Everybody realize tat people are stressed before long holidays and this fact is also known by people who try to get richer by fooling innocent ordinary users.
A friend of mine called me and asked me about an email she got today from “hotmail”. I found this email was a new “phishing” attack. The email was sent by
_HoTmail.Sign.Error@hoterr-srv184.108.40.206.32.uk._ and requesting the hotmil user to correct some necessary personal data by clicking a link (picture 1).
If you received such an email ten you should just delete it without doing anything.
You are welcome to continue reading if you are interested in more information about this “phishing” attack
The link shows: https://login.hotmail.com/wlive05192/windwoslive52111/login_verify2?puser=....@hotmail.com
but the real URL leading to the following web page
and the user gets something pretty much like the Microsoft live web page (Picture 2):
Since the user is requested to logon and correct the information the sign in procedure goes directly to
Now the user’s userid and password for Hotmail are compromised
Here are some more detalis about this phishing attack:
x-store-info:sbevkl2QZR7OXo7WID5ZcVBK1Phj2jX/ Authentication-Results: hotmail.com; sender-id=temperror (sender IP is 220.127.116.11) header.from=_HoTmail.Sign.Error@hoterr-srv18.104.22.168.32.uk._; dkim=none header.d=hoterr-srv22.214.171.124.32.uk._>; x-hmca=none X-Message-Status: n:0:n X-SID-PRA: _HoTmail.Sign.Error@hoterr-srv126.96.36.199.32.uk._X-DKIM-Result: None X-AUTH-Result: NONE X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w X-Message-Info: NhFq/7gR1vRIrLRdm91QQUAEFk+Mrrr5vfoyCMSpgYSN55t6ndSz/S502EUwmlWPIU0E8nLQPnVpGI8MNgou75PUMv4hQHt313Ypu0CQIVwtLMjk/wD+jnuaZYdnm8Us Received: from ms.shinyei-ship.co.jp ([188.8.131.52]) by COL0-MC4-F25.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Sat, 10 Dec 2011 03:21:30 -0800 Received: from localhost (localhost [127.0.0.1]) by ms.shinyei-ship.co.jp (Postfix) with ESMTP id 8DFEA6D002 for <…….@hotmail.com>; Sat, 10 Dec 2011 20:21:29 +0900 (JST) Received: from DTI-Autodesk.dtillc.local (unknown [184.108.40.206]) by ms.shinyei-ship.co.jp (Postfix) with ESMTP id 224806D009 for <……@hotmail.com>; Sat, 10 Dec 2011 20:21:28 +0900 (JST) X-Binding: red type: birthday Subject: *WindowsLive*: E-mail Alert! Dec 10 , 2011 Priority:Normal From: _HoTmail.Sign.Error@hoterr-srv220.127.116.11.32.uk._> X-Verification: Verified by 18.104.22.168 Date: Sat, 10 Dec 2011 05:21:24 Central Standard Time XData: 1010,449yQQ4@Qy94@K9t9@i-Wwjq-e X-ConvioDeliveryGroup: poola X-EMV-Platform: p4cce.campaigncommander.com$ x-virtual-mta: vmta04 To: …..@hotmail.com (is changed by me intentionally)X-Priority: 1 Content-Type: text/html X-PHP-Script: www.heartsdirect.co.uk/admin/news.php for 22.214.171.124 X-EMV-MemberId: 126505126$ X-Mailer-Revision: 100 Mime-Version: 1.0 X-EMV-CampagneId: 533228$ X-Tag: bulletin,bulk,false,email Content-Transfer-Encoding: 7bit X-Originating-IP: [126.96.36.199] X-Log-Id: 98700779571 Message-ID: <firstname.lastname@example.org>Precedence: List X-Gateway: c3poola1 Return-Path: email@example.com X-OriginalArrivalTime: 10 Dec 2011 11:21:30.0549 (UTC) FILETIME=[DD8F9E50:01CCB72D]
It seems that the following IP addresses are involved in this phishing attacks
IP Information for 188.8.131.52 which is originated from Russian Federation Moscow Cjsc Kolomna-sviaz Tv
IP Information for 184.108.40.206 belongs to United KingdomBt Public Internet Service
IP Information for 220.127.116.11 s from Japan Hyperbox Co. Ltd
Comments are most welcome