Wednesday, April 11, 2012

Hacked Hotmail accounts... and the consequences

It's a trend I'm seeing more and more, even with some of my relatives:

Their Hotmail account is getting hacked, and from then on is being used by scammers or malware authors to spread their malicious intent.

In almost all cases, you'll receive an email with (No Subject), and the only content is a link pointing to some website. But wait: it seems that all those websites have (probably an outdated version of) Wordpress installed.

When you click the link, you will be redirected to either a scam/phishing page or scareware/rogueware.

Either way, you'll first get the following message:


Message you receive when clicking on the link

So let's take a closer look at the 2 scenarios you get on your plate:

Scenario #1 - scam


Scam page

In scenario number one, you'll be presented with an awesome News page, where you can read several testimonials of how great working from home is.

It also has some fascinating news stories on how to make lots of money by simply being at your comfortable home. This includes reactions on the articles - of course this is all fake.

If you click on any of the links on this website, you'll be ultimately redirected to - hxxp://internetprofitpacket.com

Administrative Contact:
WhoisGuard
WhoisGuard Protected
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US


UrlQuery Result:
Suspicious
http://urlquery.net/report.php?id=40849

URLvoid Result:
1/25 (4.00%)
http://www.urlvoid.com/scan/internetprofitpacket.com/


Ultimately you land on the following page:


Landing page where you'll need to pay

After paying a small price, you'll get lifetime access to the Internet Profit Package ! What honor !

Obviously, you'll get scammed and your credit card details might get stolen.


Scenario #2 - scareware

Likewise as in scenario #1, you'll get the nice message that you got here thanks to your friend.


Seems like you're infected ... right ?

You'll then be presented with a pop-up indicating critical process activity has been found and a scan will be launched... (I think we all know this one by now) :


Fake Explorer window indicating numerous infections

If you click on any button, a file will be downloaded with the name of setup.exe.

In this case, the file was downloaded from:
hxxp://fail-safetylow.info/bb61f9bcec711d56/29/setup.exe

This site and several other rogueware pages are hosted on the IP:
64.120.207.107


Several other rogueware sites are hosted on this IP


We'll now see some more details about the downloaded file:

setup.exe
Result: 5/40
MD5: 8b0c16a50c0bca1eb0b45bd411eb30e5
VirusTotal Report
ThreatExpert Report
Anubis Report

This file drops another executable:

Protector-hfpt.exe
Result: 5/42
MD5: f04cb906356f19a1dbf68c62f162c4e7
VirusTotal Report
Anubis Report


The payload is a rogueware called "Windows Antibreaking System" :


Windows Antibreaking System setup screen



Windows Antibreaking System main screen


Prevention

- Most important of all: use a strong password ! You can verify your current password, or create a new one to check its strength on the following website: http://www.passwordmeter.com

- Second important rule:
don't use the same password for each and every website !

- Be wary when receiving such a mail, even if it's from someone you know.

- Use browser extentions to verify the integrity of an image or URL. Useful add-ons are for example WOT or NoScript.

- Keep your Antivirus and browser, as well as your browser add-ons up-to-date.

- If it is too late and a 'scan' is already starting, immediately close your browser by bringing up Task Manager (CTRL + ALT + DEL) and killing your browser's process:
  • a) For Google Chrome: chrome.exe or chrome.exe *32
  • b) For Mozilla Firefox: firefox.exe or firefox.exe *32
  • c) For Microsoft's Internet Explorer: iexplore or iexplore.exe *32


Desinfection

If the harm is already done and you are getting warnings, messages or pop-ups stating you are infected and you need to take 'immediate action' to clean your computer, follow the guide below at BleepingComputer's to rid yourself of this malware:

BleepingComputer's Virus Removal


Also, if you know the sender personally, notify him/her that they've been hacked and they need to change their password. If you don't know the sender, immediately remove the email.

In Hotmail, you even have a useful option if you know the sender. Open the email, select Mark as and click on My friend's been hacked!


Help your friend by stating (s)he's been hacked


If you happen to have a Wordpress website, be sure to update it regularly as well as any Wordpress plugins you may have installed. This website will aid you in the matter: Hardening WordPress



Conclusion

Don't fall for either of these, in both cases you'll lose a lot of money !

Follow the above prevention tips to decrease the chance of your computer becoming infected.

12 comments:

  1. ummm ... Prevention ... most important of all ... use a unique password for hotmail ... don't use that password with any other websites

    ReplyDelete
    Replies
    1. Good point indeed. I have added it to the prevention tips.

      Delete
  2. Thanks for taking the time to explain all of this so clearly and with so much details for those that do not have the skills or cannot expend in the effort to investigate.
    My Hotmail was hijacked and I am pretty sure it was not a key logger so more likely MS had a breach of their Hotmail database in the past 8 years (when I last changed pwd)!
    I dug up some info. in my own quest to get to the root of this. This person is hijacking sites with weak security or ones that have not been set up yet(default pwd?). He then puts his clone page (of the same site) under a Sub directory on the Website - under themes or styles, etc. If you access the site using default directory then you get the normal page the real owner of created with no Trojan or Malware but if you access the hacked version of the page using the Email link AND pass a variable in the link then you get the dreaded scan pop-up.
    I looked the the sent folder and found the Emails the hacker had sent. They originated from [79.116.212.208] (Romania) and [46.134.218.228] (Spain) but for all i know they could be Zombie machines and the poor user does not know it their PC is controlled from elsewhere.
    In my case the links sent pointed to a inactive site and an active one, both hosted through "DreamHost" in CA.
    Here is one bogus link (notice it is buried under Themes and passing a variable) www.emlakkonutprojeleri.com/wp-content/themes/continuum/tifle.html?=
    eefv=3Dezs.jdg&jmi=3Dte.hkml&shc=3Dtctf

    I would have thought tracing the culprit to be as simple as tracing the merchant ID of the entity that turned in the credit card transactions, but I guess not.

