Question about hacking web-mail (hotmail) accounts

[Virus Guy]

Today I got a strange e-mail from a friend that I seldom have had e-mail
contact with.

He has a hotmail account, and header analysis shows that the e-mail did
indeed originate from hotmail.

The subject was simply "video.."

I've reproduced the message body as it appears in raw source format:

--------------5200e5eee77f48869a
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<b><span style="font-size: 20pt;">
<a alt="{alpha-numeric-here}
{alpha-numeric-here}
{alpha-numeric-here}"
id="{alpha-numeric-here}
{alpha-numeric-here}"
href="alpha-numeric.cw9.me/[email protected]/alpha-
numeric-here------_ViewMsg" >
Click here to read this message</a>

--------------5200e5eee77f48869a
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<b><span style="font-size: 20pt;">
<a alt="{alpha-numeric-here}
{alpha-numeric-here}
{alpha-numeric-here}"
id="{alpha-numeric-here}
{alpha-numeric-here}"
href="alpha-numeric.cw9.me/[email protected]/alpha-
numeric-here------_ViewMsg" >
Click here to read this message</a>
--------------5200e5eee77f48869a

Everywhere you see "alpha-numeric-here" is where there was a string of
seemingly random alpha-numeric characters. These strings were not
identical.

When viewed normally, there is only 1 line of text that says "Click here
to read this message". That line is hyper-linked to a URL at the domain
cw9.me. That domain appears to have been registered yesterday.

I'd like to hear your ideas as to what the link is supposed to do. It
appears to be a track-back link of some sort (enabling the server to log
valid e-mail addresses). It also seems to spawn a request to
maxmind.com (a domain that was blocked by my hosts file). A simple http
request to cw9.com spawns this re-direction:

http://j.maxmind.com/app/geoip.js

If you try it, and look at geoip.js, you'll see a brief IP-geolocation
report your IP address.

If you try cw9.com in a browser without any web-blocking, it looks like
you get hit with a bunch of advertizing.

So if anyone wants to follow up on what is being attempted by this URL,
please post back your analysis.

I had my friend with the comprimized hotmail account login into his
account and check his sent folder. Sure enough, there were lots of
examples of this e-mail being sent to all of his contacts. In my case,
based on looking at the e-mail headers, the perp seems to have logged in
from (or through) an IP address in Argentina.

So, if anyone here knows anything about the operational details of how a
web-mail account gets hacked and used, here are my questions:

1) why doesn't the perp (or the automated process behind these
activities) delete the spams it sends from the victim's sent-mail
folder?

2) why doesn't the perp (or the automated process) change the victim's
account password so that he/it has exclusive and continuous use of the
account?

3) and here's the 64 thousand dollar question -> is it known if these
accounts are comprimized through a password-cracking process, or was the
password knowable because the victim's personal computer (the computer
typically used to access the web-mail account) was hacked (trojanized,
keylogged, etc)?

What are the odds that my friend's computer (2-year-old win-7 machine of
some sort) is infected with something, and that "something" is how the
hackers learned of the hotmail password?

 

[Virus Guy]

That's not the full Hotmail header.

I said it was the full message body. There was no need to reproduce the
header (because it has no bearing on the context of my questions).

 

[David H. Lipman]

I said it was the full message body. There was no need to reproduce the
header (because it has no bearing on the context of my questions).

Except the source.

 

[Virus Guy]

Except the source.

I'm not following you.

The password for a hotmail account has become known to a third party
(call him a hacker, cracker, criminal, what-ever you want).

E-mails were sent through hotmail using the account's credentials.
Copies of those e-mails are present in the sent folder of the account.

I am most curious as to how the account password became comprimized.

How is you seeing the full header going to speak to that question?

 

[Virus Guy]

Can't tell without the alphanumerics, which is/are likely to be
affiliate code/s of some kind. Substituting random letters & numbers
gets a 404.

Ok, so after disabling my hosts file, I played around with the original
url by substituting a fake e-mail address. So for example, a wget
performed on this:

hxxp://xxxxxxxxxxxxxx.cw9.me/[email protected]/xxxxxxxxxxxxxxxxxxxxxn_ViewMsg

Results in this:

<script language="JavaScript" src="hxxp://j.maxmind.com/app/geoip.js">
</script>
<script> top.location.href = '/redir_main.php?to=****@off.com&cty=' +
geoip_country_name();
</script>

Clearly, they first want to get some geographic information about you
and then include that in the URL they redirect you to for the subsequent
redirections.

When run in a browser, I don't see the hit to maxmind.com, but instead I
see this:

hxxp://ww104.dbyli.com/track_main.php?id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&id=4

or sometimes here:

hxxp://internettestbank.com/d/alphanum%2F%2Fww66.dbyli.com%2Ftrack_main.php%3Fid%3Dalphanum%26id%3D4

Then here:

hxxp://ww140.dbyli.com/video_alphanun

Which interestingly was a fake Microsoft Live login screen - but only
the first time I hit it. All other attempts get redirected through
here:

http://ww104.dbyli.com/track_main.php?id=alphanum&id=4

And then land on page like these:

hxxp://www. rewardscentre.net/?session_id=12345678
hxxp://www. electronicssavingsoutlet.net/?session_id=12345678
hxxp://www. edealsandbargains.net/?session_id=12345678

If you try this first, I think you'll find it will work without having
the actual alpha-numeric code:

hxxp://12345678.cw9.me/[email protected]/12345678_ViewMsg

(or insert any fake e-mail address you want)

Seems to be some sort of auction scam for which you have to sign
up and pay a subscription.

Well, what-ever these things are, they don't seem to push any exploits
at you.

As to how they get login details, it's either social engineering
or malware - both very common.

By social engineering - you mean my friend might have encountered a fake
hotmail login screen at some point in the past?

 

[David W. Hodgins]

I am most curious as to how the account password became comprimized.

http://it.slashdot.org/story/12/04/...mail-0-day-flaw-after-widespread-exploitation

Regards, Dave Hodgins

 

[FromTheRafters]

I'm not following you.

The password for a hotmail account has become known to a third party
(call him a hacker, cracker, criminal, what-ever you want).

That might not be exactly true. I don't know the full details of how
hotmail works it, but in some cases where a password is used *only* the
client knows that password.

[...]

 

[FromTheRafters]

Yeah, I know. I spend very little time on it. I only have 3 friends.
On FaceBook, that is...

That's pitiful - or so I've heard.

Before I deactivated my Facebook account I logged on one day to find two
pages of Korean girls wanting to be my friend. I'm a friendly guy, but
not *that* friendly.