Hotmail account hacked. What now?

[security]

This topic is locked
27 replies to this topic

#16 OP BeerFan

    Neowinian Senior

  • Joined: 19-July 06

Posted 13 January 2012 - 11:21

First, thank you for all of the input! Multiple full scans with MSE, MalwareBytes and the rootkit detector described below have all come up clean. (Y)

You've got to be kidding me?!
Wow!
A WHOLE 7 months since last install? What the heck do you do for a living, TRY to ruin computers?!!
I have 8 Windows 7 machines that have NEVER been reinstalled and are as clean and fast as the day I installed 7, which was a couple days after it came out. Never have been able to figure out why so many people, here especially, are always suggesting format and do it so often?
If you must and are THAT paranoid, just do a thorough scan with Malwarebytes, your AV and whatever other malware program you have, in safe mode.
Ditch that crap a** not so hot, Hotmail also. Easily one of the worst e-mails in existence!

Opinions on email providers are great and all... but what I was looking for was technical reasons to support taking one action or another. But since you mentioned it, I'll add that I've had my Hotmail account since 2001, and receive only a couple of spam messages per week. I signed up for a new Gmail account several years back, and that one was immediately inundated with spam. It continues to receive I'd guess around 20 per day.

Also, my last reinstall of windows 7 was due to a hard drive crash. I completely agree that reinstalling 7 is needed vastly less frequently than on previous Windows OS's. But the days of XP and early Vista trained me to keep data separate from OS / program locations, so a reinstall is really not a big inconvenience for me.

Only way to be sure he is rid of the infection. ;)

BTW, read my sig ;)

I see your point, but what hard evidence is there to support an infection? My only symptom so far has been the password change and spam message sent. That all could easily have been done from the Hotmail site, right?

Have you got anything attached to that account? I'm thinking specifically of an Xbox LIVE account?
If yes, do you have any EA games for which you've had to sign up for the EA online account rubbish?

No XBox Live account. But I do have Battlefield 2 and 3 player accounts tied to my Hotmail address.

At OP: Sounds like you covered your bases pretty good there.. and as for the password hack, I really couldn't tell you how that happened! :s

A reinstall of Windows is probably not needed, although you might want to look at getting a key scrambler extension for your browser just to be on the safe side.

I haven't yet heard of a key scrambler extension, although I will look into it. I'm assuming that is an anti-keylogger measure of some sort?

You probably have a keylogger installed on your PC.
edit: Or you got phished.
Or you are using the same password everywhere, which is plain stupid.

If my system is fully updated and AV protected, plus I don't go around installing crap I don't know is safe, how would a keylogger make it onto my system? Nobody but me has physical access to my office PC.

Phishing requires me sending my info to somebody, right? Believe me, I've received my share of phishing requests, and I've laughed at every one. I'm not going to fall for a nicely-formatted email or website asking me to input my account info.

Also, I've never truly understood the logic behind the argument against using the same password everywhere. If the password is a complex and secure one, what is the added risk in using it at multiple sites or services?

What seems odd is that you say you saw spam in your offline copy of Sent. Was this email sent from your PC, or was it synced down from email sent via the web? If from the web, how did you get a copy? Because I would have to assume the first thing that would happen is a password change vs. just sending spam right away.

So the timeline of your account being accessed would be good to know in trying to figure out the method of their access. Was your machine infected, or was it just a simple brute force/guess on the web? 8 characters is not really very secure..

For example my Neowin password is 20 random characters using all four Ab1^ etc..


Very good point. I didn't think about the Sent folder needing to sync. I use Windows Live Mail for accessing my Hotmail account from my home PC, a Hotmail app for Android on my mobile, and the Hotmail site from anywhere else. Is there a way to determine the source of the sent message? Like you said, the only way I can see the sent spam message showing up in my Sent folder of my WLM program at home is if the spammer sent it before changing my PW, which I agree does seem odd.

As for timeline, I know that the sent spam message went out at 4:48am on the 11th, according to the message in the Sent folder. I had my account recovered by about 5:30am on the same day (yes, I wake up early - can't help it!)

Download TDSSKiller from Kaspersky (it's free) and run that as well.

http://support.kaspe...s?qid=208283363

Done and thank you! No rootkits detected.

I am going to guess that it is a phishing attack.

Out of curiosity, any evidence to support that? Like I mentioned above, I'm not easily fooled by attempts to solicit my info. I'm mildly paranoid, I suppose.

Scanning your PC would be a good idea. It's always a good idea to do this at least a couple of times a week.
Sounds like a phishing attack though, so you shouldn't be worried about having to reinstall Windows.

Scanned it a few times now with multiple tools, and no infections found. I'll admit I was secretly hoping to find an infection, just so that I could have a potential explanation for this madness.


#17 +BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 13 January 2012 - 12:25

"Is there a way to determine the source of the sent message?"

You should be able to look at the full headers of the message; also have one of the people that got the message send you the full headers. Should tell you if it was sent from the web or your client. I have to assume it was web sent -- makes more sense than a software infection using the local client to send email these days. Just not really done that way anymore.

Now how did they get your password is the question -- maybe a keylogger? Or just random luck/brute force against your account on the web. I don't use Hotmail -- do they tell you, like Gmail, where you have last been accessed from, etc.?

[attached screenshot: emailact.png]

If you cannot find anything with scanning -- fire up a sniffer and check to see that your machine is not making any connections anywhere or sending info, etc. Infections can hide from scanners - but they cannot hide what they do on the wire ;)

#18 Anthonyd

    Neowinian

  • Joined: 07-May 06

Posted 13 January 2012 - 13:46

Also, I've never truly understood the logic behind the argument against using the same password everywhere. If the password is a complex and secure one, what is the added risk in using it at multiple sites or services?

There we go, here is why your email account got "hacked".

When you register on a website, you provide a username/email and a password. This password is stored in a database which belongs to the website owner.
You are assuming that the website owner crypts & salts the password so we can know what you have to type on the keyboard as the password. But many times the password is stored plain, which means that anybody who has access to the database (website owner, hackers) can read your password, and use it anywhere else.

If you have followed the news over the last couple of months, you have probably seen many websites hacked (Sony, Square Enix, Epic Games, and so on). Some of those websites didn't store the encrypted password but the plain password, and if you didn't change your password, then hackers used it on Hotmail (since you registered on those websites with an email, they know where to use it).

So yeah, maybe you don't have any malware on your PC, but you used the same password everywhere and it's a big mistake. Also they probably have access to all your accounts since you can get an email to reset/get your password on some websites.

As usual, I recommend using one password for your email address, and 2/3 passwords on other websites.

Finally, I recommend you use KeePass, which is a password manager. It will help you to generate very complicated and unique passwords for every website. And it will remember the passwords for you :)
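To make the point in this post concrete, here is an added example (my own code, not from anyone in this thread): two toy "sites", one storing passwords as typed and one storing a per-user salt plus a PBKDF2-HMAC-SHA256 digest, and a function that asks which mailboxes open if each value from a leaked table is tried as-is at the mail provider. The site classes, the example users and the mail provider are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Tuple


class PlaintextSite:
    """Constructed example of the careless site: passwords stored as typed."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def register(self, email: str, password: str) -> None:
        self.table[email] = password

    def check(self, email: str, password: str) -> bool:
        return self.table.get(email) == password

    def dump(self) -> Dict[str, str]:
        # Exactly what anyone with database access (owner or intruder) sees.
        return dict(self.table)


class SaltedHashSite:
    """Constructed example of a careful site: random salt + PBKDF2 digest per user."""

    def __init__(self, iterations: int = 100_000) -> None:
        self.iterations = iterations  # production systems tune this higher
        self.table: Dict[str, Tuple[bytes, bytes]] = {}

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.table[email] = (salt, self._digest(password, salt))

    def check(self, email: str, password: str) -> bool:
        record = self.table.get(email)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison of the recomputed digest with the stored one.
        return hmac.compare_digest(self._digest(password, salt), stored)

    def dump(self) -> Dict[str, str]:
        # A leak of this table yields salt:digest strings, not passwords.
        return {e: salt.hex() + ":" + d.hex() for e, (salt, d) in self.table.items()}


def accounts_exposed_by_dump(dump: Dict[str, str], mail_provider: SaltedHashSite) -> List[str]:
    """Mailboxes that open when each dumped value is tried as-is at the mail provider.

    For a plaintext dump the stored value *is* the user's password; for a
    salted-hash dump it is salt:digest text that matches nothing.
    """
    return [e for e, value in dump.items() if mail_provider.check(e, value)]


def unique_password() -> str:
    """What a password manager does for you: a random, per-site secret."""
    return secrets.token_urlsafe(24)


def reuse_demo() -> Dict[str, object]:
    mail = SaltedHashSite()  # assume the mail provider stores passwords properly
    reused = "C0mpl3x&Long!Passw0rd"  # strong, but reused across sites

    careless = PlaintextSite()
    careless.register("a@example.com", reused)   # user A reuses on a plaintext site
    mail.register("a@example.com", reused)

    careful = SaltedHashSite()
    careful.register("b@example.com", reused)    # user B reuses on a salted-hash site
    mail.register("b@example.com", reused)

    careless.register("c@example.com", unique_password())  # user C: unique per site
    mail.register("c@example.com", unique_password())

    return {
        "from_plaintext_dump": accounts_exposed_by_dump(careless.dump(), mail),
        "from_hashed_dump": accounts_exposed_by_dump(careful.dump(), mail),
        # Same password, two salted sites: the stored digests differ, so one
        # site's table says nothing about the other's.
        "salted_records_differ": careful.table["b@example.com"][1] != mail.table["b@example.com"][1],
    }


if __name__ == "__main__":
    print(reuse_demo())
```

Only user A, who reused a strong password on a site that stored it in the clear, loses the mailbox; the strength of the password never entered into it. That is the answer to the "what is the added risk" question earlier in the thread.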

#19 Kenji

    Rather Fruity..

  • Joined: 15-November 06
  • Location: .uk

Posted 13 January 2012 - 13:52

Finally, I recommend you use KeePass, which is a password manager. It will help you to generate very complicated and unique passwords for every website. And it will remember the passwords for you :)

I use this. Just be sure to make a backup. I learnt this the hard way but was able to recover my Gmail password, and in turn was able to reset the passwords I had lost.

#20 OP BeerFan

    Neowinian Senior

  • Joined: 19-July 06

Posted 14 January 2012 - 02:50

Here's the contents of the message source. All I see that looks odd is the unfamiliar Nigerian "X-Originating-IP", but I'm not sure I know where to look.

Message-ID: <BAY157-W105E673413D19DDCC02249C49E0@phx.gbl>
BCC: snip
Content-Type: multipart/alternative;
boundary="_12039688-60b1-422a-b494-a3be65a63b4e_"
X-Originating-IP: [41.138.185.171]
From: snip
Subject: Vacation Issues!!!
Date: Wed, 11 Jan 2012 04:48:37 -0600
Importance: Normal
MIME-Version: 1.0

--_12039688-60b1-422a-b494-a3be65a63b4e_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


I have no other option than to write and call out for help=2C I am in a ter=
rible situation at the moment as I was robbed here in Madrid=2CSpain. I cam=
e down here on vacation with my family and we encountered this traumatic in=
cident=2C I have had an experience of such 3 years back when my wallet was =
picked off my pocket at the train station which has my ID and Credit Card i=
n it but this time=2C it's much worse as I lost all cash=2C credit card=2C =
my phone which I have with me for the vacation and my bag. It's a terrifyin=
g experience as I'm open to less opportunities right now=2C the good thing =
is that I still have my passport. I already filed a report to the police an=
d the embassy have been copied too but I don't see funds forth coming and w=
e might just still be stuck here. Please I need you to loan me 1850euros=2C=
I will pay you back right as soon as I'm back home. Kindly email me and le=
t me know if this is possible so I can give you the wiring instructions via=
Western Union . Looking forward to your email.
Regards -Brian
=

--_12039688-60b1-422a-b494-a3be65a63b4e_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

#21 OP BeerFan

    Neowinian Senior

  • Joined: 19-July 06

Posted 14 January 2012 - 03:10

There we go, here is why your email account got "hacked".

When you register on a website, you provide a username/email and a password. This password is stored in a database which belongs to the website owner.
You are assuming that the website owner crypts & salts the password so we can know what you have to type on the keyboard as the password. But many times the password is stored plain, which means that anybody who has access to the database (website owner, hackers) can read your password, and use it anywhere else.

Finally, I recommend you use KeePass, which is a password manager. It will help you to generate very complicated and unique passwords for every website. And it will remember the passwords for you :)


Ok, thanks for the info and suggestions. In that light, I suppose I can see how using the same password on a completely insecure website could lead to the compromise of login info to a much more secure site. I'll look into KeePass.

#22 OP BeerFan

    Neowinian Senior

  • Joined: 19-July 06

Posted 15 January 2012 - 14:17

Since the topic of SPAM came up, I decided to create an additional email account just to see what happened. So, I created a brand new Hotmail account, and did not use it at all. Within an hour or so, it received a phishing attempt spam email.

How does that happen so fast?

#23 +BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 15 January 2012 - 14:58

"How does that happen so fast?"

Because they send to random@populardomain.tld

So depending on what name you used -- say you used billy14, it's prob going to get spam more and faster than lsdjflsjdflfdlsfj4y2y32@hotmail.com, etc.

Would have liked to have seen the FULL headers with where it got sent, etc. But yeah that orig IP being from

address: Victoria Island
address: Lagos Nigeria
address: Lagos
address: Nigeria

points to being a web-based hack. If they had actually sent the email from your computer - then it wouldn't have shown their IPs at all. Just yours in the email headers. So the email did not actually come from your box, so your client pulled the email down from your account. So at some point they had sent mail before changing the password, etc.

Did I read it right you use the same password on more than 1 website?? Yeah that is really really BAD practice!!! Especially if other accounts point to your email address. If you want to use password1 on multiple websites -- ok depending on the type of site might not be that big of deal, but password1 should clearly not be the password you use on the email account you register with that website ;)

#24 Eddie7

    Hallo... www.connectw.me

  • Joined: 01-December 11
  • Location: Sydney, Australia
  • OS: Windows 7 Ultimate
  • Phone: 1-800-CALL-ME-MAYBE

Posted 15 January 2012 - 15:28

Had my Gmail hacked last night. WTF!

#25 OP BeerFan

    Neowinian Senior

  • Joined: 19-July 06

Posted 15 January 2012 - 21:45

Your computers are most likely fine, you just got tricked into a phishing site, or your password is/was password.


Neither of the above. Clearly you didn't read the whole thread, but thanks for your comment anyway.

#26 killerninja

    Neowinian

  • Joined: 15-June 11

Posted 22 January 2012 - 19:47

Neither of the above. Clearly you didn't read the whole thread, but thanks for your comment anyway.


do a golf ball tickle, works every time.

#27 jhendricks

    Resident One Post Wonder

  • Joined: 11-February 13

Posted 11 February 2013 - 21:16

I have the same problem. My Hotmail account is blocked. When I log into my Hotmail it says 'it looks like someone else might be using your account'. I changed my password but I am getting the same message. I also filled in the questionnaire and got a reply that they cannot verify my account since the details I filled in are incorrect. I filled in all the right details. I need my emails back, help !!!

#28 xendrome

    In God We Trust; All Others We Monitor

  • Tech Issues Solved: 13
  • Joined: 05-December 01
  • OS: Windows 8.1 Pro x64

Posted 11 February 2013 - 21:30

<<Thread Closed>>

Topic is from January 2012, please create your own topic for support instead of bumping one over a year old.