    ReplyDelete
    Replies
    1. Hi Shahin,

      Thanks for sharing your analysis ! As stated in a previous post, site owners using Wordpress should take actions to secure their website.

      Most importantly by performing Wordpress updates and plugins they might be using.

      There is indeed no sure way to say if it's sent from an infected computer(/zombie) or not. Best thing to do is contact your relatives as soon as possible to not click on any of the links you(read: the hacker) might have sent out.

      Cheers !

      Delete
  3. My hotmail account also got recently hijacked. An email message with an empty subject field and a body containing just one link was apparently sent to everybody on my contact list, plus addresses that I had received mail from but are not on my contact list.

    The link varied among messages, one example being

    http://ichorentertainment.com/blog//wp-content/plugins/zdexeiuourc/site.php?expression225.img

    The sites being linked to vary, but the site.php file is common to all the messages. Download and examination (in a Unix system!) reports

    "site.php: UTF-8 Unicode HTML document text, with very long lines, with CRLF, LF line terminators"

    The links actually ends up redirecting to a legitimate web site (Unicef).

    The analysis of the header of one message received in a Unix system shows an X-Originating IP in Indonesia and the messages as having been sent from actual hotmail servers. However, no copies of them were left in my "Sent" folder, although my configuration is sent messages to be saved.

    I am including below the message source, with some fields removed for privacy.

    Thanks for your work!

    J. Brazio

    ========================================
    X-Account-Key: account1
    X-UIDL: 00010ad54c4d5b53
    X-Mozilla-Status: 1003
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    Return-Path: <****@hotmail.com>
    X-Original-To: ****@lx.it.pt
    Delivered-To: ****@lx.it.pt
    Received: from barracuda.lx.it.pt (barracuda.lx.it.pt [193.136.221.155])
    by cascais.lx.it.pt (Postfix) with ESMTP id B15FF17A20064
    for <****@lx.it.pt>; Wed, 18 Jul 2012 15:43:56 +0100 (WEST)
    X-ASG-Debug-ID: 1342622893-01e97b296f007a0001-G1WwBh
    Received: from col0-omc1-s12.col0.hotmail.com (col0-omc1-s12.col0.hotmail.com [65.55.34.22]) by barracuda.lx.it.pt with ESMTP id n1gsiA9CeVIiyDUg for <****@lx.it.pt>; Wed, 18 Jul 2012 15:48:13 +0100 (WEST)
    X-Barracuda-Envelope-From: ****@hotmail.com
    X-Barracuda-Apparent-Source-IP: 65.55.34.22
    Received: from COL102-W12 ([65.55.34.7]) by col0-omc1-s12.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
    Wed, 18 Jul 2012 07:48:10 -0700
    Message-ID:
    X-Barracuda-BBL-IP: 65.55.34.7
    X-Barracuda-RBL-IP: 65.55.34.7
    X-Originating-IP: [117.74.119.120]
    From: **** <****@hotmail.com>
    To: ****
    Subject:
    Date: Wed, 18 Jul 2012 14:48:10 +0000
    X-ASG-Orig-Subj:
    Importance: Normal
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    MIME-Version: 1.0
    X-OriginalArrivalTime: 18 Jul 2012 14:48:10.0870 (UTC) FILETIME=[5A053160:01CD64F4]
    X-Barracuda-Connect: col0-omc1-s12.col0.hotmail.com[65.55.34.22]
    X-Barracuda-Start-Time: 1342622893
    X-Barracuda-URL: http://barracuda.lx.it.pt:8000/cgi-mod/mark.cgi
    X-Virus-Scanned: by bsmtpd at lx.it.pt


    http://www.leopiccolo.com.ar/dev/dermatologia/wp-content/plugins/zoqlhnfdxc=
    f/site.php?cave225.gif

    ==========================================

    ReplyDelete
    Replies
    1. Hi J,

      Thanks for your detailed report ! I suspect they found out their Wordpress was hacked and removed the malware.

      Another possibility is the malware authors were only looking for certain Browser/User Agents and if not matched, redirect to Unicef for example.

      Cheers !

      Delete
  4. thanks for getting nice information

    ReplyDelete
  5. my account is hacked what i do for get back my account

    ReplyDelete
    Replies
    1. Hi,

      What to Do If Your Hotmail Account Is Hacked or Hijacked:
      http://social.technet.microsoft.com/wiki/contents/articles/1477.what-to-do-if-your-hotmail-account-is-hacked-or-hijacked.aspx

      Delete
  6. nice blog.. good replies. I agree with the replies given in here..I understood many things from this blog. thanks to all for providing such a nice information

    ReplyDelete
  7. Thank you for the excellent article. What I do for creating unique passwords for different websites and applications is add the first two letters of the application at the end.of the password. For example, with Facebook I add a 'fa' at the end of the password and so on.

    I have a blog on Internet security and privacy -- http://www.internetsecurity101.net -- so find your blog particularly interesting and informative.

    ReplyDelete
  8. Thank you for the excellent article. What I do for creating unique passwords for different websites and applications is add the first two letters of the application at the end.of the password. For example, with Facebook I add a 'fa' at the end of the password and so on.

    I have a blog on Internet security and privacy -- http://www.internetsecurity101.net -- so find your blog particularly interesting and informative.

    ReplyDelete