The anatomy of a Hotmail phishing attack

Phishing schemes have become increasingly common and, as we have seen over the past couple of days, can come as a big shock to members of the public who are not aware of how these scams work and therefore do not realise when they are falling for one.

As has been confirmed today, phishing attacks are widespread across many different webmail services - such as Hotmail, Gmail and Yahoo! Mail - but they can also be designed to fool users of social networking websites, and even to trick people into handing their bank details over to complete strangers.

The problem with most phishing scams is that they are so well designed that even web-savvy users can fall for them. The emails look genuine and the webpages they link to also look legitimate, in both their design and their URL.

Here is a real example of a phishing email recently sent to some Windows Live Hotmail users:

The most obvious flaw in this email is that the message is marked as Arabic, so the text is rendered right-to-left instead of left-to-right. Look closer, however, and you will see many of the standard tricks of phishing emails.

The email claims to be from Microsoft Customer Support, which many would readily believe. For those who might want further proof, it says that it is from a "postmaster" address (a "postmaster" mailbox is conventionally the contact for the administrator of any mail server). Both of these tricks are used to make the email appear genuine and, along with the subject line "An important message for your email", to encourage the recipient to open the message. Neither is any evidence of where the message came from: the From header is plain text chosen by whoever sends the message, and a phisher can put any address in it.

So now that you may have been tricked into opening the message, let's look at the content. The text is written in a very simple style to make it easy to read and to match the style of writing that an authentic message from Microsoft might use. The Windows Live logo is included because most Hotmail users will be familiar with it and with the brand, and so will be more trusting of the text that follows. The image itself is a file hosted on Microsoft's own servers and used by the company in other correspondence, so anyone can embed it anywhere, as you can see below:

The message talks about how the reader "must configure" their account which will encourage them to follow the instructions included, making them subconsciously scared of any bad consequences - such as having their account closed or deleted - if they do not. The text says there should be a code included in the email and, because it is not there, many readers of the message will think there is some problem that can be solved by clicking the link - which is the only other prominent thing in the email - so will be more likely to do so.

The link text is the URL of Windows Live Account, a genuine Microsoft website where you really do configure your account. The URL even has parameters attached to make it look more legitimate: the standard mkt parameter used on many Windows Live URLs (here set to EN-EN, English being something that applies to anyone able to read the message) and a random alphanumeric string that looks like an ID specific to the recipient of the message.

To make the message look even more real, it ends with a jovial sign-off and a standard copyright notice, referring to Microsoft to again draw on any trust that you might have in the brand.

As with the vast majority of phishing messages, actually clicking the link in the email loads a different URL from the one written in the link text. In this case it leads to: [domain removed].com/

Compare this with the official login page for Windows Live Account:

At a quick glance they look very similar. Both contain login.srf, wsignin and aspx along with seemingly random strings of numbers. The thing to notice is that the official login page is on the login subdomain of the genuine Microsoft domain, whereas the URL that the email pointed to has many subdomains, so the domain that the page is actually hosted on (the part the phisher registered) sits at the right-hand end of a long hostname, hidden in the middle of the address as a whole. Everything to the left of that registered domain is a subdomain the phisher can name however they like, which is why the familiar-looking hostname can appear at the front.

This is a problem that web browsers are trying to solve, with many including filters that warn you when you are on a suspicious website. Internet Explorer 8 also introduced domain highlighting to make it much clearer which domain you are actually on.

Looking at the contents of the bogus page shows that the layout is exactly the same as a slightly older version of the current standard Windows Live ID login screen. As in the email, the images shown are actually hosted on Microsoft servers. Because the page is so familiar, people will not think twice about entering their login details, just as they would on the genuine login screen. The difference is that when you click the Sign in button, instead of logging you in as you expect it submits your details to the phishers and then reloads the same page. Many will simply try again, which lets the phishers confirm your details by checking that you typed the same email address and password each time.
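The two checks described above - whether the brand's domain is the domain the link really lands on or merely a label inside a longer hostname, and where the login form actually posts the credentials - can be automated. What follows is an added example, not code from the original article or from Microsoft. The hostnames, the tiny public-suffix stub, the allowlist of trusted domains and the HTML fragments are all constructed for illustration (the real phishing address is redacted in the article), and the link check goes a little beyond the article by also catching the user@host form of the same trick.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Stand-in for the public suffix list (assumed for the example only; the real
# list has thousands of entries and is what production code should use).
PUBLIC_SUFFIXES = ("com", "net", "org", "co.uk")

# Hypothetical allowlist of registrable domains the brand really signs users in on.
TRUSTED_DOMAINS = {"live.com", "microsoft.com"}


def registrable_domain(host: str) -> str:
    """Public suffix plus one label: the part an attacker must actually register.

    Every label to the left of it is a subdomain the registrant names freely,
    which is how 'login.live.com' can appear at the front of a hostile host.
    """
    labels = host.lower().rstrip(".").split(".")
    # Longest suffix first so 'co.uk' is matched before single-label suffixes.
    for suffix in sorted(PUBLIC_SUFFIXES, key=lambda s: -s.count(".")):
        n = suffix.count(".") + 1
        if len(labels) > n and labels[-n:] == suffix.split("."):
            return ".".join(labels[-n - 1:])
    return ".".join(labels)


def classify_link(url: str) -> str:
    """'genuine' if the link lands on a trusted domain, 'lookalike' if a trusted
    domain only appears inside the host (or as user@ credentials), else 'untrusted'."""
    parts = urlsplit(url)
    if "@" in parts.netloc:
        # http://login.live.com@phish.example/: the brand is the username,
        # the real host is whatever follows the '@'.
        return "lookalike"
    host = (parts.hostname or "").lower()
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "genuine"
    padded = "." + host + "."
    if any("." + t + "." in padded for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "untrusted"


class _FormScanner(HTMLParser):
    """Record each form's action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def credential_sinks(page_url: str, html: str) -> list:
    """Registrable domain that each password form on the page posts to.

    A relative or empty action resolves against the page's own URL, so a form
    that 'reloads the same page' still posts to the host the page is served from.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    sinks = []
    for form in scanner.forms:
        if form["password"]:
            target = urljoin(page_url, form["action"])
            sinks.append(registrable_domain(urlsplit(target).hostname or ""))
    return sinks


def harvests_credentials(page_url: str, html: str) -> bool:
    """True if any password form posts somewhere outside the trusted domains."""
    return any(d not in TRUSTED_DOMAINS for d in credential_sinks(page_url, html))


# Constructed sample pages (not the real, redacted phishing site).
FAKE_URL = "https://login.live.com.wsignin.login.srf.phish-example.net/login.srf"
FAKE_HTML = """<html><body>
<img src="https://login.live.com/logo.gif">
<form method="post" action="post.php">
  <input type="text" name="login"><input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form></body></html>"""

REAL_URL = "https://login.live.com/login.srf?wa=wsignin1.0"
REAL_HTML = """<form method="post" action="https://login.live.com/ppsecure/post.srf">
<input type="text" name="login"><input type="password" name="passwd"></form>"""

if __name__ == "__main__":
    for url in (REAL_URL, FAKE_URL, "https://login.live.com@phish-example.org/login.srf"):
        print(classify_link(url).ljust(10), url)
    print("fake page posts to:", credential_sinks(FAKE_URL, FAKE_HTML), harvests_credentials(FAKE_URL, FAKE_HTML))
    print("real page posts to:", credential_sinks(REAL_URL, REAL_HTML), harvests_credentials(REAL_URL, REAL_HTML))
```

The point of registrable_domain is that a string match for "live.com" is not enough: the genuine host and the lookalike both contain it, and only the suffix-plus-one rule tells them apart. The form check matters even when the page looks identical, because the images can be (and here are) loaded from Microsoft while the password goes somewhere else entirely.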

After eventually giving up trying to log in on the fake website, many people would still be none the wiser that they had just handed over their email address and its associated password to fraudsters. Not only does this allow them to read your emails or use your account to send spam, but - once in your inbox - they can pick up any personal details that you may have in your messages, such as your bank or PayPal accounts, and that leaves you wide open to threats ranging from identity theft to credit card fraud.

If you are concerned that you may have been caught up in a phishing scam on your Hotmail or Windows Live account then take a look at the advice from Microsoft, or find out how to help protect yourself from these difficult to spot scams.


"Oh, and there is no such thing as a "who blocked me on msn" service,"

I guess that's what you get when an MSN user is a paranoid freak who cries like a baby when someone blocks them.

the real problem is, it doesn't matter how genuine the mail looks, a company is never going to send you a mail asking to do some registration process unless YOU specifically did something to trigger it. If every internet user would finally get this in their head the world would be a much better place ;)

Oh, and there is no such thing as a "who blocked me on msn" service, it's a phishing attack, spread the news and humanity will be better off

I'm surprised anyone can even make out what's being said in order to get scammed. "Enter to the URL representing this message". Seriously... WTF? People must have just clicked it willy-nilly.

We need an equivalent of the old 'mail-brick' solution used for junk snail-mail.

When someone receives an unwanted junk mail item they simply tape a brick to the item and write 'Not at this address' on it. The Post Office is then legally obliged to return the mail item - with attached brick - to the sender. They are not allowed to remove the brick. The sender then has the expense of paying for the postage of the brick. A serious financial disincentive even if only a few hundred do it.

If we could do something like this with spammers and phishers it would be great.

Someone should start spamming the spammers, ie. input a whole lot of fake username/passwords so it makes it a lot harder to distinguish which are legit and which are not. Fight fire with fire!

Thanks for the notice. I would like to laugh at people that still believe this is only a Windows problem, and actually think that it will not affect Mac and/or Linux OSes.

Believe me, there are lots of people who do that.

That's why phishing is still the general attack that catches people nowadays.

The first things that scream to me from that email:
1. There are awkwardly worded sentences
2. The page is aligned right with punctuation in strange places (to the English language)

If I were to get that e-mail, I would have instantly said "Something isn't right" and deleted it. I seriously don't get the people that fall for that crap.

I found the pastebin Google cache thanks to the BBC's footage showing a few emails from the list.

The list is still going around all the pastebin sites. Anyone who's anyone can get access to the list within seconds.

Mr Dan said,
Yeah but 4channers are real *******s when it comes to stuff like this :/

Not really, Microsoft has blocked access to all the e-mails.

Hmm... I feel sick of these scam emails...
Just while reading this post, I got an email... It asked for my username/pwd etc...

I gave the user name as the same where it came from... ( and sent the following attached email.

But many people around here still think many of these emails are real & they send their password with correct D.o.B too :-(

I thought replying to spam is a bad idea because it tells the spammers/systems that your email is an active account? (Depending on the type of spam I guess)

I just delete the stuff or throw it into the junk folder so the email address gets flagged

If you start counting the people least panicked by this attack - I'll be in the very first lines, I think.

Anyway - the problem is major & you have to admit that.
NOT ONLY: people respond to phishing mails & provide correct details
BUT ALSO: the passwords (from the leaked list) carry a great pattern for those who care about it.

Most of the UK residents' passwords bear "beatles" or a similar UK-based obsession keyword. US-based IDs carry love & loser things & Mid-Europe includes god/satan disorders (even after 10+ years of the movie "Hackerz"). Only Latin Americans' are a bit innovative in their own special way. :P

In my opinion, the most prominent reason for PHISHING attacks is - cryptic & long login URLs.
& it's time to direct users to & get all the data through POST, removing complexity (from the users' end).

Deathray said,
I thought replying to spam is a bad idea because it tells the spammers/systems that your email is an active account? (Depending on the type of spam I guess)

I just delete the stuff or throw it into the junk folder so the email address gets flagged

Ya, true...