Phishing attacks towards Hotmail users today

Everybody knows that people are stressed before long holidays, and this is also well known to the people who try to get richer by fooling ordinary users.

A friend of mine called me and asked me about an email she got today from “hotmail”. I found this email was a new “phishing” attack. The email was sent by
_HoTmail.Sign.Error@hoterr-srv214.202.222.24.32.uk._ and requested the Hotmail user to correct some necessary personal data by clicking a link (picture 1).

(Picture 1) Phishing attack to Hotmail users, Dec. 10 2011

If you received such an email then you should just delete it without doing anything.

You are welcome to continue reading if you are interested in more information about this “phishing” attack.

The visible link text shows: https://login.hotmail.com/wlive05192/windwoslive52111/login_verify2?puser=....@hotmail.com

but the real URL behind the link (the href) leads to

http://briian.tw/hotwl/wliveprsx05108622/go.php?col=m12miss&maw251=mat5

and the user lands on a page that looks very much like the Microsoft Live sign-in page (Picture 2):

(Picture 2) Phishing attack to Hotmail users, Dec. 10 2011
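The mismatch between the link text and the real href is the tell. As an added example (not part of the original post), the following Python script extracts every anchor from an HTML fragment modelled on the mail and flags those whose visible text is itself a URL whose host differs from the host in the href. The HTML sample is constructed for the example and the function names are mine.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the phishing mail: the visible text is a
# login.hotmail.com URL, but the href points at the attacker's server.
SAMPLE_HTML = """
<p>Please follow
<a href="http://briian.tw/hotwl/wliveprsx05108622/go.php?col=m12miss&amp;maw251=mat5">
https://login.hotmail.com/wlive05192/windwoslive52111/login_verify2?puser=user@hotmail.com
</a> to correct your account data.</p>
<p>Help: <a href="https://support.live.com/">https://support.live.com/</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")  # already entity-decoded
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; scheme-less text such as 'www.x.com' gets one first."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def find_deceptive_links(html):
    """Anchors whose visible text is a URL, but on a different host than the href."""
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        # Only link text that looks like a URL makes a promise we can check.
        if not re.match(r"^(https?://|www\.)", text, re.I):
            continue
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            hits.append({"shown_host": shown, "real_host": real, "href": href})
    return hits


if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_HTML):
        print(f"text says {hit['shown_host']}, link goes to {hit['real_host']}: {hit['href']}")
```

Run against the sample it reports one deceptive anchor (text claims login.hotmail.com, href goes to briian.tw) and ignores the support.live.com link, whose text and href agree. Link text that is not a URL ("click here") is skipped, since it makes no claim about the destination.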

Since the user is asked to sign in and correct the information, the sign-in form submits the entered credentials directly to

http://briian.tw/hotwl/wliveprsx05108622/confirm.php

BINGO

Now the user’s userid and password for Hotmail are compromised.

Here are some more details about this phishing attack (the full message headers):

x-store-info:sbevkl2QZR7OXo7WID5ZcVBK1Phj2jX/
Authentication-Results: hotmail.com; sender-id=temperror (sender IP is 202.222.24.30) header.from=_HoTmail.Sign.Error@hoterr-srv214.202.222.24.32.uk._; dkim=none header.d=hoterr-srv214.202.222.24.32.uk._>; x-hmca=none
X-Message-Status: n:0:n
X-SID-PRA: _HoTmail.Sign.Error@hoterr-srv214.202.222.24.32.uk._
X-DKIM-Result: None
X-AUTH-Result: NONE
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: NhFq/7gR1vRIrLRdm91QQUAEFk+Mrrr5vfoyCMSpgYSN55t6ndSz/S502EUwmlWPIU0E8nLQPnVpGI8MNgou75PUMv4hQHt313Ypu0CQIVwtLMjk/wD+jnuaZYdnm8Us
Received: from ms.shinyei-ship.co.jp ([202.222.24.30]) by COL0-MC4-F25.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sat, 10 Dec 2011 03:21:30 -0800
Received: from localhost (localhost [127.0.0.1])
by ms.shinyei-ship.co.jp (Postfix) with ESMTP id 8DFEA6D002
for <…….@hotmail.com>; Sat, 10 Dec 2011 20:21:29 +0900 (JST)
Received: from DTI-Autodesk.dtillc.local (unknown [173.200.119.242])
by ms.shinyei-ship.co.jp (Postfix) with ESMTP id 224806D009
for <……@hotmail.com>; Sat, 10 Dec 2011 20:21:28 +0900 (JST)
X-Binding: red
type: birthday
Subject: *WindowsLive*: E-mail Alert! Dec 10 , 2011
Priority:Normal
From: _HoTmail.Sign.Error@hoterr-srv214.202.222.24.32.uk._>
X-Verification: Verified by 89.242.78.231
Date: Sat, 10 Dec 2011 05:21:24 Central Standard Time
XData: 1010,449yQQ4@Qy94@K9t9@i-Wwjq-e
X-ConvioDeliveryGroup: poola
X-EMV-Platform: p4cce.campaigncommander.com$
x-virtual-mta: vmta04
To: …..@hotmail.com (is changed by me intentionally)
X-Priority: 1
Content-Type: text/html
X-PHP-Script: www.heartsdirect.co.uk/admin/news.php for 86.186.137.18
X-EMV-MemberId: 126505126$
X-Mailer-Revision: 100
Mime-Version: 1.0
X-EMV-CampagneId: 533228$
X-Tag: bulletin,bulk,false,email
Content-Transfer-Encoding: 7bit
X-Originating-IP: [78.25.158.230]
X-Log-Id: 98700779571
Message-ID: <f805fe9cfaf2504e3a11a920b66f036b@mobiles3.amoureux.com>
Precedence: List
X-Gateway: c3poola1
Return-Path: azadrammultu@verizan.net
X-OriginalArrivalTime: 10 Dec 2011 11:21:30.0549 (UTC) FILETIME=[DD8F9E50:01CCB72D]
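To read headers like these systematically rather than by eye, here is an added example (not from the original post) that parses a cleaned-up copy of the headers above with Python's standard `email` module. The sample is constructed from the quoted headers, with the recipient redacted and the lines that extraction had run together separated again; the function names are mine. It lists the Received hops in transit order, pulls the Sender-ID and DKIM results, compares the From, Return-Path and Message-ID domains, and collects the publicly routable IPs.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample: the headers quoted above, with the recipient redacted
# and the lines that extraction had run together separated again.
SAMPLE_HEADERS = """\
Authentication-Results: hotmail.com; sender-id=temperror (sender IP is 202.222.24.30) header.from=_HoTmail.Sign.Error@hoterr-srv214.202.222.24.32.uk._; dkim=none header.d=hoterr-srv214.202.222.24.32.uk._; x-hmca=none
Received: from ms.shinyei-ship.co.jp ([202.222.24.30]) by COL0-MC4-F25.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
 Sat, 10 Dec 2011 03:21:30 -0800
Received: from localhost (localhost [127.0.0.1])
 by ms.shinyei-ship.co.jp (Postfix) with ESMTP id 8DFEA6D002
 for <victim@hotmail.com>; Sat, 10 Dec 2011 20:21:29 +0900 (JST)
Received: from DTI-Autodesk.dtillc.local (unknown [173.200.119.242])
 by ms.shinyei-ship.co.jp (Postfix) with ESMTP id 224806D009
 for <victim@hotmail.com>; Sat, 10 Dec 2011 20:21:28 +0900 (JST)
Subject: *WindowsLive*: E-mail Alert! Dec 10 , 2011
From: _HoTmail.Sign.Error@hoterr-srv214.202.222.24.32.uk._
To: victim@hotmail.com
X-PHP-Script: www.heartsdirect.co.uk/admin/news.php for 86.186.137.18
X-Originating-IP: [78.25.158.230]
Message-ID: <f805fe9cfaf2504e3a11a920b66f036b@mobiles3.amoureux.com>
Return-Path: azadrammultu@verizan.net

"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def _flat(value):
    """Unfold a header value: collapse folding whitespace to single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()


def _domain(value):
    """Domain part of an address or Message-ID header ('' if there is none)."""
    m = re.search(r"@([^\s>;]+)", _flat(value))
    return m.group(1).lower() if m else ""


def analyze_headers(raw):
    msg = HeaderParser().parsestr(raw)

    # Each relay prepends its own Received line, so the top one is the last
    # hop; reverse them to get the path in transit order.
    hops = []
    for rec in reversed(msg.get_all("Received", [])):
        rec = _flat(rec)
        m = re.match(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", rec)
        by = re.search(r"\bby\s+(\S+)", rec)
        ip = re.search(IPV4, m.group(2) or "") if m else None
        hops.append({"name": m.group(1) if m else None,
                     "ip": ip.group(0) if ip else None,
                     "by": by.group(1) if by else None})

    # Authentication-Results: "method=result" clauses separated by ';'.
    auth = {}
    for clause in _flat(msg.get("Authentication-Results")).split(";"):
        m = re.search(r"([\w-]+)=(\w+)", clause)
        if m:
            auth[m.group(1)] = m.group(2)

    sender = {"from": _domain(msg.get("From")),
              "return_path": _domain(msg.get("Return-Path")),
              "message_id": _domain(msg.get("Message-ID"))}

    # Collect bracketed IPs from every header plus the client IP that the
    # PHP mailer recorded, then keep only publicly routable ones.
    ips = set()
    for name, value in msg.items():
        ips.update(re.findall(r"\[(" + IPV4 + r")\]", value))
        if name.lower() == "x-php-script":
            ips.update(re.findall(r"for\s+(" + IPV4 + ")", value))
    public_ips = sorted(ip for ip in ips if ipaddress.ip_address(ip).is_global)

    reasons = []
    if "pass" not in (auth.get("sender-id"), auth.get("spf"), auth.get("dkim")):
        reasons.append("no passing Sender-ID/SPF or DKIM result")
    if len(set(sender.values())) > 1:
        reasons.append("From, Return-Path and Message-ID domains disagree")
    if re.search(IPV4, sender["from"]):
        reasons.append("From domain embeds an IPv4-looking label")

    return {"hops": hops, "auth": auth, "sender_domains": sender,
            "public_ips": public_ips, "reasons": reasons}


if __name__ == "__main__":
    report = analyze_headers(SAMPLE_HEADERS)
    for hop in report["hops"]:
        print(f"{str(hop['ip']):>16}  {hop['name']}  ->  {hop['by']}")
    print("auth:", report["auth"])
    print("sender domains:", report["sender_domains"])
    print("public IPs:", report["public_ips"])
    print("verdict:", "; ".join(report["reasons"]) or "nothing suspicious")
```

On this sample the hop list shows the message arriving at the Japanese relay from 173.200.119.242 before that relay handed it to Hotmail from 202.222.24.30, the Sender-ID check came back temperror with no DKIM signature at all, and the From, Return-Path and Message-ID domains are three unrelated names. Any one of those is enough to treat the mail as forged; together they leave no doubt.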

The following IP addresses appear to be involved in this phishing attack:

78.25.158.230 (the X-Originating-IP) is registered in the Russian Federation, Moscow, Cjsc Kolomna-sviaz Tv
86.186.137.18 (the client recorded by the X-PHP-Script header) belongs to the United Kingdom, BT Public Internet Service
202.222.24.30 (the relay that delivered the message to Hotmail) is from Japan, Hyperbox Co. Ltd

Comments are most welcome
