyDeleteThe link varied among messages, one example being
http://ichorentertainment.com/blog//wp-content/plugins/zdexeiuourc/site.php?expression225.img
The sites being linked to vary, but the site.php file is common to all the messages. Download and examination (in a Unix system!) reports
"site.php: UTF-8 Unicode HTML document text, with very long lines, with CRLF, LF line terminators"
The links actually ends up redirecting to a legitimate web site (Unicef).
The analysis of the header of one message received in a Unix system shows an X-Originating IP in Indonesia and the messages as having been sent from actual hotmail servers. However, no copies of them were left in my "Sent" folder, although my configuration is sent messages to be saved.
I am including below the message source, with some fields removed for privacy.
Thanks for your work!
J. Brazio
========================================
X-Account-Key: account1
X-UIDL: 00010ad54c4d5b53
X-Mozilla-Status: 1003
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <****@hotmail.com>
X-Original-To: ****@lx.it.pt
Delivered-To: ****@lx.it.pt
Received: from barracuda.lx.it.pt (barracuda.lx.it.pt [193.136.221.155])
by cascais.lx.it.pt (Postfix) with ESMTP id B15FF17A20064
for <****@lx.it.pt>; Wed, 18 Jul 2012 15:43:56 +0100 (WEST)
X-ASG-Debug-ID: 1342622893-01e97b296f007a0001-G1WwBh
Received: from col0-omc1-s12.col0.hotmail.com (col0-omc1-s12.col0.hotmail.com [65.55.34.22]) by barracuda.lx.it.pt with ESMTP id n1gsiA9CeVIiyDUg for <****@lx.it.pt>; Wed, 18 Jul 2012 15:48:13 +0100 (WEST)
X-Barracuda-Envelope-From: ****@hotmail.com
X-Barracuda-Apparent-Source-IP: 65.55.34.22
Received: from COL102-W12 ([65.55.34.7]) by col0-omc1-s12.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 18 Jul 2012 07:48:10 -0700
Message-ID:
X-Barracuda-BBL-IP: 65.55.34.7
X-Barracuda-RBL-IP: 65.55.34.7
X-Originating-IP: [117.74.119.120]
From: **** <****@hotmail.com>
To: ****
Subject:
Date: Wed, 18 Jul 2012 14:48:10 +0000
X-ASG-Orig-Subj:
Importance: Normal
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 18 Jul 2012 14:48:10.0870 (UTC) FILETIME=[5A053160:01CD64F4]
X-Barracuda-Connect: col0-omc1-s12.col0.hotmail.com[65.55.34.22]
X-Barracuda-Start-Time: 1342622893
X-Barracuda-URL: http://barracuda.lx.it.pt:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at lx.it.pt
http://www.leopiccolo.com.ar/dev/dermatologia/wp-content/plugins/zoqlhnfdxc=
f/site.php?cave225.gif
==========================================
Hi J,
DeleteThanks for your detailed report ! I suspect they found out their Wordpress was hacked and removed the malware.
Another possibility is the malware authors were only looking for certain Browser/User Agents and if not matched, redirect to Unicef for example.
Cheers !
thanks for getting nice information
ReplyDeletemy account is hacked what i do for get back my account
ReplyDeleteHi,
DeleteWhat to Do If Your Hotmail Account Is Hacked or Hijacked:
http://social.technet.microsoft.com/wiki/contents/articles/1477.what-to-do-if-your-hotmail-account-is-hacked-or-hijacked.aspx
nice blog.. good replies. I agree with the replies given in here..I understood many things from this blog. thanks to all for providing such a nice information
ReplyDeleteThank you for the excellent article. What I do for creating unique passwords for different websites and applications is add the first two letters of the application at the end.of the password. For example, with Facebook I add a 'fa' at the end of the password and so on.
ReplyDeleteI have a blog on Internet security and privacy -- http://www.internetsecurity101.net -- so find your blog particularly interesting and informative.
Thank you for the excellent article. What I do for creating unique passwords for different websites and applications is add the first two letters of the application at the end.of the password. For example, with Facebook I add a 'fa' at the end of the password and so on.
ReplyDeleteI have a blog on Internet security and privacy -- http://www.internetsecurity101.net -- so find your blog particularly interesting and informative.