Become a Nerd Own A Region


Windows LIVE email and password theft

In light of reduced SPAM as of late, I was somewhat surprised to see phishing and theft attempts as sophisticated as this come through to my inboxes today – at least one in each of my different email addresses, but all came from email accounts of friends on Facebook. I searched the major anti-virus and malware vendors as well as google and twitter and nothing turned up, so maybe I’m just one of the first to be hit. Here’s a message I received, and a similar one in each of my mailboxes:

A few other variations are as follows:
SUBJECT: Very good
BODY: Click here to read this message
SUBJECT: wooow
BODY: click here to see the attached video
In each case the “click here…” text is hyperlinked to somethingrandom.l13.me, and the URL also contains your own email address, i.e. that of the recipient.
It appears the originator of this spam/phishing attack at the very least is validating email addresses of people opening the message.
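The two tell-tale signs described above (generic “click here” lure text pointing at a domain that is not the provider’s, and the recipient’s own address embedded in the link so that a click confirms a live mailbox) can be checked mechanically before a user ever sees the message. The following is an added example written for this article, not code from the original post: a small Python mail-filter routine that parses the HTML body of a message, collects every anchor, and flags the ones matching that pattern. The sample HTML, the recipient address and the host names are constructed for the example; the trusted-domain list is an assumption you would replace with your own. The href is stripped of surrounding whitespace because, as one commenter notes below, some copies of this message carried padded href values that still resolve in most clients.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample HTML body (not the original message). It mimics the
# pattern described in the article: a generic "click here" anchor whose href
# carries the recipient's address in the path, plus one legitimate link.
SAMPLE_HTML = """<html><body>
<a href="  http://somethingrandom.l13.me/victim%40example.org/ViewMsg  ">
Click here to see the attached video</a>
<p>Sign in at <a href="https://login.live.com/">Windows Live</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host; a crude stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_links(html, recipient, trusted_domains=("live.com", "hotmail.com")):
    """Return one finding per anchor, listing the reasons it looks like a lure.

    trusted_domains is an assumed allow-list of the provider's own domains.
    """
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        url = href.strip()  # padded hrefs still resolve in most clients
        host = urlsplit(url).hostname or ""
        flags = []
        if recipient.lower() in unquote(url).lower():
            flags.append("recipient_in_url")    # personalised link: a click confirms a live address
        if re.search(r"\bclick here\b", text, re.I):
            flags.append("generic_click_here")  # lure text says nothing about the destination
        if registrable_domain(host) not in trusted_domains:
            flags.append("untrusted_domain")    # not the provider the message claims to come from
        findings.append({"url": url, "host": host, "text": text, "flags": flags})
    return findings


def suspicious_links(html, recipient):
    """Anchors worth quarantining: personalised, or generic lure text to an untrusted host."""
    return [
        f for f in analyze_links(html, recipient)
        if "recipient_in_url" in f["flags"]
        or {"generic_click_here", "untrusted_domain"} <= set(f["flags"])
    ]


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_HTML, "victim@example.org"):
        print(finding["host"], finding["flags"])
```

Run against the constructed sample, the l13.me anchor is flagged on all three counts while the login.live.com link passes clean; in a real filter the finding list is what you would log, and the recipient-in-URL flag alone is enough to quarantine, since legitimate notification mail has no need to put the reader’s address in a link path.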
I also tried checking Google’s SafeBrowsing service at this URL:
http://www.google.com/safebrowsing/diagnostic?site=l13.me
At the time of this writing, here is the result showing that it has not detected any malware on this site. I suspect this will change overnight:

In case some great SPAM researchers come across this article, here is the full RAW source (except my email address has been replaced with [email protected]):
Part 1 of 2:

Part 2 of 2:

If you choose to click on the URL in the email itself, that’s when the spammer’s phishing attack begins: it will prompt you for your Windows Live username & password. Note that the site is NOT live.com, however, which means you’re giving your username and password directly to the thief:

As you might expect, the domain itself (l13.me) was only registered a week ago, and has its real ownership disguised:

The same domain ownership disguise applies to videos4you.net where the phishing is actually hosted.
And finally, when I check to see where all the “click here to view this message” links are being served from (somethingsomewhere.l13.me), they point to IP address 69.64.54.99, which is registered to Hosting Solutions International:

Naturally, I have advised the abuse email address of this clearly malicious intent and hope to have a quick response. I have no doubt about how quickly the attacker can direct web traffic to a new host, or start generating spam with a newly-created domain elsewhere. The cat-and-mouse games just continue…
I just hope this anatomy of a particular SPAM message helps somebody somewhere avoid these types of traps, and perhaps we can all find a solution to cleaner and more productive email.
UPDATE #1:
IF you’re a victim, here is Microsoft’s article on what to do:
http://www.microsoft.com/security/online-privacy/phishing-scams.aspx#Victim

Comments

  1. David says:

    Thanks, you seem to have caught this early. In fact you seem to have the only analysis. This is a very thorough description and I have only one question (below).
    A family member got hit with this at work and I was trying to diagnose what happened. However, most of my links were sanitized before I could find out.
    Did you find out what is the delivery mechanism on the videos site? Active-X, JavaScript, Java, an exe file, something else? ( A friend indicated they’d received an infected zip file but I haven’t been able to confirm yet).
    Google still lists the site as safe. 🙁

  2. David says:

    As followup, (1) the person infected was in hotmail and reported no password was asked for. So in that case it may just spread directly. (2) Another recipient reported it was an infected zip and flk something or something flk. I know these aren’t 100% but there they are.
    I’d love to hear any followup on this.

  3. David says:

    I followed the links manually using some safe tools in a sandbox. After a bit of hopping around the delivery seems to pull in javascript from a couple of sites. I didn’t dive in deep enough to confirm what they do with the credentials when they get them but I suspect one of the named javascript procedures it pulled in does the job.

  4. You’re right David. The in-depth analysis I did was only on the first and last domain it hit. l13.me is right in the HTML email, and ultimately it lands on videos4you.net but it wouldn’t surprise me if there are domains in between that perform various functions.
    I was hoping this would be a jumping-off point for some researchers who would have honeypots and find all the variants.
    Thanks for your comments and feedback.

  5. Ulysses says:

    Mac OS X Mail caught two separate e-mails and sent them straight to my Junk Folder.
    These are the hidden URLs – I have replaced my e-mail with [email protected] and the initial :// is now COLONSLASHSLASH …
    x-msgCOLONSLASHSLASH22/c1mc5yof81g3fg.l13.me/[email protected]/lu3raszcxwdgeh9bc48keo_ViewMsg
    x-msgCOLONSLASHSLASH20/smupqavh36exw2.l14.me/[email protected]/6o1je9fshwup1djfbfemly_ViewMsg
    Thanks for the info about these suspicious e-mails 🙂 why don’t McAfee and Symantec pick up on these things sooner? A Google search for “Click here to see the attached video” brought me here.

  6. Thanks for your comment, Ulysses, I suspected that by today the virus vendors should all be picking up on this phishing attempt. We’re not AV research experts, but it is apparent that the cat-and-mouse game just continues to evolve all the time, and systematic approaches don’t work for new techniques. The approach actually needs to be updated. This is where there certainly is room for improvement on the AV companies’ behalf, that’s for sure.

  7. Peter says:

    I got two of the same mails today. This was the only place I found some analysis.
    Any updates?

  8. Hi Peter – I just checked the domains again on Google SafeBrowsing diagnostic and they are still not blacklisted. Keep in mind that these types of phishing attacks are sophisticated. If all they contain is javascript re-direct code, then in and of itself they are not malicious, so Google may not list them.
    Unfortunately I see no other update on this from any vendors.

  9. Agnes R says:

    Hi
    Also from Ontario!
    This one is very sophisticated – the subject and message may change even in the same outbound emails.
    I have had one from a friend to my work email that said:
    Subject: very good
    Content: Click here to see the attached video
    and one from the same friend to my Yahoo account at the same time that said:
    Subject: check this
    Content: Click here to see the attached photos
    I work in a public library and this is the third person I know of that got caught.
    This site is still the only documentation of this phish attack. Good work!

  10. Thank you for your comment, Agnes. It sure is amazing that this continues; even weeks into its lifecycle we are still seeing this daily and av/anti-phishing software isn’t catching it.

  11. Sarah R says:

    Thanks for this information and your diligence in tracing through how the phishing operation works. I received this message (twice, with different variants, to two of my addresses) yesterday from a contact from a couple of years ago. This immediately made me suspicious. I contacted them and warned them of the apparent attack and I have now been able to find some information to describe it, thanks to you. I use AVAST which still knows nothing, as far as I am aware.

  12. It really is amazing that it continues its momentum. Thanks for your comment, Sarah.

  13. Blake S says:

    Another person in Ontario reporting this – my mom opened an email from someone she knows (in Ontario) who must have also been phished, and called me to say not to open any e-mails from her – sure enough I have a “wooow! click here to see the attached video” mail sitting in my inbox.

  14. Sounds like your mom is aware, and the steps to recover would be next – just check the microsoft URL I posted to the article, but the most important take-away is to change online passwords.

  15. Greg L says:

    I was hit by this today, thanks for the research. I changed my Windows Live ID password but I want to know if the hacker could be logged on and remain logged on after the password change, and if there was a way to force logout of all connections using my account. I know it is not directly related but others who have been attacked and end up here may want to know the answer too, or be assured that it is not a concern.

  16. George says:

    Just got this same variant through MSN hotmail except the subject line was “see this” and in the body was a “Click here to read this message” hyperlinked. I clicked and I was directed to ww57.worldwidevideos.net and a dark background with an authentic looking windows live sign in box. Suspicious, I didn’t enter any info and deleted the email and closed the email and cleared my cache. Question is did I get infected even though I didn’t give my windows live username/password?

  17. Hi Greg – that is a very good question. I tried accessing my live account from Computer A and then changed the password on Computer B. The session on Computer A continued to be active and did not restrict my access in any way. Therefore, if someone is keeping your session active, theoretically the account continues to be accessible. However, they cannot re-login nor change the password because you need the existing password to change it.

  18. Hi George, it sounds like you landed on the same phishing network that I did when I originally wrote this post. I did not see any other malicious scripts running at that time, so provided their intent is still the same, which is just to get you to provide your real username & password to them, then you are likely safe because you stopped before that point. However, it wouldn’t hurt to change your password anyway.

  19. George says:

    Thanks for the response and thanks for the post David. Seems like you’re the only one with a writeup on this. I will change the password just to be safe. I ran a malwarebytes scan that came up empty. Probably nothing on it since this looks fairly new.

  20. Ted says:

    Just got one of those mails from a distant relative of mine. I saw no reason why she would send me a video with no further explanation so I immediately got suspicious. When hovering my mouse over the link, the url doesn’t show at all like it normally does. (hiding something, eh?)
    Asking for properties on the link gives me a yard long url that could point anywhere…
    How can I find out where it goes without actually clicking it?

  21. Hi Ted – generally speaking, you can look at what’s called the Raw Source of the email. This varies from one email program to another. In Outlook for Windows, it’s available under View -> Options. In Mac Mail, you can choose View -> Message -> Raw Source.

  22. Anders Sweden says:

    This attack is currently spreading throughout Sweden. 🙁
    My question is if a person that has clicked the link and has sent the virus to everyone in its contact list has something to fear regarding the content in its computer?
    The person has run a full virus check using Symantec Endpoint Protection 11 and it found no infected files.
    Is there another way to search the computer for this virus?
    What is the intent for it? Is it only to collect usernames and passwords?

  23. Hi Anders – I’m actually surprised it took this long. This particular attack does not infect the computer itself. It is designed to steal real account usernames and passwords. Once that is achieved, then it is unclear what else the thieves do with those accounts. Theoretically they can be used to spam others, or, in *spear* phishing they may attempt to further utilize those accounts to gain access to other sensitive access such as social networking or even banking sites.

  24. Anders Sweden says:

    So the attack only works once? When the receiver clicks the link? Or can it send another burst of infected e-mails using the contact list again?
    The general advice is of course never to click on links in e-mails that look suspicious.

  25. Jeremy L says:

    I had this hit me on 10th December, and it’s happened again today, 17th December.
    First time, it sent something to everyone in my Hotmail contacts list, and I was alerted by a load of bounce messages coming back.
    This time, it worked through the As and part-way through the Bs before stopping. I’m hoping that means Hotmail have got wise to it and stopped it when they saw what was happening.
    The full list of subject lines I’ve got for these things is:
    incredible
    hey
    wooow!
    check this
    very good
    see this
    amazing!
    First time round, AVG turned up nothing, and I assumed (incorrectly) that I didn’t need to change my password. This time round, I’ve changed my password and I’m going to do another AVG check.
    It does worry me that this appears to be the only website reporting this problem - and this place apparently only comes up top on Google in response to a search for:
    “check this” “very good” wooow
    What’s the best way to make this more widely known?

  26. Thank you Jeremy for letting us know about the additional subject variants of this specific attack. Good question about how to get this better spread. We have included it in newsletters of our own, but proactive education I think would be key everywhere. Anyone who has a newsletter or blog audience should warn users about this. Thanks for asking.

  27. Guru says:

    Well, I became a victim of this scam and entered my password (I am normally very careful about passwords but I let my guard down as it was a long lost friend purportedly sending me photos). After realizing this was a scam, I quickly changed my password. Of course, it went through my contacts and has emailed all of them with the variation in subject mentioned above. I have contacted all of them and warned them about the scam. My question is whether I need to take further precautions. Thanks in advance.

  28. Brian says:

    I got caught out on this and received the WOOW mail from a friend who uses hotmail advising me to click on the link. I did and was asked for Windows Live mail/password. As I thought it was a trusted source I gave my details – even though I don’t use hotmail/live as my primary email addresses. Almost immediately I realised (followed up by another email from my friend telling me not to open it!) I have now changed my Live password within minutes so I am hoping that I have caught it in time.

  29. Richard says:

    Hi, friends have received something like this and have sent it to us. The message does not contain a link (not underlined) so we didn’t get taken anywhere. Does this mean we are safe? We have changed our password, but no-one has said they have received it, so we haven’t mailed everyone yet. Thanks.

  30. Hi Richard – good to hear yours is not underlined. I have seen some enterprise/ISP email scanning services remove all hyperlinks as an extra precaution. It’s possible that’s what happened to yours.

  31. Randy says:

    I received this today on my Hotmail account and stupidly entered my password on the “Live Mail” prompt after clicking the “see attached photos” link. When I realized it was a phishing attack, I immediately changed my Hotmail password and logged off. I cleared my cache, logged back into Hotmail and discovered it had sent itself to everyone in my contact list. (fortunately, most were obsolete since I rarely use Hotmail anymore). I deleted all my contacts, added a bogus contact and clicked on the link again. It didn’t give me the “Live Mail” prompt again and it didn’t send anything out. When I click on the link, it goes to “ww100.ivideosfun.net/track_en.php”, then to “lm4.me” and finally to event.rewardforwork.com/entrance.aspx. The “ww100” changes to “ww29”, “ww75”, etc. on subsequent clicks. Microsoft Essentials and Malwarebytes didn’t find anything but who knows what this thing may’ve installed on my computer. I wish the AV vendors would research this and provide a remedy.

  32. No kidding, Randy, very frustrating, isn’t it!

  33. S., Another Swede says:

    Thanks for such a thorough report, and for replying so friendly to all the comments. I found this site by googling “Click here to see the video”. It’s strange that this is the only site investigating this worm. Are there no “official” reports on it? Attempts to shut down the spam network?
    I received this message on a Swedish email list I’m on, on December 21. The victim later wrote to warn us against opening it, and said she’d only opened it before it automatically infected her email. (Of course, it’s possible she was lured to enter her password, but she didn’t say.) I’ll make sure to write her back and ask her to change her password.
    I’ve posted the raw email on pastebin:
    http://pastebin.com/dXjWUzsd
    This email was marked as “SPAM” by our email list, as you can see. I’ve changed my email address, the victim’s name and address, and our email list’s address (to [email protected]d.com), but besides that, nothing.
    Thanks, and good luck!

  34. Andy says:

    Hi, I am in the same boat as everyone who has let their guard down. I have changed my password and now I am panicking!! What do I do next? Someone advise please,
    Andy

  35. Guru says:

    A day or so after this attack, Malwarebytes picked up a JavaScript Trojan where it had never done so previously. Not sure whether it is related, but I am going to do a clean install of my OS just to be on the safe side.

  36. Guru says:

    A little more info. One of my contacts is obsolete. I have received a “Delivery Status Notification (Failure)” of this spam mail to this contact for the second time, which leads me to believe that the worm has set up some kind of script on my machine to automatically spam the contacts list repeatedly. The names of the attached files in this email are ATT00001 and wooow!.eml.

  37. Brian says:

    Anyone who has received this and inadvertently clicked on it to enter their live/hotmail details etc, check your ‘Sent’ box. I changed my password within minutes but in that time it had already sent out emails to all people in my address book. Fortunately for me there were only 3 people in my address book who I could inform. Since changing my password I look to be (hopefully) clear.

  38. Hi Andy, it’s a good idea to read Microsoft’s link (Update#1) above for future protection, but for now, changing your password is all you needed to do.

  39. John says:

    My wife in the UK just got it from a friend in the USA – quite why Hotmail have not got on to this and intercepted the emails is an open question

  40. Peter Duquette, Rhode Island says:

    I too got caught a few days ago. I realized it pretty quickly and changed my password. I got caught with the Hotmail prompt. It was sent to everyone on a long email list. I sent out a warning to all. I have had some email recovery problems that I believe are resolved but the computer is still a little glitchy. 2 people on my email have contacted me saying they have had major shutdowns from it. MS security scan found JavaScript Trojan but a scan on an uninfected computer found the same so I’m skeptical that is the problem. This seems to be very nasty. As others have commented this bug only seems to be discussed on this site. Hoping for any suggestions to make sure it’s cleared out.

  41. Bill in Toronto, Canada says:

    David, thanks for the information.
    I was sent this same scam Dec. 19, 2011,
    but I did not click the link.
    The variant that I got was
    randomLettersAndNumbers.lm4.me/[email protected]/moreRandomLettersAndNumbers_ViewMsg
    I see that the lm4.me site was created mid Dec., 2011.

  42. Bernie says:

    Just found what appears to be the same phishing email reported here.
    Subject: Incredible
    It purported to be from a Canadian friend.
    Mousing over “Click here to see attached video” revealed the following link (slightly sanitised by me below):
    httpCOLON_DBLSLASH_REPLACEDxkiiis6ay3ly9c.xm1.me/[email protected]/habw75yo6x6hcuefgb5gna_ViewMsg
    Initial click brought up a fake Hotmail Live login pre-populated with my old hotmail account name… just wanted my password 😉
    Subsequent clicks in new browser instead produced a “Congratulatione you are a winner! Click here” box..
    “view_source” in IE8 brought up an “unexpected exception” alert box
    I didn’t want to mess with it any more and just emailed a screenshot & warning to my Canadian friend.
    This site is the only one I’ve found so far with any sensible content regarding this particular phishing scam.
    cheers, Bernie

  43. ClearStream says:

    It’s in Australia now. I’ve reported it to ACMA and scamwatch. But this is still the only site I can find that discusses it! I hope all the anti-virus staff are having nice Christmas holidays.
    I’m still keen to know if anyone has had problems without clicking the link. Thank you for being there while everyone else is on holidays!!

  44. Chris,UK says:

    David, I am also in the same boat as everyone else having tried to open the link, as I received the e-mail from a close friend, who regularly sends photos. I have changed my Hotmail password and deleted my entire contact list.
    However,do you know if my PC will have been infected?
    I have run a McAfee virus scan and all seems ok.
    I am a little anxious about using on-line banking etc. Any advice would be much appreciated
    Thanks
    regards
    Chris, Leicestershire,UK

  45. oriste says:

    And round and round it goes. I just got that same mail with subject “see this” from a friend at hotmail. I use a Mac and my own mail server, I don’t have a Windows Live account. Anyway, I was suspicious and — before clicking — found this article as the first hit for “Click here to see the attached video” in Google. Well done.
    Below is the source. Please delete or edit at your own discretion.
    Return-Path:
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from blu0-omc1-s25.blu0.hotmail.com (blu0-omc1-s25.blu0.hotmail.com [65.55.116.36])
    by mail.domain.tld (Postfix) with ESMTP id 1AE9DB2532
    for ; Wed, 28 Dec 2011 16:49:28 +0000 (GMT)
    Received: from BLU0-SMTP108 ([65.55.116.7]) by blu0-omc1-s25.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
    Wed, 28 Dec 2011 08:49:28 -0800
    X-Originating-IP: [190.188.59.140]
    X-Originating-Email: [[email protected]]
    Message-ID:
    Received: from [192.168.1.1] ([190.188.59.140]) by BLU0-SMTP108.phx.gbl over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
    Wed, 28 Dec 2011 08:49:27 -0800
    From: One Friend
    Subject: see this
    Date: Wed, 28 Dec 2011 13:48:58 +0000
    To: [email protected]
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="————8502a03d7e43b7b8c99cf2e9"
    X-OriginalArrivalTime: 28 Dec 2011 16:49:27.0494 (UTC) FILETIME=[A95EA660:01CCC580]
    ————–8502a03d7e43b7b8c99cf2e9
    Content-Type: text/plain; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit


    Click here to see the attached video

    ————–8502a03d7e43b7b8c99cf2e9
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit


    Click here to see the attached video

    ————–8502a03d7e43b7b8c99cf2e9–
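The headers posted above show what a recipient can actually learn from a copy of this message: the provider’s own relays, and in X-Originating-IP and the earliest Received line, the public address of the client that submitted the mail (which is what a later commenter used to place one sample in Argentina). The following is an added example written for this page, not the commenter’s or the blog’s code: a Python triage routine that parses a raw message with the standard library, walks the Received chain oldest-first, and checks whether X-Originating-IP agrees with the public address recorded at the submission hop. The embedded message is constructed from the headers posted above with placeholder addresses; the IPs are the ones that appear there.

```python
import email
import ipaddress
import re

# Constructed raw message modelled on the headers posted in the comment above.
# Addresses and the receiving host are placeholders; the IPs are from the post.
RAW_MESSAGE = """Received: from blu0-omc1-s25.blu0.hotmail.com (blu0-omc1-s25.blu0.hotmail.com [65.55.116.36])
 by mail.domain.tld (Postfix) with ESMTP id 1AE9DB2532
 for <victim@example.org>; Wed, 28 Dec 2011 16:49:28 +0000 (GMT)
Received: from BLU0-SMTP108 ([65.55.116.7]) by blu0-omc1-s25.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
 Wed, 28 Dec 2011 08:49:28 -0800
X-Originating-IP: [190.188.59.140]
X-Originating-Email: [friend@hotmail.example]
Received: from [192.168.1.1] ([190.188.59.140]) by BLU0-SMTP108.phx.gbl over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
 Wed, 28 Dec 2011 08:49:27 -0800
From: One Friend <friend@hotmail.example>
Subject: see this
Date: Wed, 28 Dec 2011 13:48:58 +0000
To: victim@example.org
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"

Click here to see the attached video
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg):
    """Received hops oldest-first: each relay prepends its own header, so reverse them."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", line)
        hops.append({
            "ips": BRACKETED_IP.findall(line),
            "by": by.group(1) if by else None,
            "raw": line,
        })
    return hops


def triage_headers(raw):
    """Summarise who submitted the message and whether the provider's
    X-Originating-IP agrees with the submission hop it recorded."""
    msg = email.message_from_string(raw)
    hops = received_chain(msg)
    m = BRACKETED_IP.search(msg.get("X-Originating-IP", ""))
    originating_ip = m.group(1) if m else None
    # The oldest hop is the client handing the mail to its provider. It may
    # announce a LAN address for itself; the public one is what the relay saw.
    first = hops[0] if hops else {"ips": [], "by": None}
    public_ips = [ip for ip in first["ips"] if ipaddress.ip_address(ip).is_global]
    return {
        "from": msg.get("From"),
        "subject": msg.get("Subject"),
        "hop_count": len(hops),
        "submitted_via": first["by"],
        "first_hop_public_ips": public_ips,
        "originating_ip": originating_ip,
        "originating_ip_consistent": originating_ip is not None and originating_ip in public_ips,
    }


if __name__ == "__main__":
    for key, value in triage_headers(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

For this sample the chain is three hops, the mail was submitted to BLU0-SMTP108.phx.gbl, and the one public address at that hop matches X-Originating-IP. That address, together with the Message-ID and timestamps, is what belongs in an abuse report to the provider, since it identifies the compromised account’s session rather than the relays that merely forwarded the mail.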

  46. dumdum says:

    I, too, was dumdum and clicked on the site. I changed my password. Is that enough?

  47. Chris says:

    Hi
    I made the same mistake.
    I have changed my Hotmail password and deleted all my contact list.
    Is there anything else I need to do? I have run a full McAfee scan and there appears to be no infection of my PC.
    Is it ok to use on-line banking?
    Thanks
    Chris

  48. Chris, you may want to try Microsoft’s own tool called System Sweeper (http://connect.microsoft.com/systemsweeper). You will need to have access to a sanitized computer in order to prepare a bootable CD, but it does advanced offline malware scanning and in our experience is quite effective in detecting and removing Malware.

  49. Thank you Oriste for this additional variant.

  50. Chris, if this phishing scam has been your only experience with ill intent on the web, then you are likely safe to do banking. However, the same suggestion I just made to Chris wrt Microsoft System Sweeper is never a bad idea. Just extra peace of mind for you.

  51. Chris,UK says:

    Hi David,
    Thank you for your advice. I ran System Sweeper as recommended and it seems that my PC is clean.
    Many thanks for your help. It’s much appreciated.
    Chris,UK

  52. Jake says:

    Thanks for the website. A friend of mine has been infected. Yesterday messages got sent to her contacts and then today again. These ones are for a photo gallery and say:
    “Click here to see the attached photos”
    …and are a link to the domain “xm2.me”.
    She is an avid facebook user, I suspect she got tricked through that site. She is also in Canada.
    Thanks for the information posted here so far.

  53. Vic says:

    I received this e-mail on Dec 29. I usually am pretty careful myself. I stupidly clicked on the link, because it was from someone who actually would send photos. However, I use thunderbird for my mail. After clicking on the link, nothing happened. I was not taken to any website. Nothing happened, which made me suspicious, so I looked at the source.
    I realize that I may have confirmed my e-mail address. I am going to restore my system to a previous state just in case.
    Vic

  54. Kathy says:

    Great info, thanks. When sending a message to ‘all contacts’ to tell them to not open the email, I noticed that there are a number (8) of extra email ‘contacts’, all appearing to be porn-type addresses (i.e. adultchat, lookink4fun, etc.) added to the email list, but they do not show up in My Contacts (in hotmail). I’m still looking to see if I can figure out where they are hiding. Suggestions are most welcome.

  55. Keith, UK says:

    David,
    Thanks for this brilliant site. It’s been a great source of information especially as no one else seems to be discussing this scam.
    I have received two variants of this email from different friends. Two questions. 1. Does this mean that they received the same messages from someone else and followed the link and entered their passwords? 2. I clicked on both of these at different times and nothing happened, no redirection to a website and no prompt to sign in to MSN. Does this mean I am safe and sound?
    I use Mac and Ipad, if this makes a difference.
    Hope you can help.
    Keep up the good work.
    Keith

  56. Thanks for the info.
    The weird thing is, I get this message in my SPAM box today, listed as “From” a client of mine, who has sent me a legitimate message today in my INBOX.
    I have not heard from this client in some months. Is his e-mail infected? Or it is somehow picking up a bit of the e-mail address from the net and tacking it on to the message (the e-mail address does not appear to be correct, even though it has his name on it.).
    Very sophisticated Phishing scam. Gmail identified it as SPAM.

  57. Daniel T, Sweden says:

    Got this email from a friend and really didn’t think and pressed it in Thunderbird (Mail program). Nothing at all happened. It never asked me for anything at all, my browser didn’t even open. Have been running my antivirus program and Spybot Search & Destroy but nothing has been found. The email was sent to my gmail account and I use the Google Chrome browser, perhaps that is what saved me?
    Will still be running CCleaner and perhaps even change the passwords just in case.

  58. Hi Keith sorry I took a few days to reply to comments over the holidays. Considering you’re on Apple equipment, you are generally safer in the first place, simply because malware authors and phishing expeditions are focused on the larger pie: Windows. Secondly, since you never entered any credentials, there was nothing for them to steal.
    However, the general rule of staying as current and up-to-date on your MacOS and your iOS is necessary because there are definitely security exploits on Apple equipment that are discovered, and you want them patched as soon as Apple releases the updates.

  59. Hi Robert, yes it is a sophisticated scam for sure, and the person you got the email from likely is infected. May be worth pointing him to this article.

  60. Daniel, it’s hard to tell what saved you. I’ve noticed that often I need to click on a URL twice in Thunderbird before it will open. May just be a fluke. In either case, it looks like you’re at least saved from this one.

  61. Markus Ernst says:

    I got the message from a friend’s address today, too. Subject: “check this”; body: “Click here to read this message”. My antivirus program (Avira) had marked it as [Spam] in the subject line.
    Anyway, the phishers seem to have a new domain; the link in my message points to somethingrandom.lg1.me/…
    Daniel, I noticed the same – the link is not active in Thunderbird at my PC. I took a look at the source code; the tag which does the linking looks okay, but there is whitespace in the href attribute (the actual address). I am not sure whether this whitespace prevents Thunderbird from enabling the link, or there is some magic from the antivirus program that disables links in spam-suspicious messages.

  62. Claudine, Montreal, QC says:

    This is the 3rd time I get this message. I clicked on it the first time and nothing happened. The second time it came from one of my friends who only speaks French so I knew there was something phishy and did not click on it, then I just got another one today… Have to say I got this on my general email, not the hotmail one. The link to click is 3cb5t179ww1toi.lg2.me

  63. Josho says:

    I am sorting out this problem for my wife’s account. The strange thing is, after I changed the password I click on the
    hotmail link (above “account overview”) and I get this..
    This is probably not the site you are looking for!
    You attempted to reach by155w.bay155.mail.live.com, but instead you actually reached a server identifying itself as a248.e.akamai.net. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of by155w.bay155.mail.live.com. You should not proceed.
    That is using chrome. Firefox also says it is suspicious.
    I get the same result using my hotmail account after changing my password on a different computer using the same wireless home network. Any reason for this? Virus scan with Avast hasn’t picked up anything on original PC.

  64. Hi Josho – what you experienced sounds more like a hotmail bug than a problem with your computer or software. I often recommend Browser Resets to flush all cache, cookies, etc, and then re-attempt to access a legitimate site.

  65. Lewis says:

    Hi, I have changed my email address. Will that work? I believe it will. Please help!

  66. Eric says:

    Hi Kathy, I had the same problem with strange contacts in my email contacts. This website was very helpful to delete the contacts: http://g4jc.christiangamemaker.com/wordpress/2011/03/strange-contacts-in-hotmail-when-you-try-to-send-a-message/

  67. The Snail says:

    I had this email with woow as the subject arrive today from an acquaintance.
    I did not expect any such email so I investigated it.
    It came from Thailand. I did not open it and deleted it.
    Oriste for your information the email sent to you came from Buenos Aires ARGENTINA !!!
    This ‘virus’ certainly gets about.
    Cheers @/”

  68. Heather G says:

    I received the same or similar message this morning as Josho when I changed my hotmail password after clicking on the “Click here…” message. My password change went through ok, though. I’m also on Chrome. My AVG hasn’t picked up anything. Should I worry? Can I consider my hotmail safe to use now? Thanks, and thanks for the site.

  69. Heather G says:

    Oh oh. I deleted my cookies and tried to sign back in to hotmail but it’s not accepting either the new or old password now.

  70. Peter from Germany says:

    Welcome to 2012. I’ve got this e-mail in my hotmail and mobile phone account today. The great thing is that this e-mail came from my wife, who was in Japan at that time. So as you noticed – it has gone all over the world. However, the positive side is that I noticed that some e-mail accounts of people I haven’t had contact with for a long time are closed.
    I guess we got a big virus or whatever here. I also changed my password. Sorry for my bad English, but as mentioned above, your site is so far one of the first about that topic. For me, it is slowly time to restart my computer from the beginning, which means, almost every year I reboot my computer as it was delivered. Of course, before that I save the important things on disc or so, but I will get rid of all that which is collected over that time somewhere on my computer. It takes time to get all the updates again on the computer, but it worked every time very well and it seemed I have got a clean and new computer.

  71. Mary says:

    I feel lucky to have discovered this discussion as it’s definitely not widely covered anywhere else. I am in Ireland and it’s here also. I received an email with the subject ‘woooh’ with the one line message of CLICK HERE TO VIEW VIDEO from a friend and immediately recognised it as trouble, so deleted it and told her about it. She received this a few days ago and clicked the link, so it seems it took a few days for it to resend from her mailbox. She is not at all PC wise, nor are many of her contacts. Her hotmail account has sent this to all her contacts, some of whom have replied and said in their innocence that they would love to see the photos but couldn’t open them. Unfortunately the brain is still the best spam/virus checker, but it’s mostly non computer literate people who will get caught by this. Can anyone clarify if opening the email is enough to infect, or must you click on the link and then provide info? I hadn’t clicked on the link and so didn’t know until I read this where it led if you did. From looking at the amount of contacts it has gone to from this one individual, this is extremely rampant and has already been passed around Ireland and over to the UK contacts.

  72. James D says:

    I’m in Ontario, Canada and also received this “Click here to see the attached video” email as well. I did not click on it as it was from someone who I only communicate with on a professional level and it seemed very suspicious. I emailed the person and told her about the email, so she is aware of it. The Subject line reads “check this” and the link contains: “http://0txkdoc5i4k9ad.lg2.me/le…..” I ended up marking it as “phishing scam” on my hotmail inbox.

  73. Alex from Belgium says:

    Just got caught yesterday with this virus (hotmail on Mac OS X Tiger).
    AVAST did not detect anything on my disk.
    Now my hotmail account is locked and a pseudo Windows Live page
    https://account.live.com/security/Aci.aspx/A1
    and
    https://account.live.com/security/Aci.aspx/A17
    asks for a mobile phone number to unlock my account.
    Windows Customer support points to http://g.live.com/9uxp9cdp/cdp-en-GB??WLXID=89d728a2-d262-4aa5-8862-69cc1d5b321d&RID=0057b77fe69&TID=1326048586350&lid=
    which I don’t trust.
    Until Microsoft reacts officially to this serious issue, I would recommend NOT TO GIVE your mobile number.
    Any further information welcome.

  74. Piedro from Finland says:

    This virus is in Finland too. Is there any new information about it? I just made a clean install of Linux Ubuntu 10.04, and two days after that (today) my wife opened this link. Should I be worried about it? Should I install everything again?
    I don’t know if this has anything to do with it, but my IPblock has blocked “Bogon” 192.168.1.100 about 100 times. But it ended about an hour ago.
    Thanks for this site!

  75. Darren says:

    I stupidly clicked on the link and it got forwarded to everyone on my contact list within minutes. I changed my password and ran a virus scan on AVG which didn’t pick up anything. Am I now safe?

  76. Goggy3 says:

    Hi David,
    this scam is still flourishing – I have had 3 Hotmail friends send me this email in the last week.
    I am in the UK.
    None of the account holders did anything other than click on the link, although the first said he didn’t even click on the link as he hadn’t even used the account for a number of days.
    Anyway – just an update on the progress of this very successful spam invasion.
    gx

  77. John Rolt says:

    Thanks for this site – nothing else shows up! I received one of these emails from a friend; I queried it, and she is at her wits’ end what to do. I have told her:
    1) tell all your friends not to open any such email from you, and NOT to click on the link
    2) ask hotmail for advice (lol) (yes, she is also a hotmail user – and uses FB – both seem to be common elements)
    3) take PC to a computer shop to have it cleaned.
    Anything else I should say?
    Thanks!

  78. Alex from Belgium, I don’t blame you for your concern about giving them your mobile number. However, Microsoft does have an official password recovery method that involves authenticating that you are really you by sending a text message to your previously supplied mobile number. It’s a legitimate password recovery process, provided you are actually on the live.com website.

  79. Hi Piedro – this specific phishing attempt that I analyzed does not appear to do anything to your computer – it is strictly designed to steal your hotmail/live account and password. This is why it doesn’t matter if you’re on MacOS, Windows or Linux – everyone is equally vulnerable on their online account, but I wouldn’t be concerned about reloading your operating system (provided this is the only issue you’ve had).

  80. If you’ve changed your password, you’re safe from this specific issue, yes.

  81. Thanks for the update, Goggy3 – if the link was clicked but no username & password provided, then they’re likely safe. I’m saying ‘likely’ because we don’t know how many iterations there are. It’s possible that it has become a blended threat, which means that the authors could use other system weaknesses to attempt other drive-by attacks. Unfortunately I cannot take the time to investigate everyone in detail.

  82. Hi John – yes the most important thing for your friend to do is to change her hotmail password, as well as any other account that may have used that same password.

  83. Roger says:

    http://internettestbank.com/d/traf2.com This is how it came to me. I have changed my banking password and facebook password. IP address was 69.6.27.100.80. Have I done enough? AVG let it through and I clicked it 3 times. The next time I logged out from my bank account my Google icon changed to my banking icon for 4 days. Can you advise?????

  84. To David………… I was infected with the emails mentioned above from a friend in Canada. A new one is out with $10k a month r in the subject box and CLICK HERE. I did not open it. I put my mouse over CLICK HERE and this is what I got:
    http://cblszlhkq5de48.182.me/op_XXXXX%40.msn.com/jsbj9ctx90mty9z7qlwgx2_viewMsg where XXXXX is my email
    What do you suppose it is?
    This virus is in the US too.
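The link pattern reported in the comments (a random host on a throwaway .me domain, with the recipient's own address URL-encoded into the path) can be checked mechanically before anyone clicks. This is an added example, not code from the post or its commenters; the trusted domain list, the sample links and the address alice@msn.com are constructed for it.

```python
"""Added example, not code from the post or its comments: flag mail links of
the kind reported above, where the "click here" target is a random host on a
throwaway domain and the path carries the recipient's URL-encoded address.
The trusted domain list, sample links and addresses below are constructed."""
import re
from urllib.parse import unquote, urlparse

# Domains a Windows Live / Hotmail sign-in link could legitimately point to
# (constructed list for this example; extend it for your own provider).
TRUSTED_DOMAINS = ("live.com", "hotmail.com", "msn.com")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def host_is_trusted(host):
    """True only for a trusted domain or a real subdomain of one; a lookalike
    such as account.live.com.example.net is rejected."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def embedded_addresses(url):
    """Email addresses hidden in the decoded path or query (op_user%40msn.com)."""
    parsed = urlparse(url)
    decoded = unquote(parsed.path) + "?" + unquote(parsed.query)
    return EMAIL_RE.findall(decoded)


def classify_link(url, recipient):
    """Return the reasons a link matches this phishing pattern ([] means clean)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if not host_is_trusted(host):
        reasons.append("untrusted host: " + host)
    found = embedded_addresses(url)
    if found:
        reasons.append("address embedded in link: " + ", ".join(found))
    # The thread notes the link carries the recipient's own address, which
    # lets the sender confirm which addresses are live and who opened the mail.
    if recipient.lower() in unquote(url).lower():
        reasons.append("recipient address embedded (open/validation tracking)")
    return reasons


# Constructed sample hrefs modelled on the patterns quoted in the comments.
SAMPLE_LINKS = [
    "http://cblszlhkq5de48.182.me/op_alice%40msn.com/jsbj9ctx90mty9z7qlwgx2_viewMsg",
    "http://0txkdoc5i4k9ad.lg2.me/le/alice%40hotmail.com",
    "https://account.live.com.example.net/security/Aci.aspx",
    "https://login.live.com/login.srf",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", classify_link(link, "alice@msn.com") or "clean")
```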

  85. Dwight M says:

    Hi, luckily I didn’t get infected… however I have friends who have. Is there any FIX out there, or should they simply change their password for now? This is about the only site on the internet with any info (GREAT INFO).
    Tks, any info greatly appreciated.
    D.

  86. Kim B (UK) says:

    Am in the UK and have received 2 of these emails today. The first was from a @live user and had a slight twist, as the attachment related to ‘work from home’ and ‘Read full message’, whilst the other was from a @hotmail user and the subject was ‘hey’ and ‘Click here to see the attached photos’. Symantec does now seem to be rooting these out, but I have advised both contacts to reset their passwords. Not entirely sure, but think this link may well be related to removal of this.
    http://www.technibble.com/how-to-remove-msn-virus-project-1-generic2exo-backdoorgeneric3sat/

  87. Emily C in Ontario Canada says:

    Good morning, I am receiving these with greater frequency – two “known to me” friends have this happening, and I have informed them. I finally had to filter out one of them as this keeps happening. I have alerted all my friends with hotmail accounts to this, especially to tell them I will block them if it happens from them. I do not use hotmail, but I am going to change my password nonetheless.
    What I noticed happened this morning: the email came in from a friend at about 1am EST (this is the second one I received from them, about a month apart, so unfortunately I have filtered them out), then about 7am EST another came into my spam folder. It had the name of a person (unknown to me) but the actual email address was a series of letters with @hotmail.com – it had a different ‘come on’ topic line (they seem to be for things like ) and what I notice is weird, there is always a single letter (like the w) after the subject.
    I only clicked this once last month and NEVER entered any info-backed out right away because I realized what it was, but funny how I am now a target for more requests. This is why I have told my hotmail friends to take action. And, blocking the ones I know sent me these types of emails.
    I am not a whiz with the techno end of this stuff, but I certainly see how insidious this is becoming.

  88. Angie says:

    Hello, I’m not a techy, but based on what I’ve read here I think it is the same thing I got to my Yahoo account from a contact with a government e-mail address. It came on the 10th and I was suspicious; subject “hey”, body “click here to see attached video”. Today I clicked the link out of curiosity and while waiting (both AVG and Microsoft Essentials make things slow, it seems) I noticed that my “contacts” list in the column to the left was being activated/opened/read (the spinning action was taking place as though I clicked it). Since I was initially suspicious of the mail in the first place, I logged out before anything else happened.
    I logged back in and sent an e-mail to the contact to warn her. I’m in Jamaica and got here through Google search “click here to see attached video”.

  89. Rikki says:

    A family member received this email and is positive he did not enter his password – I’ve trained him well in that regard! But his contact list has still been compromised, and emails sent to all of them with the ‘click here to view the attached video’ link. So entering your details *may* not be required for this to be a problem.

  90. Karl E says:

    I live in Sweden and have received two of these mails. Both seemed to come from friends of mine with hotmail addresses. Like a fool I clicked on the link the first time, but nothing happened. My question is if only hotmail is affected. Only the presumed senders have hotmail addresses. I myself have a telia.com address. It’s now 3 weeks since I received the first mail, and I cannot see that I have sent any unintended mail. Neither have I heard from anyone on my contact list. My password is encrypted in my mail client (MacOS Mail) and I never enter it. Can I forget the whole thing?

  91. Jana says:

    I’m in Germany and I got the mail on Saturday… It was sent to me by a British friend and I was stupid enough to click on the link. A new tab with the site of my mail provider opened, I closed it immediately and changed my password afterwards… So far no mail seems to have been sent to my contacts. However, today my Avira AntiVir found something on my computer… Did this happen to other people, should I worry, or is it a coincidence? Please help, I’m afraid to use my computer as I usually do!

  92. JKAbrams says:

    A relative got this from a compromised hotmail account. He’s using @telia.com, so he is probably safe.
    Here is the email, only slightly redacted:
    http://pastebin.com/CmAkwVAB
    Now using the domain lg7.me
    Using the provided link will get you to internettestbank.com, a Swedish scamming site connected to PLANET49, an infamous scamming company that makes money by collecting contact details from easily scammable people (here is what Etiska Rådet has to say about them [in Swedish] http://www.etiskaradet.se/nyheter/2011/5/5/angaende-tavlingar-fran-planet49-och-andra-foretag.aspx – use Google Translate to get it in English).
    Whether PLANET49 is actually behind this phishing attack, I can’t say, but at least the attack is geographically aware. Probably there is some exchange of traffic (and money) between PLANET49 and the one behind this phishing attack.
    http://lg7.me is quite funny actually, it redirects me to a $100 KFC check you can get by posting about them on facebook; there is a ticker on the top that shows a decreasing number of available checks, so you have to quickly give them your facebook credentials before you have time to think about what you’ve just done…. (You may be redirected to another scam site.)

  93. Dale-Maree says:

    Thanks for this, I was about to click Sign In but it just didn’t seem right. The email actually came from a relative who travels a lot, so it seemed like it would be genuine. Anyway, thanks for posting this as I found your response easily through a Google search. Cheers!

  94. Richard in Ontario, Canada says:

    Well, it’s taken a long time to travel a short distance, considering when David R in Ontario, Canada started posting, but this pestilence arrived in the Napanee/Kingston area yesterday. I hadn’t seen it previously.

  95. zitan says:

    Thank you very much for your post!

  96. Sim says:

    This was sent to me by a friend. It seemed unusual only because I know her writing style. I queried her by SMS and she says it has been sending to her contacts. It also asked for her mobile number. Anyway, I advised her to change her Windows Live password and to run a virus scan.

  97. dougie says:

    My wife fell prey to this yesterday, and now all her contacts have been sent spam/phishing attempts. Running OSX here, I notice that the ClamAV virus scanner is reporting many copies of 4907.emlx Heuristics.Phishing.Email.SpoofedDomain,
    presumably from the bad emails.
    Any thoughts on whether malware was part of this scam? Strange news blackout on it.

  98. Jon says:

    Hi – I used this page to help a friend of mine who had this issue, and found it useful. So – thanks!
    And my thoughts are: the email originates from the rogue site.
    – if you receive the email
    > delete it
    – if you have received the email, clicked on the link but not signed in
    > you’re still ok, just close the webpage, delete the email. Run an AV scan if
    you’re worried
    – if you have received the email, clicked on the link, and signed in – then you’ve given your usercode/password to a crook. The crook will sign into your hotmail account and nose through your emails, and send out the same email that you got to everyone on your address list.
    > You need to:
    a) Sign onto “real” Windows Live/Hotmail, change the password
    b) Have a think about what’s in your email inbox/folders in that account,
    and change passwords, bank details, etc of anything that the crook
    c) Maybe email your address list apologising (always good manners) and
    passing on the advice here.
    Hope this helps – someone who knows better, please disagree and give reasons.
    BTW – my credentials? I work in IT: ok, it’s on the mainframes (real machines!) but I do have responsibility where I work for security. And I have hated virus writers, phishers, etc for over a decade.
    Jon

  99. John says:

    I have just been attacked by this wicked virus. I am in the UK. I received an email from a trusted colleague this evening with the subject “see this”. I clicked on the link and entered my email and password. Soon after, I started receiving spam emails with the heading “postmaster failed delivery”. I then realized that the virus has sent the same email to everyone on my contact list.
    I have added it to my junk list and have changed my password. For now, I have received no new emails, but I’m afraid the damage has been done (sending my contacts the emails). Now I am stuck with the pain of trying to contact everyone to warn them. Please help if you have any helpful information to defeat this evil virus!!!

  100. René says:

    Got this virus today via a trusted e-mail address on outlook. Luckily I use my hotmail address only for contacts I do not trust. So, in my case, no damage done.
    Obviously this is not recognised as a virus by the anti-virus/spam programs.

  101. Rose says:

    Https is soo underrated; most sites, including this one, do not show it in the URL window. Everyone thinks I’m nuts, but I keep a different password for email, facebook, youtube, twitter, etc. etc. accounts. Funny how everyone tells you that it is sooooo easy to link all of them on yahoo or whatever. My answer is “no way” and I will continue to stand by that decision. I do have one question: someone told me the safest email was hotmail because it “changes your ip address every couple of seconds”. Is that so?

  102. Hi Rose, about your question re hotmail and changing your IPs – it has no control over your Internet connection so no, it cannot change your IP. From a security perspective, Hotmail, Yahoo and Gmail are very equivalent. Each employs security details a little differently but from an overall security rating they do not differ very much. Gmail is probably the most proactive though.

  103. Simon says:

    It isn’t just using the hotmail contacts, it has sent mail to addresses that it retrieved from my inbox and outbox as well.

  104. Guru says:

    An update. I tried to login today after a couple of days of inactivity and Hotmail says that my account has been blocked because of spam originating from it. I am guessing that the email address is being spoofed to send out the spam.

  105. Tom says:

    John and Guru adequately explain the situation. I have experienced both. Is there a fix?

  106. amani says:

    I have been receiving these dumb emails too. The first time I clicked it I started sending email saying “see following attachment.” And at school everyone was saying I sent them it, and the next day Windows email said something suspicious is going on with your email account, please verify. And I used my mom’s cell phone so they could text me a verification code, and then it stopped for a few days, then continued. My sent folder was filled with emails I did not even send!

  107. beauty says:

    Often its the fox guarding the henhouse, right?

  108. online sales training says:

    Hey there! Someone in my Facebook group shared this website with us so
    I came to take a look. I’m definitely enjoying the information. I’m book-marking and will be tweeting this to my followers!
    Exceptional blog and amazing design and style.

  109. Mia says:

    My brother suggested I might like this blog. He was entirely right.
    This post actually made my day. You can’t imagine just how much time I had spent for this info! Thanks!

  110. Katie says:

    It’s like you read my mind! You seem to know a lot about this, like you wrote the book on it or something. I think that you could do with a few pics to drive the message home a bit, but other than that, this is a great blog.
    A great read. I will definitely be back.

  111. hgh-energizer.biz says:

    Hello, just wanted to say, I enjoyed this blog post.
    It was practical.
    Keep on posting!

  112. Personal Finance says:

    Stunning story there. What occurred after? Good luck!

  113. Photobucket says:

    Way cool! Some very valid points! I appreciate
    you penning this post and also the rest of the site is also really good.
