Christopher Boyd: November 2007 Archives

Hotmail / EBay Follow Up


Earlier today I posted this regarding compromised EBay / Hotmail accounts. Well, check this out:

http://blog.spywareguide.com/upload/2007/11/listingebay2-thumb.jpg

.....guess this confirms the intentions behind all these hijacks.

If you happened to log in to Hotmail recently, found yourself locked out and were presented with this at the Password Reset screen:

http://blog.spywareguide.com/upload/2007/11/htmail1-thumb.jpg

...yes, your secret question is now in Chinese...then don't panic, because you're not alone. There seems to be a small outbreak of Hotmail accounts being compromised (likely via phishing, though we have no evidence of the method used yet), and from there the associated EBay accounts are hijacked. Most likely this is to use those EBay accounts to sell dubious merchandise (or, more likely, to pretend to sell merchandise and then run away with the money, leaving you with bad feedback galore).

Here's someone back in October complaining about it, and you'll see a few others at the end of the comments section here with the same problem. In all cases, you should go here to get help reclaiming your Hotmail account and go here to chat with EBay Live Support.

There's been quite a bit in the news recently about Habbo Hotel, and while there are some interesting tools out there designed to swipe login details, I find....

habscam1.jpg

....that, despite all the warnings....

habscam2.jpg

.....quite often, the easiest way to cheat people out of their login details....

habbostoled2.jpg

....is to ask for them.

I'd like to tell you the rest of that page didn't consist of people hurling their login details at the original poster.

Sadly, I'd be lying.

You probably saw some of the coverage of the recent hijacking of musician pages on Myspace. What you probably didn't see was evidence of the end-users who were unfortunate enough to have their systems taken over as a result of the hacked band pages. Certainly, a few reports claimed that something like "40,000" people were infected as a result of viewing the Alicia Keys Myspace page at the time it was hacked. The only problem is, nobody seemed able to produce one of these individuals. While I don't believe that many users became infected purely from the Alicia Keys page, it's obvious that there would be people out there with a story to tell.

Well, a few days ago one of the end-users who clicked the overlay on a hijacked page (which would redirect you to malware and fake codecs) got in touch, and agreed to let me use the following extract to serve as a warning to anyone clicking on a Myspace page. Obviously, names and personally identifiable information have been removed.....

"To Chris Boyd:

I believe I was a victim of the recent software attacks on MySpace. I have read that you first blogged about it, but haven't heard of any solutions as to what can be done for online visitors who have visited the site and whose computers have been compromised. I had ********** Cable install high-speed internet, and got online the same day. I did get on the Alicia Keys website, along with other websites, and the following day my computer is showing me a red screen telling me that my "privacy is in danger." A pop-up window appears from time to time. It says...WINDOWS SECURITY ALERT...Someone is trying to hack into your system....download such and such now, etc. Downloading more stuff is actually something that I don't want to do.

I have contacted the company, and all they told me was to go to a computer technician and clean my software. I should mention that I had McAfee and Norton Antivirus, but both expired in May 2007. I had dial-up before and never had this problem, even with the virus protection programs expired. I guess the only solution now is to get my computer cleaned up, and buy a software that will protect me from future problems. Hope Best Buy has the right stuff! Since it's high-speed, does that mean we're open to hackers? Do you know how online visitors can be compensated for the recent attacks on the website?"

Well, for what it's worth, you'd have had the same problem if you'd visited the page and been hijacked regardless of whether you were on dial-up or high-speed broadband. As to whether or not you're "open to hackers", it depends what was installed during the hijack. Though there were some reports of rootkits flying around the press when this story was in the news, all we saw installed was the fake codec (which is usually responsible for downloading and installing the rogue antispyware cleaner currently giving you all those "alerts"). However, the payload was known to change from time to time, so without seeing the individual PC it's hard to say. The good news is, most reputable security cleaning tools remove many, many variants of these fake codecs, and also the rogue antispyware tools they push onto hijacked PCs. The method used to hijack the computers in this attack was much more interesting and up to date than the actual malware being foisted onto the target PC, which (when compared to some of the hijacks out there) was fairly middle-of-the-road and not a huge threat.

As for being "compensated", sadly I don't think you'll get very far. Your best bet is to keep your security tools updated, try running in Limited User Mode if you're just doing general web browsing and keep Windows patched as much as possible.

Meanwhile, hacked pages are still out there and still redirect to the hijack sites at the heart of this attack, so anybody visiting a music page on Myspace needs to ensure everything they click on is legitimate. On a related note, I'd love to hear from anyone else out there who's been hijacked by the above scam...

Microsoft Roundup


Some interesting bits of news just appeared on the radar. Apparently Microsoft isn't too happy with its own virus detection, and a Microsoft exec seems somewhat surprised that an XP machine could be hacked with ease when not running AV / antispyware software or a firewall.

Who knew?

About this Archive

This page is an archive of recent entries written by Christopher Boyd in November 2007.
