[security] Hotmail account hacked. What now?

[BeerFan]

Hello folks,

My personal Hotmail account was hacked yesterday. I knew something was up when I fired up my email program in the morning and received a message saying that my password was invalid. So, I went to the Hotmail site, entered my normal credentials, and received the same message there. Knowing that I hadn't changed my password in a few months, I clicked on the "I forgot my password" link. Hotmail gave me the option to have a password link sent to an alternative account, but the email address it listed was a Yahoo that was not mine, so i couldn't not successfully reset my own password. Doh!

Next, i went back to my email program, put it in Offline Mode, and checked the messages in my Sent folder. Sure enough, there was a message from a spammer with very poor English and begging for a few thousand Euros there that had been sent to everyone in my contacts list. Doh x2!

So, my next step was to contact Hotmail's customer support. They have a long list of questions to answer if you think your account has been compromised. I answered all of their questions and submitted my info. Within half an hour, I received a reply with a password reset link. (They sent this reply to an external email address that I specified.) I successfully reset my password and had access to my Hotmail again, and immediately sent a follow-up apology to my contacts, stating that the previous email could be ignored and that I had NOT been robbed while traveling in Madrid.

Next step was to check my email settings. The hacker had changed my settings so that all incoming email would be automatically forwarded to an account that was not mine. I fixed that, then went in and also changed my security questions. I also went and changed my passwords for every other online banking, personal info, social networking, etc site that I have bookmarks for. I spent about 1.5 hours making sure I had covered all the bases.

So, my questions are: 1) How the heck did this happen? Was it likely just a "brute force" attack? My previous password was an fairly strong combination of upper and lowercase letters, numbers, and a special character that did not contain any words, wasn't guessable, and was 8 characters long.

And 2) What else do I need to do? Should I ditch the Hotmail account altogether? Do I need to worry about my home PC's security? I'm running a fully-updated Windows 7 Ultimate x64 with MSE and MalwareBytes. I'm considering a wipe / reinstall for good measure (and because it has been 7 months since last install).

Thanks in advance for your input. (Y)

[xdot.tk]

Format and reinstall.

[cork1958]

Format and reinstall.

You've got to be kidding me?!

Wow!

A WHOLE 7 months since last install? What the heck do you do for a living, TRY to ruin computers?!!

I have 8 Windows 7 machines that have NEVER been reinstalled and are as clean and fast as the day I installed 7, which was a couple days after it came out. Never have been able to figure out why so many people, here especially, are always suggesting format and do it so often?

If you must and are THAT paranoid, just do a thorough scan with Malwarebyts, your AV and what ever other malware program you have, in safe mode.

Ditch that crap a** not so hot, Hotmail also. Easily one of the worst e-mails in existence!

[xdot.tk]

Only way to be sure he is rid of the infection. ;)

BTW, read my sig ;)

[fenderMarky]

Ditch that crap a** not so hot, Hotmail also. Easily one of the worst e-mails in existence!

Sorry, not now.

[spacer]

You've got to be kidding me?!

Wow!

A WHOLE 7 months since last install? What the heck do you do for a living, TRY to ruin computers?!!

I have 8 Windows 7 machines that have NEVER been reinstalled and are as clean and fast as the day I installed 7, which was a couple days after it came out. Never have been able to figure out why so many people, here especially, are always suggesting format and do it so often?

If you must and are THAT paranoid, just do a thorough scan with Malwarebyts, your AV and what ever other malware program you have, in safe mode.

Ditch that crap a** not so hot, Hotmail also. Easily one of the worst e-mails in existence!

There is no AV that is 100% accurate in detection or cleaning. If your system is compromised there is no way running an AV is safer than reformatting and starting from scratch.

[LACSr]

While spacer is correct "There is no AV that is 100% accurate in detection or cleaning." I would give this procedure a go before making the decision to reformat: http://forums.cnet.com/7726-6132_102-5098912.html?tag=posts;msg5165373

If those scans come back clean, then you should be good. Now if you are still paranoid, then the only way to make really sure is to get a new hard drive, remove the old hard drive and start over with a clean install. Do not let the present system see the new hard drive. This is even safer than reformatting and starting from scratch. It depends on the paranoia.

[ckempo]

Have you got anything attached to that account? I'm thinking specifically of an Xbox LIVE account?

If yes, do you have any EA games for which you've had to sign up for the EA online account rubbish?

[Steven P. Administrators]

At OP: Sounds like you covered your bases pretty good there.. and as for the password hack, I really couldn't tell you how that happened! :s

A reinstall of Windows is probably not needed, although you might want to look at getting a key scrambler extension for your browser just to be on the safe side.

[Anthonyd]

You probably have a keylogguer installed on your PC.

edit: Or you got fished.

Or you are using the same password everywhere, which is plain stupid.

[dancedar]

Give your pc a thorough sweep with av and malware cleaners then switch to Gmail, turning on it's 2-step authentication. it sends an sms code you have to enter in addition to your password when accessing from a new device/app. Your password could be guessed but they'd need your phone as well to access your account.

[+BudMan MVC]

what seems odd is you say in your offline copy of sent you saw spam sent. Was this email sent from your pc, or was it synced down from email sent via the web? If from the web, how did you get a copy because I would have to assume first thing would happen is password change vs just sending spam right away.

So the timeline of your account be accessed would be good to know in trying to figure out the method of their access. Was your machine infected, or was it just a simple brute/guess on the web. 8 characters is not really very secure..

for example my neowin password is 20 random characters using all four Ab1^ etc..

[Kosh Naranek]

Download TDSSKiller from kaspersky (it's free) and run that as well.

http://support.kaspe...s?qid=208283363

[Mockingbird]

I am going to guess that it is a phishing attack.

[bgjerlow]

Scanning your PC would be a good idea. It's always a good idea to do this at least a couple of times a week.

Sounds like a phishing attack though, so you shouldn't be worried about having to reinstall Windows.

[BeerFan]

First, thank you for all of the input! Multiple full scans with MSE, MalwareBytes and the rootkit detector described below have all come up clean. (Y)

You've got to be kidding me?!

Wow!

A WHOLE 7 months since last install? What the heck do you do for a living, TRY to ruin computers?!!

I have 8 Windows 7 machines that have NEVER been reinstalled and are as clean and fast as the day I installed 7, which was a couple days after it came out. Never have been able to figure out why so many people, here especially, are always suggesting format and do it so often?

If you must and are THAT paranoid, just do a thorough scan with Malwarebyts, your AV and what ever other malware program you have, in safe mode.

Ditch that crap a** not so hot, Hotmail also. Easily one of the worst e-mails in existence!

Opinions on email providers are great and all... but what I was looking for was technical reasons to support taking one action or another. But since you mentioned it, i'll add that I've had my Hotmail account since 2001, and receive only a couple of spam messages per week. I signed up for a new Gmail account several years back, and that one was immediately inundated with spam. It continues to receive i'd guess around 20 per day.

Also, my last reinstall of windows 7 was due to a hard drive crash. I completely agree that reinstalling 7 is needed vastly less frequently than on previous Windows OS's. But the days of XP and early Vista trained me to keep data separate from OS / program locations, so a reinstall is really not a big inconvenience for me.

Only way to be sure he is rid of the infection. ;)

BTW, read my sig ;)

I see your point, but what hard evidence is there to support an infection? My only symptom so far has been the password change and spam message sent. That all could easily have been done from the Hotmail site, right?

Have you got anything attached to that account? I'm thinking specifically of an Xbox LIVE account?

If yes, do you have any EA games for which you've had to sign up for the EA online account rubbish?

No XBox Live account. But I do have Battlefield 2 and 3 player accounts tied to my Hotmail address.

At OP: Sounds like you covered your bases pretty good there.. and as for the password hack, I really couldn't tell you how that happened! :s

A reinstall of Windows is probably not needed, although you might want to look at getting a key scrambler extension for your browser just to be on the safe side.

I haven't yet heard of a key scrambler extension, although I will look into it. I'm assuming that is an anti-keylogger measure of some sort?

You probably have a keylogguer installed on your PC.

edit: Or you got fished.

Or you are using the same password everywhere, which is plain stupid.

If my system is fully updated and AV protected, plus I don't go around installing crap I don't know is safe, how would a keylogger make it onto my system? Nobody but me has physical access to my office PC.

Phishing requires me sending my info to somebody, right? Believe me, I've received my share of phishing requests, and I've laughed at every one. I'm not going to fall for a nicely-formatted email or website asking me to input my account info.

Also, I've never truly understood the logic behind the argument against using the same password everywhere. If the password is a complex and secure one, what is the added risk in using it at multiple sites or services?

what seems odd is you say in your offline copy of sent you saw spam sent. Was this email sent from your pc, or was it synced down from email sent via the web? If from the web, how did you get a copy because I would have to assume first thing would happen is password change vs just sending spam right away.

So the timeline of your account be accessed would be good to know in trying to figure out the method of their access. Was your machine infected, or was it just a simple brute/guess on the web. 8 characters is not really very secure..

for example my neowin password is 20 random characters using all four Ab1^ etc..

Very good point. I didn't think about the Sent folder needing to sync. I use Windows Live Mail for accessing my Hotmail account from my home PC, a Hotmail app for Android on my mobile, and the Hotmail site from anywhere else. Is there a way to determine the source of the sent message? Like you said, the only way i can see the sent spam message showing up in my Sent folder of my WLM program at home is if the spammer sent it before changing my PW, which i agree does seem odd.

As for timeline, I know that the sent spam message went out at 4:48am on the 11th, according to the message in the Sent folder. I had my account recovered by about 5:30am on the same day (yes, I wake up early - can't help it!)

Download TDSSKiller from kaspersky (it's free) and run that as well.

http://support.kaspe...s?qid=208283363

Done and thank you! No rootkits detected.

I am going to guess that it is a phishing attack.

Out of curiosity, any evidence to support that? Like I mentioned above, I'm not easily fooled by attempts to solicit my info. I'm mildly paranoid, i suppose.

Scanning your PC would be a good idea. It's always a good idea to do this at least a couple of times a week.

Sounds like a phishing attack though, so you shouldn't be worried about having to reinstall Windows.

Scanned it a few times now with multiple tools, and no infections found. I'll admit i was secretly hoping to find an infection, just so that i could have a potential explanation for this madness.

[+BudMan MVC]

"Is there a way to determine the source of the sent message?"

You should be able to look at the full headers of the message, also have one of the people that got the message send you the full headers. Should tell you if sent from the web or your client. I have to assume it was web sent -- makes more sense then software infection using the local client to send email these days. Just not really done that way anymore.

Now how did the get your password is the question -- maybe a keylogger? Or just random luck/brute against your account web. I don't use hotmail -- do they tell you like gmail where you have last been accessed from, etc.

If you can not find anything with scanning -- fire up a sniffer and check to see that your machine is not making any connections anywhere or sending info, etc. Infections can hide from scanners - but they can not hide what they do on the wire ;)

[Anthonyd]

Also, I've never truly understood the logic behind the argument against using the same password everywhere. If the password is a complex and secure one, what is the added risk in using it at multiple sites or services?

There we go, here is why your email account got "hacked".

When you register on a website, you provide and username/email and a password. This password is stored on a database which belong to the website owner.

You are assuming that the website owner crypt&salt the password so we can know what you have to type on the keyboards as password. But many times the password is plain stored, which means that anybody who has acces to the database (website owner, hackers) can read your password, and use it anywhere else.

If you have followed the news since the last couples of month, you have probably seen many website hacked (sony, square enix, epic games, and so on). Some on thoses website didn't stored the crypted password but the plain password, and if you didn't change your password, then hackers used it on hotmail (since you registered on thoses website with an email, they know where to use it).

So yeah, maybe you dont' have any malware on your PC, but used the same password everywhere and it's a big mistake. Also they probably have access to all your accounts since you can get an email to reset/get your password on some website.

As usuall, I recommend to use one password for your email adresss, and 2/3 passwords on others website.

