November 29, 2011
Niles Nerd

Windows LIVE email and password theft

In light of reduced spam as of late, I was somewhat surprised to see phishing and credential-theft attempts as sophisticated as this come through to my inboxes today: at least one in each of my different email addresses, but all sent from the email accounts of friends on Facebook. I searched the major anti-virus and anti-malware vendors as well as Google and Twitter, and nothing turned up, so maybe I'm just one of the first to be hit. Here's one message I received; a similar one arrived in each of my mailboxes:
[Screenshot: the phishing message as received]
A few other variations are as follows:
SUBJECT: Very good
BODY: Click here to read this message
SUBJECT: wooow
BODY: click here to see the attached video
In each case the “click here…” text is hyperlinked to the same site, and the URL also contains the actual email address of you, the recipient.
It appears the originator of this spam/phishing attack is, at the very least, validating the email addresses of recipients who click through: because the address is carried in the URL, every click confirms to the attacker that the mailbox is live and that someone is reading and acting on the mail.
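As an added example (not code from the original post), here is a small Python triage script that pulls the hyperlinks out of a raw message of this shape and flags the ones that carry the recipient's own address, whether plainly, percent-encoded or base64-encoded in a query value or path segment. The sample message, the lure.example domain and the addresses in it are constructed for the example; the allowlist of expected sign-in hosts is an assumption of mine, not something the post states.

```python
"""
Triage a suspected phishing message of the kind described above.

Added example (not code from the original post): parse a raw message,
pull every hyperlink out of its HTML part, and flag the links that carry
the recipient's own address, plainly, percent-encoded or base64-encoded.
The sample message, the lure.example domain and the addresses in it are
constructed for this example.
"""
import base64
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample in the shape of the "click here" lures quoted above.
# The first two links smuggle the recipient address in the query string,
# one percent-encoded and one base64-encoded; the third is a control.
RAW_MESSAGE = b"""From: "A Friend" <friend@example.net>
To: victim@example.com
Subject: wooow
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="http://lure.example/view.php?u=victim%40example.com&id=7">click here to see the attached video</a></p>
<p><a href="http://lure.example/track.php?e=dmljdGltQGV4YW1wbGUuY29t">click here to read this message</a></p>
<p><a href="https://login.live.com/">Sign in</a></p>
</body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Assumption: the only host a genuine Windows Live sign-in link should use.
EXPECTED_SIGNIN_HOSTS = {"login.live.com"}


def extract_links(raw: bytes) -> list:
    """Return every href found in the text/html parts of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            links.extend(HREF_RE.findall(part.get_content()))
    return links


def _try_base64(text: str):
    """Decode text as base64 if it plausibly is; otherwise return None."""
    stripped = text.strip()
    if len(stripped) < 8:  # too short to hold an email address
        return None
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def embeds_address(url: str, addr: str) -> bool:
    """True if addr appears in url: plain, percent-encoded, or base64-encoded
    inside a query value or path segment."""
    needle = addr.lower()
    parsed = urlparse(url)
    candidates = [parsed.path, parsed.query, parsed.fragment]
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        candidates.extend(values)
    candidates.extend(parsed.path.split("/"))
    for candidate in candidates:
        if needle in unquote(candidate).lower():
            return True
        decoded = _try_base64(unquote(candidate))
        if decoded and needle in decoded.lower():
            return True
    return False


def triage(raw: bytes) -> list:
    """One report entry per link: where it goes and whether it tracks the
    recipient. The From header is deliberately not used as a signal, since
    these lures arrive from compromised accounts of people you know."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipient = parseaddr(str(msg["To"]))[1]
    report = []
    for url in extract_links(raw):
        host = (urlparse(url).hostname or "").lower()
        report.append({
            "url": url,
            "host": host,
            "embeds_recipient": embeds_address(url, recipient),
            "host_is_expected_signin": host in EXPECTED_SIGNIN_HOSTS,
        })
    return report


if __name__ == "__main__":
    for entry in triage(RAW_MESSAGE):
        flag = "TRACKING" if entry["embeds_recipient"] else "-"
        print(f"{flag:8} {entry['host']:16} {entry['url']}")
```

Run it on a saved .eml instead of the constructed sample by reading the file as bytes and passing it to `triage()`. The point of the `embeds_recipient` flag is the one made above: a link that carries your address confirms your mailbox to the sender the moment you click, so the safe response is to not click at all, not to click and then decline to log in.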
I also checked Google's Safe Browsing diagnostic page for the domain:
At the time of this writing, the result shows that it has not detected any malware on this site, which is to be expected for a domain this new; blocklists lag behind fresh campaigns. I suspect this will change overnight:
[Screenshot: Google Safe Browsing diagnostic result, no malware detected at time of writing]
In case some spam researchers come across this article, here is the full raw source (with my own email address replaced by a placeholder):
Part 1 of 2:
[Screenshot: raw message source, part 1 of 2]
Part 2 of 2:
[Screenshot: raw message source, part 2 of 2]
If you do click the URL in the email, that is when the phishing attack proper begins: the page prompts you for your Windows Live username and password. Note, however, that it is NOT Microsoft's own sign-in page, which means you are handing your username and password directly to the thief:
[Screenshot: the fake Windows Live sign-in page asking for username and password]
As you might expect, the domain itself was only registered a week ago, and its real ownership is disguised:
[Screenshot: WHOIS record for the domain, registered a week earlier with ownership details hidden]
The same ownership disguise applies to the domain where the phishing page is actually hosted.
And finally, when I check where all the “click here to view this message” links are being served from, the hostname resolves to an IP address registered to Hosting Solutions International:
[Screenshot: IP address registration record showing Hosting Solutions International]
Naturally, I have reported this clearly malicious activity to the host's abuse address and hope for a quick response. I have no illusions, though, about how quickly the attacker can point the links at a new host, or start sending spam from a newly registered domain elsewhere. The cat-and-mouse game just continues…
I just hope this anatomy of one particular spam message helps somebody somewhere avoid these traps, and perhaps we can all find our way to cleaner and more productive email.
If you're a victim, here is Microsoft's article on what to do:
