Apr 06

Yesterday, April 5th 2009 at approximately 4:30pm (BST), several messages were sent from my HoTMaiL account to every single one of my MSN contacts. Luckily, this account is long-dormant – but unfortunately, Windows Live operates a shared list of contacts between Mail and Messenger (which I do still use, for my sins).

The message text was:

Great shopping for you!
i would like to introduce a good company who trades mainly in electornic products.
Now the company is under sales promotion,all the products are sold nearly at its cost.
They provide the best service to customers,they provide you with original products of
good quality,and what is more,the price is a surprising happiness to you!
It is realy a good chance for shopping.just grasp the opportunity,Now or never!

The URL that followed was from the following domain:

Domain Name: DTPLAZA.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: NS1.DNS.COM.CN
Name Server: NS2.DNS.COM.CN
Status: clientTransferProhibited
Updated Date: 28-mar-2009
Creation Date: 28-mar-2009
Expiration Date: 28-mar-2010

… which was only registered 8 days prior to this email being sent. It appears that many other people have been having similar issues for days, though:

5 people having been hit since 9th March;
3 people having been hit since 26th March;
24th February (same message with a different URL);
26th March (same message with a different URL).

Other occurrences in mailing-lists are here and here.

Worryingly, here is a spam blog post… did this user have the ability to create posts via email turned on, or is even more of the Live infrastructure compromised?

I believe that this must be a vulnerability within the Windows Live infrastructure: my mail account was unused, as I had not logged in to it for months. I do use MSN Messenger and did start Windows 7 over the weekend, which caused Live Mesh to update – both of which use the same login data. The password on the account was strong and not dictionary-based, and I haven’t used any public terminals or unsecured Wi-Fi connections recently – and probably not for Microsoft services for several years.

I can therefore only see three possibilities for the cause of this:

Some organisation has the capability to crack Windows Live passwords en masse
This is the most unlikely scenario, as the time needed to crack even a small number of weak dictionary-based passwords is enormous. Additionally, you’d hope that there would be rate-limiting mechanisms on login infrastructure to prevent an attacker spamming possible passwords at the maximum rate the network allows. Hopefully this rate-limiting isn’t source IP address based, as in today’s world of pervasive botnets, each individual machine need only send a small number of requests to cover large chunks of password dictionaries. I have checked such dictionaries for my password, though, and it isn’t listed.
MSN Messenger has a login vulnerability
If Messenger were vulnerable to a man-in-the-middle or replay attack, then an attacker would already have the login name (the user ID) and could potentially gain the account password. This would be a major hole in such a widely-used service, and would explain how my particular low-usage account could have been compromised. This option is troubling as it would give full access to all account data to an attacker. They could also change secret questions and follow linked accounts, probably trying the same password against these accounts. If this is the case, then the only solution until such a vulnerability is confirmed by Microsoft and fixed is to stop using the MSN Messenger protocol (as my work usage of MSN, the only significant use of this login information, is through the open-source Pidgin application).
The Windows Live infrastructure has a vulnerability
This is probably the most disturbing option, given the number of different ways in which Microsoft have tried to push what were originally HoTMaiL email account names as a form of universal ID. The silver lining is that the security model may not be blown open, and it may only be facets which can be accessed by an attacker. For example, an attacker may be able to view the contacts list and send email, but may be unable to view other details or change passwords. This view would be supported by the fact that none of the people reporting having had spam sent from their accounts has been locked out of Live Mail… surely, if you’d expended a lot of time or effort to crack a service that you then had full control over (as any of the above options would imply) then the first thing you’d do is change the password to lock out the owner whilst they work out how to get these details reset. Given that anyone inadvertently sending spam will likely find out about this situation from contacts fairly quickly, this doesn’t seem to disclose any additional information. At the same time, many users may be unsure as to what they are able to do to resolve the situation, and so the attack may simply rely on affected people doing nothing, whereas an account lock-out prompts action.
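The first option above notes that rate-limiting which is keyed on the source IP address is of little use against a botnet, because each machine only needs to send a handful of guesses. The following is an added illustration of that point (not code from Windows Live or any Microsoft service): a sliding-window failed-login throttle that can be keyed on either the source IP or the target account, run against a constructed, distributed guessing pattern. The bot addresses, limits and window lengths are all assumptions chosen for the demonstration.

```python
"""Login throttling keyed on the account rather than the source IP.

Added illustration for the post's first scenario; not code from Windows Live
or any Microsoft service. The attack traffic, IP addresses and policy limits
below are constructed for the demonstration.
"""
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window counter of failed logins, keyed by either the source IP
    or the target account, so the two policies can be compared directly."""

    def __init__(self, key_by, max_failures, window_seconds):
        assert key_by in ("ip", "account")
        self.key_by = key_by
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _key(self, account, ip):
        return ip if self.key_by == "ip" else account

    def allowed(self, account, ip, now):
        """True if an attempt from (account, ip) may proceed at time `now`."""
        q = self._failures[self._key(account, ip)]
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        return len(q) < self.max_failures

    def record_failure(self, account, ip, now):
        self._failures[self._key(account, ip)].append(now)


def simulate_distributed_guessing(throttle, account, bot_count, guesses_per_bot):
    """Botnet-style guessing: each bot sends only a few wrong passwords against
    one account, from its own address. Returns how many guesses actually reached
    the password check, i.e. were not stopped by the throttle."""
    reached = 0
    t = 0.0
    for bot in range(bot_count):
        ip = f"198.51.100.{bot}"  # constructed addresses from the TEST-NET-2 range
        for _ in range(guesses_per_bot):
            t += 0.5  # half a second between attempts; well inside the window
            if throttle.allowed(account, ip, t):
                reached += 1
                throttle.record_failure(account, ip, t)  # every guess is wrong
    return reached


if __name__ == "__main__":
    victim = "victim@example.com"  # constructed
    per_ip = simulate_distributed_guessing(LoginThrottle("ip", 5, 600), victim, 50, 3)
    per_account = simulate_distributed_guessing(LoginThrottle("account", 10, 600), victim, 50, 3)
    print(f"per-IP limit of 5:      {per_ip} of 150 guesses reached the password check")
    print(f"per-account limit of 10: {per_account} of 150 guesses reached the password check")
```

With 50 bots sending 3 guesses each, a per-IP limit of 5 never triggers and all 150 guesses are checked, whereas a per-account limit stops the run after 10. The trade-off is that a hard per-account lockout hands an attacker a way to lock legitimate users out by deliberately failing logins, which is why real deployments tend to combine per-account counting with progressive delays or step-up challenges rather than an outright block.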

My hunch is that the situation is described by the third option above: Other than Messenger, I make no use of other Windows Live services and haven’t for months – this suggests an attack against the Live infrastructure directly. The only question is then of what level of access an attacker gains: can they read the existing password? If not, then there will be a lot of spam going around until Microsoft fix the problem. If so, then all Microsoft IDs and all data associated with them are compromised, and these accounts should be closed immediately.

What needs to happen is for Microsoft to go public about this problem, how wide-spread it is, what information is compromised, and what they are doing about it. Until then, all Microsoft services should be approached with utmost caution.

20 Responses to “Wide-spread exploitation of security hole in Windows Live Mail”

  1. Stuart Says:

    Unfortunately, it looks as if this is the most I’m going to get in terms of resolution:

    Thank you for writing to Windows Live Technical Support. My name is Faye and I understand that you want to know how can a third party access your account. I apologize for the inconvenience this may have caused you.

    I could not confirm whether an unauthorized individual accessed your account or provide you any information about who may have done so, as all Windows Live Hotmail member information is confidential. I can only release it to law enforcement officials when served with a subpoena or criminal search warrant, in compliance with the Electronic Communications Privacy Act (ECPA).

  2. Patrick Says:

    this same thing happened to me! any idea on how to fix it???

  3. Stuart Says:

    Microsoft seem to be intent on making no form of admission that there’s any sort of problem – and if they don’t tell people how the problem has occurred, there’s no way for anyone to protect against it.

    All I can suggest is to migrate to a different email and IM provider… not necessarily immensely practical, but with Microsoft unresponsive it’s the only way to be safe.

  4. Susan Says:

    This also happened to me 3 days ago. I still use my hotmail account twice a week or so, but don’t use messenger or IM.

    Thanks for your info/blog on this.

  5. Stuart Says:

    Interesting… that would seem to rule out the second option above. And for my part, I only use Messenger.

    Since cracking this number of passwords around the same time seems highly improbable, this would strongly suggest that there is some vulnerability in the Windows Live infrastructure which either allows access to accounts bypassing the login mechanism, or allows access to account passwords.

    The most worrying aspect is whether the attacker can then view all account information, passwords, mail, etc. – or whether they’re limited to address-book access and sending messages only?

  6. Susan Says:

    It’s happened again. A poorly phrased sales pitch for electronic goods from a complete cretin has been sent on my behalf to all my hotmail contacts. I have advised Hotmail, but feel concerned about the regularity of this issue. Have you encountered anything similar since?

  7. Stuart Says:

    Hi Susan,

    I share your pain on this one – all attempts to get any sort of answer from the Windows Live support service have been met with silence or a stock reply.

    Did you change your password when your account was compromised the first time? Did you choose a strong replacement?

    If so, then the fact that the system has been compromised again so quickly would suggest to me that it isn’t that passwords are being cracked, but that there is some form of vulnerability whereby accounts can be accessed without a password, or whereby passwords can be discovered by a third-party.

    Until Microsoft acknowledges the problem, there’s little can be done save for closing the Windows Live Mail account itself, and moving to a different provider.

  8. Mark Doyle Says:

    Hi Stuart,

    A bit of interesting news for you. The same thing happened to me and Microsoft are stonewalling the issue. Their terms and conditions come under the TRUSTe European Safe Harbour agreement and they belong to the scheme. Microsoft also subscribe to the Data Protection Act in the UK. I am a UK citizen and I am registered with Microsoft in the UK. Microsoft’s terms and conditions point out that they may share your information with other Microsoft subsidiaries and affiliates outside your country. That means that the information is accessible from any point in the world by any one of their subsidiaries, as the material has been passed through them through the network. Important issue: the laws of the country in which you are registered apply and you should seek that route. Microsoft are discriminating against non-US citizens and cannot be allowed to do so. I have made an official complaint with the ICO in the UK and TRUSTe stating that they are in breach of the privacy agreement and in my case UK law prevails over US law. The ECPA is a get-out clause for covering their backsides and I am willing to take it all the way. My account was accessed and all I wanted to know was what was viewed and downloaded from the IP in China and how the account was accessed. Guess what, they asked me to send an email with personal information on it.. There is a serious problem and the proverbial is about to hit the fan. I have a few more days to go before the legal deadline runs out. Keep watching.

    Oh and I had Ad-Aware, Spybot and AVG running when it happened, no dodgy sites, cookies or emails were received. Microsoft are running scared and want to make a federal case out of it.

    Later

    MD

  9. Mark Doyle Says:

    P.S.

    Pass this on to as many people as possible. Microsoft needs to learn that being an international company means international laws apply, not just the US laws, but laws in every country in which they or their agents operate. If you have a problem with data and Microsoft, make the demand through the local office in your country of residence or citizenship; once this has been done, the laws of data pertaining to that country apply regardless of what Microsoft say. Good Luck

  10. Mark Doyle Says:

    Hi Stuart

    Got hit by trojan email this morning with a link to a company in China. IP address was in Westfield, New Jersey. Antivirus alerted the problem in Live Mail but I could not delete it. Problem, I managed to delete it via the site, but no warnings or flags. I forwarded it to Microsoft for them to examine with all the source code but it freaked out Live Mail again when it synced, and I had to delete it from my on-site sent box. I shall be monitoring my account once more and this looks like another vulnerability incident that needs to be resolved

    Later

    MD

  11. Mark Doyle Says:

    Hi Stuart

    Microsoft are backing down and are entertaining my request for the moment. I received an eleventh hour telephone call from a UK escalation specialist from the response management team, they have asked for a little more time and I have given them an initial 48hrs in agreement with the ICO in which they must give a realistic time for the delivery of information. So let’s see what happens next.

    Later

    Mark

  12. Stuart Says:

    Wow, great job in actually getting a response out of them Mark – keep us updated!

  13. Mark Doyle Says:

    Hi Stuart,

    Just had a conversation with the UK specialist, their legal department has the matter in hand but has failed to respond. They have been given until the end of today to respond with a time period or issue a notice for the decline of request. If they do not respond with a time period or decline the request, the pursuance of the complaint will be made on Monday’s start of business. I have a contingency plan running along side, but those details will be held back for the time being as it is always best to keep a few cards up your sleeve.

    Regards

    Mark

  14. Mark Doyle Says:

    Hi Stuart

    Microsoft UK legal has not responded, I am proceeding with the complaint with the ICO, what they will now realise is that I don’t bluff and will sink my teeth in and won’t let go. I have given Microsoft UK 40 days to supply every bit of information they hold on me under the data protection act on top of my original hotmail request.

    Regards

    Mark

  15. Mark Doyle Says:

    Hi Stuart

    If anyone has been a victim of their hotmail account being compromised, make the complaint initially through the website and as soon as you get a response send the following message in reply and most important of all include the following email address. csfeed@microsoft.com (contact from hotmail support), I (your name) request that you disclose the following information relating to myself under the data protection act 1998 and under the act you have 40 calendar days in which to comply. If you require any further verification of my identity I will do so by post to the UK offices only, however it does not give reason for not compiling the information requested.

    Sincerely

    If they come back with the ECPA tell them it does not apply as you are a UK resident and that request is discriminatory further more you will not extend the deadline and give the date.

    Regards

    Mark

  16. Mark Doyle Says:

    Good News everyone

    I have spoken to Microsoft once more and they are compiling my data. They want to continue discussions regarding procedures for complaints handling for UK Hotmail customers and realise there is a gap in customer service procedures in this respect and dealing with data protection requests. Proof is in the pudding, we shall wait and see

    Regards

    Mark

  17. Stuart Says:

    Phishing attack targets Hotmail [BBC News]

    Hmm… “phishing attack”, eh?

    More here – although I suspect the latter really is from phishing.

    There’s a problem here – publishing the list (account names only, obviously) allows affected users to discover that they’re compromised, but also gives a list of valid accounts to ne’er-do-wells. Immediately taking the list down, though, doesn’t allow people to check whether they’re affected – and I’ll bet that most people won’t bother to change their passwords if there’s not a proven need.

    Perhaps what’s needed is a two-password system and allowed IP list. If you’re connecting from a previously-allowed IP address, then either cookies are used to automatically log in or the primary password is accepted. However, if the connecting IP address isn’t pre-vetted (or even is outside of the home county/state/country/continent using geo-IP services) then auto-login with cookies is disallowed, and the secondary password has to be entered after the primary password is authenticated. Users could even have the option to disallow connections from non-vetted IP addresses until confirmed with a second factor… perhaps SMS confirmation, a smart-card, or a RSA-type token.

    So long as the service doesn’t already leak like a sieve (and yes, I’m looking at Microsoft here) then this dual-authorisation system should give significant additional protection.

    Just think of the economies of scale possible with a user-base the size of Microsoft’s or Google’s – either could offer a subsidised token to customers for little or no cost. There’s lots of issues around logistics and handling lost/replacement hardware – but, especially for Google with its Checkout service, the ability to roll out two-factor authentication universally would have to be a huge advantage over competitors such as Paypal.
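The scheme sketched in comment 17 (a vetted-IP list, geo-IP as a second signal, a secondary password for unvetted connections and an optional out-of-band factor) is easy to state as a policy function. Below is an added illustration of that decision logic written for this page; it is not code from Microsoft, Google or any other provider. The geo-IP table, the account records, the address ranges (all from the TEST-NET blocks) and the step names are constructed assumptions.

```python
"""Risk-based login decision in the spirit of comment 17.

Added illustration, not any provider's code. The geo-IP table, account
records and IP addresses below are constructed for the demonstration.
"""
import ipaddress

# Constructed stand-in for a geo-IP service: network -> ISO country code.
GEOIP_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "CN",
}

# Constructed account records: home country, previously vetted addresses,
# and whether the user opted in to a second factor for unvetted addresses.
ACCOUNTS = {
    "alice@example.com": {
        "home_country": "GB",
        "trusted_ips": {"192.0.2.10"},
        "second_factor_for_unvetted": True,
    },
    "bob@example.com": {
        "home_country": "US",
        "trusted_ips": {"198.51.100.7"},
        "second_factor_for_unvetted": False,
    },
}


def country_of(ip):
    """Longest-prefix lookup in the constructed geo-IP table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEOIP_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cc)
    return best[1] if best else None


def is_vetted(account, ip):
    """An address is vetted only if it was previously approved AND still
    geolocates to the account's home country (the comment's broader test)."""
    rec = ACCOUNTS[account]
    return ip in rec["trusted_ips"] and country_of(ip) == rec["home_country"]


def login_requirements(account, source_ip, has_device_cookie):
    """Return the ordered steps this login must pass.

    'cookie'          a remembered-device cookie may log the user in directly
    'password'        the primary password
    'second_password' the secondary password, demanded only from unvetted sources
    'second_factor'   an out-of-band confirmation (SMS, smart-card, token)
    """
    if is_vetted(account, source_ip):
        return ("cookie",) if has_device_cookie else ("password",)
    # Unvetted source: cookies are ignored and both secrets are required.
    steps = ["password", "second_password"]
    if ACCOUNTS[account]["second_factor_for_unvetted"]:
        steps.append("second_factor")
    return tuple(steps)


def vet_ip(account, ip):
    """Called after every required step succeeded from a new address, so the
    next login from it is treated as vetted."""
    ACCOUNTS[account]["trusted_ips"].add(ip)


if __name__ == "__main__":
    print(login_requirements("alice@example.com", "192.0.2.10", True))
    print(login_requirements("alice@example.com", "203.0.113.5", True))
    print(login_requirements("bob@example.com", "203.0.113.5", False))
```

Note that the unvetted branch ignores the device cookie entirely, which is the point of the scheme: a stolen session cookie or a leaked primary password is not sufficient from an address the account has never been used from. Geo-IP is treated as a coarse signal only; it cannot distinguish an attacker in the user's own country, which is why the vetted-IP list and not the country is the primary gate.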

  18. Hotmailers Hawking Hoax Hunan Half-Offs | JetLib News Says:

    [...] to emulate, so that’s not consistent with the observed evidence so far.) I also found this post from blogger Stuart Shelton describing how his account was hacked by Chinese spammers — and [...]

  19. Rora Says:

    I’m a tech consultant (architect/dev/analyst), and I’m fairly certain I’d have spotted phishing in an instant. I haven’t had any instances of malware/spyware/virus/worm in over five years now. I rarely use my hotmail account. I might log onto it once every few months and only because it’s linked to an account or two I occasionally use. I don’t use MSN Messenger. Last time I checked it, I found that a friend emailed me asking if I was advertising electronics. I checked my sent items and, sure enough, there were spam messages to my contacts and then some. I didn’t think to check my autoreply until I read a Slashdot article. It started not that long ago.

    I think you’re right. They didn’t get it through a keylogger or phishing scam. My password is not dictionary-based and I used numbers and mixed case. That tells me they have a rather sneaky method, whatever it is. I’m inclined to think it’s within Windows Live.

    That it’s still occurring tells me just how much Microsoft cares about it.

  20. Stuart Says:

    Microsoft patches major Hotmail 0-day flaw … ’nuff said.