Finally, I recommend you to use keypass which is a password manager. It will help you to generate very complicated and unique password for every website. And he will remember the passwords for you :)

[Kenji]

Finally, I recommend you to use keypass which is a password manager. It will help you to generate very complicated and unique password for every website. And he will remember the passwords for you :)

I use this. Just be sure to make a backup, I learnt this the hard way but was able to recover my gmail password, in turn able to reset the passwords i had lost.

[BeerFan]

Here's the contents of the message source. All i see that looks odd is the unfamiliar Nigerian "X-Originating-IP", but i'm not sure i know where to look.

Message-ID: <BAY157-W105E673413D19DDCC02249C49E0@phx.gbl>

BCC: snip

Content-Type: multipart/alternative;

boundary="_12039688-60b1-422a-b494-a3be65a63b4e_"

X-Originating-IP: [41.138.185.171]

From: snip

Subject: Vacation Issues!!!

Date: Wed, 11 Jan 2012 04:48:37 -0600

Importance: Normal

MIME-Version: 1.0

--_12039688-60b1-422a-b494-a3be65a63b4e_

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

I have no other option than to write and call out for help=2C I am in a ter=

rible situation at the moment as I was robbed here in Madrid=2CSpain. I cam=

e down here on vacation with my family and we encountered this traumatic in=

cident=2C I have had an experience of such 3 years back when my wallet was =

picked off my pocket at the train station which has my ID and Credit Card i=

n it but this time=2C it's much worse as I lost all cash=2C credit card=2C =

my phone which I have with me for the vacation and my bag. It's a terrifyin=

g experience as I'm open to less opportunities right now=2C the good thing =

is that I still have my passport. I already filed a report to the police an=

d the embassy have been copied too but I don't see funds forth coming and w=

e might just still be stuck here. Please I need you to loan me 1850euros=2C=

I will pay you back right as soon as I'm back home. Kindly email me and le=

t me know if this is possible so I can give you the wiring instructions via=

Western Union . Looking forward to your email.

Regards -Brian

=

--_12039688-60b1-422a-b494-a3be65a63b4e_

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

[BeerFan]

There we go, here is why your email account got "hacked".

When you register on a website, you provide and username/email and a password. This password is stored on a database which belong to the website owner.

You are assuming that the website owner crypt&salt the password so we can know what you have to type on the keyboards as password. But many times the password is plain stored, which means that anybody who has acces to the database (website owner, hackers) can read your password, and use it anywhere else.

Finally, I recommend you to use keypass which is a password manager. It will help you to generate very complicated and unique password for every website. And he will remember the passwords for you :)

Ok, thanks for the info and suggestions. In that light, I suppose i can see how using the same password on a completely insecure website could lead to the compromise of login info to a much more secure site. I'll look into KeePass.

[BeerFan]

Since the topic of SPAM came up, I decided to create an additional email account just to see what happened. So, I created a brand new Hotmail account, and did not use it at all. Within an hour or so, it received a phising attempt spam email.

How does that happen so fast?

[+BudMan MVC]

"How does that happen so fast?"

Because they send to random@populardomain.tld

So depending on what name you used -- say you used billy14, its prob going to get spam more and faster than lsdjflsjdflfdlsfj4y2y32@hotmail.com, etc.

Would of liked to have seen the FULL headers with where it got sent, etc. But yeah that orig ip being from

address: Victoria Island

address: Lagos Nigeria

address: Lagos

address: Nigeria

Points to being a webbased hack, if they had actually sent the email from your computer - then it wouldn't of shown their ips at all. Just yours in the email headers. So the email did not actually come from your box, so your client pulled the email down from your account. So at some point they had sent mail before changing the password, etc.

Did I read it right you use the same password on more than 1 website?? Yeah that is really really BAD practice!!! Especially if other accounts point to your email address. If you want to use password1 on multiple websites -- ok depending on the type of site might not be that big of deal, but password1 should clearly not be the password you use on the email account you register with that website ;)

[Royalty]

Had my Gmail hacked last night. WTF!

[BeerFan]

Your computers are most likely fine, you just got tricked into a phishing site, or your password is/was password.

Neither of the above. Clearly you didn't read the whole thread, but thanks for your comment anyway.