Nerds On Site

Windows LIVE email and password theft

In light of reduced SPAM as of late, I was somewhat surprised to see phishing and theft attempts as sophisticated as this come through to my inboxes today – at least one in each of my different email addresses, but all came from email accounts of friends on Facebook. I searched the major anti-virus and malware vendors as well as google and twitter and nothing turned up, so maybe I\’m just one of the first to be hit. Here\’s a message I received, and a similar one in each of my mailboxes:
\"\"
A few other variations are as follows:
SUBJECT: Very good
BODY: Click here to read this message
SUBJECT: wooow
BODY: click here to see the attached video
In each case the \”click here…\” is hyperlinked to somethingrandom.l13.me and the URL also contains the actual email address of you, the recipient.
It appears the originator of this spam/phishing attack at the very least is validating email addresses of people opening the message.
I also tried checking Google\’s SafeBrowsing service at this URL:
http://www.google.com/safebrowsing/diagnostic?site=l13.me
At the time of this writing, here is the result showing that it has not detected any malware on this site. I suspect this will change overnight:
\"\"
In case some great SPAM researchers come across this article, here is the full RAW source (except my email address has been replaced with [email protected]):
Part 1 of 2:
\"\"
Part 2 of 2:
\"\"
If you choose to click on URL in the email itself, that\’s when the spammer\’s phishing attack begins, and will prompt you for your Windows Live username & password. Note that it is NOT live.com, however, which means you\’re giving your username and password directly to the thief:
\"\"
As you might expect, the domain itself (l13.me) was only registered a week ago, and has its real ownership disguised:
\"\"
The same domain ownership disguise applies to videos4you.net where the phishing is actually hosted.
And finally, when I check to see where all the \”click here to view this message\” are being served from (somethingsomewhere.l13.me) they point to IP address 69.64.54.99 which is registered to Hosting Solutions International:
\"\"
Naturally, I have advised the abuse email address of this clearly-malicious intent and hope to have a quick response. I don\’t have any misgivings about how quickly the attacker can direct web traffic to a new host, or start generating spam with a newly-created domain elsewhere. The cat-and-mouse games just continue…
I just hope this anatomy of this particular SPAM message helps somebody somewhere avoid these types of traps, and perhaps we can all find a solution to cleaner and more productive email.
UPDATE #1:
IF you\’re a victim, here is Microsoft\’s article on what to do:
http://www.microsoft.com/security/online-privacy/phishing-scams.aspx#Victim

Leave a Comment

Your email address will not be published.

Scroll to Top