The anatomy of a Hotmail phishing attack

Phishing schemes have become increasingly common and, as we have seen over the past couple of days, can come as a big shock to members of the public who are not aware of the concept of these scams and therefore do not notice when they are falling for one.

As has been confirmed today, phishing attacks are widespread across many different webmail services - such as Hotmail, Gmail and Yahoo! Mail - but they can also be designed to fool users of social networking websites and even trick people into handing their bank details over to complete strangers.

The problem with most phishing scams is that they are so well designed that even the most web-savvy users can fall for them. The emails that are sent look genuine and the webpages that they link to also look legitimate, in both their design and URL.

Here is a real example of a phishing email recently sent to some Windows Live Hotmail users:

Obviously the main flaw with this email is that the encoding is set to Arabic and the text is therefore formatted right-to-left instead of left-to-right. However, look closer and you will see many of the tricks of phishing emails.

The email says that it is from Microsoft Customer Support, something that many would easily believe. For those that might want further proof, the email says that it is from (the "postmaster" address is very commonly used to identify the administrator of any email server). Both of these tricks have been used to make the email appear genuine and, along with the subject of An important message for your email, encourage the recipient to open the message.

So now that you may have been tricked into opening the message, let's look at the content. The text is written in a very simple style to make it easy to read and to match the style of writing that an authentic message from Microsoft might use. The Windows Live logo is included because most Hotmail users will be familiar with it and the brand, so they will be more trusting of the text that follows. The image itself is actually a file hosted on the Microsoft servers and used by the company in other correspondence. It can easily be embedded anywhere, as you can see below:

The message talks about how the reader "must configure" their account which will encourage them to follow the instructions included, making them subconsciously scared of any bad consequences - such as having their account closed or deleted - if they do not. The text says there should be a code included in the email and, because it is not there, many readers of the message will think there is some problem that can be solved by clicking the link - which is the only other prominent thing in the email - so will be more likely to do so.

The text of the link is the URL of Windows Live Account, a genuine Microsoft website where you do actually configure your account. The URL even has parameters attached to make it look more legitimate: a standard mkt parameter used on many Windows Live URLs (which in this case is set to EN-EN, the English language being something that would apply to anyone reading the message as it is written in English) and a random alphanumeric string which looks like it would be a specific ID that applies only to the recipient of the message.

To make the message look even more real, it ends with a jovial sign-off and a standard copyright notice, referring to Microsoft to again draw on any trust that you might have in the brand.

As with the vast majority of phishing messages, actually clicking on the link in the email loads a different URL to the one that is written out. In this case it leads us to: [domain removed].com/

Compare this with the official login page for Windows Live Account:

At a quick glance they look very similar. Both contain the phrases login.srf, wsignin and aspx along with seemingly random strings of numbers. The thing to notice is that the official login page is on the login subdomain of whereas the URL that the email pointed to features many subdomains, meaning that the actual domain the page is hosted on is hidden in the middle of the address.

This is a problem that web browsers are trying to solve, with many including filters to warn you of when you are on a suspicious website. Internet Explorer 8 also introduced domain highlighting to make it a lot clearer which domain you are actually on.
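The "domain hidden in the middle of the address" trick described above can be checked mechanically. The following is an added example, not code from the original article: it works out which part of a hostname was actually registered (the rightmost labels), counts how many labels sit in front of it, and flags a URL whose registrable domain is not a trusted login domain even though the brand's name appears among its subdomains. The trusted domain `live.com`, the tiny suffix table and both sample URLs are assumptions constructed for this example; the article itself removed the real phishing domain.

```python
from urllib.parse import urlparse

# Assumption for this example: the registrable domain of the genuine
# Windows Live login host (the article elides the real domain).
TRUSTED_DOMAINS = {"live.com"}

# Tiny stand-in for the Public Suffix List; a production check should use the
# full list (for instance via the tldextract package).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Tokens the article notes appear in both the genuine and the bogus address;
# they are reported as context only, never as proof either way.
LOOKALIKE_TOKENS = ("login.srf", "wsignin", "aspx")

# Constructed sample URLs. The genuine one follows the login.srf/wsignin shape
# the article describes; the bogus one is a made-up .test host that buries
# "login.live.com" among its leading labels.
GENUINE_URL = "https://login.live.com/login.srf?wa=wsignin1.0&id=64855"
BOGUS_URL = ("http://login.live.com.wsignin.aspx.phishing-example.test"
             "/login.srf?wa=wsignin1.0&id=64855")


def registrable_domain(hostname):
    """Return the part of the hostname that was actually registered
    (the last two labels, or three for suffixes such as co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_login_url(url):
    """Classify a login URL by where its hostname really points."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    # Number of labels in front of the registered domain.
    depth = len(host.split(".")) - len(reg.split("."))
    # The brand's domain is present in the hostname but is not the domain
    # that was registered: the "hidden in the middle" trick.
    brand_in_subdomain = any(td in host and td != reg for td in TRUSTED_DOMAINS)
    tokens = [t for t in LOOKALIKE_TOKENS if t in url.lower()]
    reasons = []
    if reg not in TRUSTED_DOMAINS:
        reasons.append("registrable domain %s is not a trusted login domain" % reg)
    if brand_in_subdomain:
        reasons.append("trusted brand appears only as a subdomain label")
    if depth > 2:
        reasons.append("unusually deep hostname (%d subdomain labels)" % depth)
    return {
        "host": host,
        "registrable_domain": reg,
        "subdomain_depth": depth,
        "brand_in_subdomain": brand_in_subdomain,
        "lookalike_tokens": tokens,
        "verdict": "trusted" if not reasons else "suspicious",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for sample in (GENUINE_URL, BOGUS_URL):
        result = analyse_login_url(sample)
        print(result["verdict"], "->", result["registrable_domain"],
              "; ".join(result["reasons"]))
```

The point the check makes is the one browsers make with domain highlighting: only the rightmost labels of the hostname say who you are really talking to, and everything in front of them is under the attacker's control. The `lookalike_tokens` list is deliberately not used in the verdict, because those strings are present in the genuine address too.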

Looking at the contents of the bogus page shows that the layout is exactly the same as a slightly older version of the current standard Windows Live ID login screen. As in the email, the images shown are actually hosted on Microsoft servers. Because the page is so familiar, people will not think twice about entering their login details, just as they would on the genuine login screen. The difference here is that when you click the Sign in button, instead of logging you in as you expect, it actually submits your details to the phishers and then reloads the same page. Many will probably then just try again, which allows the phishers to confirm your details by checking that you typed your email address and password the same way each time.

After eventually giving up trying to log in on the fake website, many people would still be none the wiser that they had just handed over their email address and its associated password to fraudsters. Not only does this allow the fraudsters to read your emails or use your account to send spam, but - once in your inbox - they can harvest any personal details in your messages, such as your bank or PayPal account information, leaving you wide open to threats ranging from identity theft to credit card fraud.

If you are concerned that you may have been caught up in a phishing scam on your Hotmail or Windows Live account, take a look at the advice from Microsoft, or find out how to help protect yourself from these difficult-to-spot scams.
