Phishing attacks towards Hotmail users today

Everybody realizes that people are stressed before long holidays, and this fact is also known to people who try to get richer by fooling innocent ordinary users.

A friend of mine called me and asked me about an email she got today from “hotmail”. I found this email was a new “phishing” attack. The email was sent by and requested the Hotmail user to correct some necessary personal data by clicking a link (picture 1).

(Picture 1) Phishing attack to Hotmail users, Dec. 10 2011

If you received such an email then you should just delete it without doing anything.

You are welcome to continue reading if you are interested in more information about this “phishing” attack.

The link shows:

but the real URL leads to the following web page

(Picture 2) Phishing attack to Hotmail users, Dec. 10 2011

and the user gets something pretty much like the Microsoft Live web page (Picture 2):

Since the user is requested to log on and correct the information, the sign-in procedure goes directly to


Now the user’s userid and password for Hotmail are compromised.

Here are some more details about this phishing attack:

Authentication-Results:; sender-id=temperror (sender IP is; dkim=none>; x-hmca=none
X-Message-Status: n:0:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: NhFq/7gR1vRIrLRdm91QQUAEFk+Mrrr5vfoyCMSpgYSN55t6ndSz/S502EUwmlWPIU0E8nLQPnVpGI8MNgou75PUMv4hQHt313Ypu0CQIVwtLMjk/wD+jnuaZYdnm8Us
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.4900);
Sat, 10 Dec 2011 03:21:30 -0800
Received: from localhost (localhost [])
by (Postfix) with ESMTP id 8DFEA6D002
for <……>; Sat, 10 Dec 2011 20:21:29 +0900 (JST)
Received: from DTI-Autodesk.dtillc.local (unknown [])
by (Postfix) with ESMTP id 224806D009
for <……>; Sat, 10 Dec 2011 20:21:28 +0900 (JST)
X-Binding: red
type: birthday
Subject: *WindowsLive*: E-mail Alert! Dec 10 , 2011
X-Verification: Verified by
Date: Sat, 10 Dec 2011 05:21:24 Central Standard Time
XData: 1010,449yQQ4@Qy94@K9t9@i-Wwjq-e
X-ConvioDeliveryGroup: poola
x-virtual-mta: vmta04
To: … (is changed by me intentionally)
X-Priority: 1
Content-Type: text/html
X-PHP-Script: for
X-EMV-MemberId: 126505126$
X-Mailer-Revision: 100
Mime-Version: 1.0
X-EMV-CampagneId: 533228$
X-Tag: bulletin,bulk,false,email
Content-Transfer-Encoding: 7bit
X-Originating-IP: []
X-Log-Id: 98700779571
Message-ID: <>
Precedence: List
X-Gateway: c3poola1
X-OriginalArrivalTime: 10 Dec 2011 11:21:30.0549 (UTC) FILETIME=[DD8F9E50:01CCB72D]

It seems that the following IP addresses are involved in this phishing attack:

IP Information for which originates from Russian Federation, Moscow, Cjsc Kolomna-sviaz Tv
IP Information for belongs to United Kingdom, Bt Public Internet Service
IP Information for is from Japan, Hyperbox Co. Ltd
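
The header review described above, as an added example that is not code from the original post: it reads the Received chain oldest hop first, collects the bracketed IP addresses worth a whois lookup, and flags the sender-id and dkim results. The relay names and IP addresses in SAMPLE are constructed placeholders, since the real ones are not shown on this page.

```python
import email
import ipaddress
import re

# Constructed sample following the header layout quoted above. Relay names and
# IP addresses are placeholders (example.* / RFC 5737), not the real values.
SAMPLE = """\
Authentication-Results: mx.example.net; sender-id=temperror (sender IP is 192.0.2.10) header.from=alert@example.org; dkim=none header.d=example.org; x-hmca=none
Received: from relay.example.jp ([192.0.2.10]) by mx.example.net with Microsoft SMTPSVC(6.0.3790.4900);
 Sat, 10 Dec 2011 03:21:30 -0800
Received: from localhost (localhost [127.0.0.1])
 by relay.example.jp (Postfix) with ESMTP id 8DFEA6D002
 for <user@example.net>; Sat, 10 Dec 2011 20:21:29 +0900 (JST)
Received: from DTI-Autodesk.dtillc.local (unknown [198.51.100.7])
 by relay.example.jp (Postfix) with ESMTP id 224806D009
 for <user@example.net>; Sat, 10 Dec 2011 20:21:28 +0900 (JST)
Subject: *WindowsLive*: E-mail Alert! Dec 10 , 2011
X-Originating-IP: [203.0.113.5]
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(sender-id|spf|dkim|dmarc)=(\w+)")

def triage(raw):
    """Return (hops oldest-first, non-loopback IPs, findings) for raw headers."""
    msg = email.message_from_string(raw)
    hops, ips, findings = [], [], []
    # Each server prepends its Received line, so reverse to read origin first.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        src = re.match(r"from (\S+)", flat)
        dst = re.search(r"\bby (\S+)", flat)
        hops.append((src.group(1) if src else None, dst.group(1) if dst else None))
        ips += IP_RE.findall(flat)
    ips += IP_RE.findall(msg.get("X-Originating-IP", ""))
    # Keep order, drop duplicates and loopback hops that say nothing about origin.
    seen = [ip for i, ip in enumerate(ips)
            if ip not in ips[:i] and not ipaddress.ip_address(ip).is_loopback]
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for method, result in AUTH_RE.findall(auth):
        if result != "pass":
            findings.append(f"{method}={result}")
    if hops and hops[0][0] and hops[0][0].endswith(".local"):
        findings.append("first hop announces an internal (.local) host name")
    return hops, seen, findings

if __name__ == "__main__":
    for part in triage(SAMPLE):
        print(part)
```

Only the Received line written by your own mail provider is trustworthy; earlier hops and X-Originating-IP are supplied by the sending side and can be forged.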

Comments are most welcome

