Author |
Message |
Blake
| Posted on Thursday, February 18, 2010 - 03:07 pm: |
|
A friend's Hotmail email account has been hacked. I've not been able to contact him yet, just left a message on his voicemail at home. I don't know if this is an isolated case or indicative of something more widespread. The email message was as follows:

Hello, I'm writing this with tears in my eyes, i came down here to London, England for a short vacation and i got mugged at gun point last night at the park of the hotel where i lodged, all cash, credit cards and cell were stolen off me. I am even owing the hotel here, the hotel manager won't let me leave until i settle the hotel bills, now am freaked out. So i have limited access to emails for now, please i need you to lend me some money so i can make arrangements and return back. I am full of panic now, the police only asked me to write a statement about the incident and directed me to the embassy, i have spoken to the embassy here but they are not responding to the matter effectively. I will return the money back to you as soon as i get home, I am so confused right now. i wasn't injured because I complied immediately. I will be waiting to hear from you. Kind Regards [name redacted].

The originating email address was verified and valid, but when you look at the email header information and find the initial originating IP, it shows up as follows:

X-Originating-IP: [41.219.223.222]

Checking the origin of that IP shows that it is Nigerian. Beware, folks! If they don't refer to you by name, and if they claim a hotel is holding them (illegal), then it is likely a phishing scam, even if you recognize the email address and find that it is valid. Any web experts know anything about this? I read a report that a bunch of servers had been attacked recently, but this is different. Yet it may be a result of data mining operations? |
Hootowl
| Posted on Thursday, February 18, 2010 - 03:14 pm: |
|
His account may not have been compromised. Forging the "from" address in SMTP is ridiculously simple. |
Drkside79
| Posted on Thursday, February 18, 2010 - 03:17 pm: |
|
Same thing with Facebook and pretty much everything else. If you can't talk face to face, never send anything and never respond. |
Blake
| Posted on Thursday, February 18, 2010 - 04:12 pm: |
|
It wasn't forged. The header would have revealed that. |
Froggy
| Posted on Thursday, February 18, 2010 - 04:24 pm: |
|
If it was forged, how would it have known Blake's email and the guy's name? My guess is spyware on his computer, or his account was compromised. How did it happen? Could be a number of ways. I have seen some really convincing looking "phishing" sites that look identical to normal pages like Hotmail.com, but the username and password boxes are bogus and just collect whatever you put in. |
Trackdad
| Posted on Thursday, February 18, 2010 - 04:27 pm: |
|
My BIL had the same thing happen to him right before Christmas! Same type of BS announcement and $$$. |
Babired
| Posted on Thursday, February 18, 2010 - 04:40 pm: |
|
Blake, I got the same one, and I just talked to him; his e-mail was hacked. K, I posted it on Stormfront's DC thread. |
Swordsman
| Posted on Thursday, February 18, 2010 - 04:48 pm: |
|
I had a Chinese company hack my Gmail account, send spam advertisements to all my contacts, and then blanked my contact list. Luckily they didn't go to the trouble of deleting all my emails as well (I have years of them stored up!). That was a major PITA to rebuild that contact list. It was my own fault for having a stupid-simple 4-character password. If they can crack this new one, they deserve to get in. ~SM |
Hootowl
| Posted on Thursday, February 18, 2010 - 05:07 pm: |
|
Malware is likely, but since the origin was Nigeria, I figured it was simply forged. Does hotmail have servers in Nigeria? If his PC was the origin of the email (malware) the originating IP would not be in Nigeria. |
Blake
| Posted on Thursday, February 18, 2010 - 05:22 pm: |
|
Hotmail documents the originating IP of the computer that is accessing its webmail feature, yes? Pretty sure it does, as do other prevalent webmail providers. Here's the header info with email addresses removed to foil the spambots:

Delivered-To: (my gmail email addy)
Received: by 10.216.45.139 with SMTP id p11cs44943web; Thu, 18 Feb 2010 09:53:21 -0800 (PST)
Received: by 10.224.73.29 with SMTP id o29mr2713301qaj.31.1266515600080; Thu, 18 Feb 2010 09:53:20 -0800 (PST)
Return-Path: (sender's hotmail email addy)
Received: from snt0-omc4-s12.snt0.hotmail.com (snt0-omc4-s12.snt0.hotmail.com [65.55.90.215]) by mx.google.com with ESMTP id 8si3364381qwj.11.2010.02.18.09.53.19; Thu, 18 Feb 2010 09:53:20 -0800 (PST)
Received-SPF: pass (google.com: domain of (sender's hotmail email addy) designates 65.55.90.215 as permitted sender) client-ip=65.55.90.215;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of (sender's hotmail email addy) designates 65.55.90.215 as permitted sender) smtp.mail=(sender's hotmail email addy)
Received: from SNT115-W7 ([65.55.90.201]) by snt0-omc4-s12.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 18 Feb 2010 09:52:37 -0800
Message-ID: <SNT115-W7898A32D7630F5587C9FBA9470@phx.gbl>
Return-Path: (sender's hotmail email addy)
Content-Type: multipart/alternative; boundary="_4515745a-e76a-4d10-93ca-00952b2c1d14_"
X-Originating-IP: [41.219.223.222]
Reply-To: (sender's hotmail email addy)
From: (sender's name and hotmail email addy)
Subject: Help!!!
Date: Thu, 18 Feb 2010 17:52:36 +0000
Importance: Normal
MIME-Version: 1.0
Bcc:
X-OriginalArrivalTime: 18 Feb 2010 17:52:37.0272 (UTC) FILETIME=[282E6180:01CAB0C3]

--_4515745a-e76a-4d10-93ca-00952b2c1d14_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable |
Hootowl
| Posted on Thursday, February 18, 2010 - 05:32 pm: |
|
Thanks for posting the header. Can't really tell what's going on without that. I had no idea an email composed in a web browser would have the IP of the originator embedded in the SMTP header. SMTP was born long before the whole web mail portal concept. Seems to me like the sender was simply using an SMTP mail client. That would definitely have the sender IP in the header. Anybody know for sure? |
Ulynut
| Posted on Thursday, February 18, 2010 - 05:43 pm: |
|
I got one of those about 3 years ago. It was suspicious because my friends never ask for money, so I asked the person what my nickname was in high school, and they never responded. So I knew it was a scam. I let my friend know this, and he changed all his bank accounts as well as Email address. |
Hootowl
| Posted on Thursday, February 18, 2010 - 05:55 pm: |
|
I just sent myself an email from my gmail account (I don't have hotmail) and nowhere in the header does the public IP address of the machine I was on when I sent it appear. It only has the IP addresses of the servers that processed the mail. In a client based SMTP email, the client machine is part of the chain. Doesn't appear to be the case with a web based mail portal. Hotmail may be different. |
Blake
| Posted on Monday, February 22, 2010 - 12:47 pm: |
|
Good to know. Must just be a hotmail thing. Sure seems like something that ought to be included in the transmitted email info though. |
Hootowl
| Posted on Monday, February 22, 2010 - 01:46 pm: |
|
I'm sure Hotmail has a log of the event, but SMTP was born long before spam came to be. It was not designed with security in mind, and at the time, no one had even heard of a web mail portal. It's essentially telnet, but on a different port. The SMTP part of the conversation doesn't start at your web browser, so the SMTP header should not contain your IP. |
Doon
| Posted on Monday, February 22, 2010 - 02:04 pm: |
|
Nope, that email was composed in the Hotmail UI (i.e. via the web). If it came via an external client there would have been different headers in there, indicating how it was injected (XMLRPC / etc.). My guess is password either bruteforced or obtained via keylogger/phish. This seems to be a pretty common scam: try to get friends to Western Union money to $badguys before the compromised account is found out. Yes hootowl, Google doesn't include the originating IP (much to the chagrin of anti-spam fighters like myself), but most other webmail services do (Hotmail, Yahoo, etc.). Normally it will show up in the optional X-Originating-IP header, or sometimes it will show up in a Received header, such as "received from x.z.y.23 via HTTP...". There are tons and tons and tons of different Received lines out there, which makes parsing them all and getting the exact information you want out of the headers a PITA sometimes... |
Hootowl
| Posted on Monday, February 22, 2010 - 02:35 pm: |
|
Thanks Doon, that's very interesting. Odd that a company who claims "don't be evil" as their mantra, would set up their wildly popular mail services so as to make spam fighting more difficult when the capability obviously exists to embed the browser IP into the mail. |
Doon
| Posted on Monday, February 22, 2010 - 02:48 pm: |
|
hootowl, "Don't be evil" == marketing. Now I think it is "don't be too evil", or "don't be caught doing evil". I've had mixed reasons. Some say it is a privacy issue, some say it is an architecture issue, i.e. there are so many different machines it could hit/bounce around that it gets lost, etc. The problem is that it is a huge double-edged sword. I can't outright just block all of Gmail from sending to our users. With things like Hotmail we can look at the injection point, and go hmm, Nigeria, oh and the content mentions bank account, etc. Then ratchet up the score as it has even greater possibility of being 419, etc... |
Reepicheep
| Posted on Monday, February 22, 2010 - 05:24 pm: |
|
Here is what I think happened...

Delivered-To: (my gmail email addy)
Received: by 10.216.45.139 with SMTP id p11cs44943web; Thu, 18 Feb 2010 09:53:21 -0800 (PST)
Received: by 10.224.73.29 with SMTP id o29mr2713301qaj.31.1266515600080; Thu, 18 Feb 2010 09:53:20 -0800 (PST)
Return-Path: (sender's hotmail email addy)
Received: from snt0-omc4-s12.snt0.hotmail.com (snt0-omc4-s12.snt0.hotmail.com [65.55.90.215]) by mx.google.com with ESMTP id 8si3364381qwj.11.2010.02.18.09.53.19; Thu, 18 Feb 2010 09:53:20 -0800 (PST)
Received-SPF: pass (google.com: domain of (sender's hotmail email addy) designates 65.55.90.215 as permitted sender) client-ip=65.55.90.215;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of (sender's hotmail email addy) designates 65.55.90.215 as permitted sender) smtp.mail=(sender's hotmail email addy)

Everything above here you can trust as far as you can trust Google. Google inserted it.

Received: from SNT115-W7 ([65.55.90.201]) by snt0-omc4-s12.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 18 Feb 2010 09:52:37 -0800
Message-ID: <snt115-w7898a32d7630f5587c9fba9470@phx.gbl>
Return-Path: (sender's hotmail email addy)
Content-Type: multipart/alternative; boundary="_4515745a-e76a-4d10-93ca-00952b2c1d14_"
X-Originating-IP: [41.219.223.222]

The part above here (before the Google part) was inserted by Hotmail. I think Hotmail is trying to tell us this was a remote user client (Outlook?) using SMTP protocols to send email from their local machine (41.219.223.222), which is a Nigerian IP address (surprise surprise). SMTP can (AFAIK) be either authenticated or unauthenticated. Seems irrational to use an unauthenticated SMTP and put the "hotmail" seal of approval on it, but it wouldn't be the first really stupid thing Microsoft has done in terms of security.

Reply-To: (sender's hotmail email addy)
From: (sender's name and hotmail email addy)
Subject: Help!!!
Date: Thu, 18 Feb 2010 17:52:36 +0000
Importance: Normal
MIME-Version: 1.0
Bcc:
X-OriginalArrivalTime: 18 Feb 2010 17:52:37.0272 (UTC) FILETIME=[282E6180:01CAB0C3]

--_4515745a-e76a-4d10-93ca-00952b2c1d14_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

The rest of this is whatever the heck the client wants to make up, which means it could be anything. So either Microsoft is running a non-authenticated SMTP server (which could make it really easy to pretend to be any Hotmail user based on big spam mailing lists), or it is authenticated, but at some point the victim got a password compromised. SMTP is non-encrypted, so I suspect any bot on the same physical network that is sniffing the wire can intercept the password (though I have not reviewed the specific SMTP authentication standards, perhaps it is public key, but I doubt it). If you were using only web mail clients, and only using HTTPS (SSL), the wire sniffer CANNOT get anything useful besides the domain you visited. So ironically, webmail via HTTPS is far more secure than local mail on your local machine. See if your buddy ever uses Outlook or Outlook Express connected up to his Hotmail account. If so, that's probably how he got popped. Some other machine on a network he was on using it was popped, sniffed the password from the wire (trivial), and sent that credential to a Russian or Chinese drop box, and the credentials were then sold to some Nigerian for about 50 cents (if he bought them in bulk). |
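The trust boundary Reepicheep draws through the header, and the X-Originating-IP / Received placement Doon describes, as an added example that is not part of this thread: a small Python script that walks the Received stamps of a constructed header modelled on the one posted (placeholder addresses; the hosts, IPs and timestamps are the ones quoted), finds the hand-off our own MX actually observed, and reports the provider's claimed client IP separately from it. The own_domain argument and the placeholder addresses are assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample modelled on the header quoted in this thread (placeholder addresses).
RAW_HEADERS = """Delivered-To: recipient@gmail.example
Received: by 10.216.45.139 with SMTP id p11cs44943web; Thu, 18 Feb 2010 09:53:21 -0800 (PST)
Received: from snt0-omc4-s12.snt0.hotmail.com (snt0-omc4-s12.snt0.hotmail.com [65.55.90.215]) by mx.google.com with ESMTP id 8si3364381qwj.11.2010.02.18.09.53.19; Thu, 18 Feb 2010 09:53:20 -0800 (PST)
Received-SPF: pass (google.com: domain of sender@hotmail.example designates 65.55.90.215 as permitted sender) client-ip=65.55.90.215;
Received: from SNT115-W7 ([65.55.90.201]) by snt0-omc4-s12.snt0.hotmail.com
        with Microsoft SMTPSVC(6.0.3790.3959); Thu, 18 Feb 2010 09:52:37 -0800
X-Originating-IP: [41.219.223.222]
From: Friend <sender@hotmail.example>
Subject: Help!!!

(body omitted)
"""

IPV4 = r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?"

def parse_received(value):
    """Pull the 'from' host, its bracketed IP and the 'by' host out of one Received stamp."""
    flat = re.sub(r"\s+", " ", value)          # undo header folding
    m_from = re.search(r"\bfrom (\S+)(?: \(([^)]*)\))?", flat)
    m_by = re.search(r"\bby (\S+)", flat)
    m_ip = re.search(IPV4, m_from.group(0)) if m_from else None
    return {"from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1).rstrip(";") if m_by else None}

def analyse(raw, own_domain):
    """Walk the Received stamps newest-first. 'by'-only stamps are internal relays; the first
    stamp with a 'from' that our own server wrote is the hand-off we saw. Below it: claims."""
    msg = message_from_string(raw, policy=policy.default)
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    handoff = None
    for i, hop in enumerate(hops):
        if hop["from"] is None:
            continue
        by = hop["by"] or ""
        if by == own_domain or by.endswith("." + own_domain):
            handoff = i
        break                                  # first real hand-off decides either way
    m_spf = re.match(r"\s*(\w+)", str(msg.get("Received-SPF", "")))
    m_orig = re.search(IPV4, str(msg.get("X-Originating-IP", "")))
    return {"handoff_host": hops[handoff]["from"] if handoff is not None else None,
            "handoff_ip": hops[handoff]["ip"] if handoff is not None else None,
            "spf": m_spf.group(1) if m_spf else None,   # vouches for the hand-off server only
            "claimed_origin": m_orig.group(1) if m_orig else None,  # provider's claim about client
            "hops_beyond_handoff": len(hops) - handoff - 1 if handoff is not None else len(hops)}
```

Run against the sample it reports 65.55.90.215 as the hand-off Google verified by SPF, one further Hotmail-written hop, and 41.219.223.222 as the origin Hotmail claims; a Gmail-originated message, as Hootowl found, would simply have no claimed origin.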
Hootowl
| Posted on Monday, February 22, 2010 - 05:40 pm: |
|
Spyware harvested password is most likely what happened. You have to have access to network hardware to sniff a password. Not impossible, but not likely either. Not as likely as spyware. Or just a flat out weak password that they brute forced. I also thought it was an email client that sent the mail, but I'm no messaging expert, and I've been wrong before. Just ask my ex-wife. |
Whatever
| Posted on Monday, February 22, 2010 - 08:02 pm: |
|
Those friggin turds did the same thing to me, but I got a hold of the hotel in London that they indicated was holding the passport because this was a very dear friend of mine... took some effort as cell would not allow an international call... I reported them to FBI IC3 online. I am still pissed... |
Vampress
| Posted on Monday, February 22, 2010 - 08:26 pm: |
|
We get this junk all the time. Not quite hacking, just fairly specific spam. Got a couple last week from "USPS" asking me to open the attached 'invoice' to receive my parcel (zip file attached!). A few from a Nigerian banker who happened across 10 million dollars and (wouldn't ya know it...) the real heir just died. If I only had sent that $1000 to get the ball rolling, huh? I even get Russian brides asking me to marry them!! Hahaha. The virus files are scary though if you didn't know what to look for. It scares me that my father is now on the internet... he is totally clueless to this stuff. I even had to buy his cell phone for him before he gave the world his credit details. They're making the emails more personally engaging today. Even the cookie bearing spam emails with the 'forward this or you will have bad luck yada yada' play well on people's conscience. |