How Did my Hotmail get Hacked?

GroupDIY Audio Forum

thermionic

Hi,

I was pretty horrified to find today that everyone in my Hotmail contact list has been sent an email, supposedly from me, offering them Viagra. Although there's no danger they'll think I'm behind it (well, the music business has had better times...) I feel pretty embarrassed. It looks like I must be an idiot to let my account get hacked...

I've never responded to a 'phishing' email. I've never given my password to anyone. I always log in via a secure link, ensuring the padlock is in the corner of the screen. When I log in via the mobile, I always use a secure connection. My AV software doesn't say my machine is contaminated. I have multiple firewalls - soft and hardware.

So, how did I get hacked? Google suggests this is common, in exactly the same way. I've changed password. How did they do it?

Justin
 
I use a program called PeerBlock that blocks any IP addresses pinging your computer... prospective hackers sometimes, but usually information bots, trying to see what you're looking up for commercial or whatever purposes.

Interestingly enough it tells you who is looking at your computer and things like Korea and China and Cambodia governments seem to come up quite often...

I don't know if it's just me (I hope not!) but it seems these governments are making the most of the web...
 
Who is to say they hacked your e-mail only? For all intents and purposes they could have just stolen your email address and generated an e-mail with that address and sent it out... I have seen it done before. In fact I have gotten a few Viagra e-mails from my email to me. Go figure. I don't know how to fix it but it is common.
 
The fact that somebody else got a mail that looks like it comes from your address, doesn't necessarily mean somebody was inside your mail account. There used to be ways to make it look as if you (or whoever) were the sender, not so sure if it's still that easy nowadays...
 
Same here.
Same people selling viagra....
Send e-mails to me the same way.

Don't know what to do.

Thanks.
 
My Yahoo account got hacked. Luckily I noticed it after only one email was sent. It wasn't just a header, I saw the message in my outbox.

I changed every one of my passwords after that. eBay, PayPal, forums, Facebook, Flickr, etc. Better sort of safe than sorry.
 
The emails were in my 'sent' box - it was a proper hack job. Another 2 suspicions:

I changed mobile provider recently and have started, for the first time in 7 yrs, getting spam texts - offering viagra etc. Maybe the newer Three mobile is less scrupulous than previous firm?

Most websites make me 'sign up' for a membership to buy one-off items these days. I may have used same pword for one of these... If they hack the database, there's a strong chance many users have same pword for email as site... I have different pwords for my credit cards etc - but I don't put much effort into ones for one-off sales. I think the policy stinks - I just want a one-off buy, not a 'membership'.

J

 
There are some nasty hacks out there these days... One I've been learning about is the XSS vulnerability. XSS is cross site scripting, and most of the places that you go every day are vulnerable. Stop Google searching for starters, as that opens you up to everything. I use Scroogle as a proxy for my Google searches now. The problem that I see a lot is that nobody hosts their own advertising, so they are not in control of scripts that are being presented from their page. Doesn't take much to get malicious code running on your machine that can grab all of your transactions.

My current solution is to run Windows Virtual Machines for different online activities, one for searching and general surfing, one for banking and secure transactions, one for 'other' stuff.  If anything looks suspicious you can blow away the virtual machine and create a new one painlessly. The different machines don't have any awareness of each other and cannot share code. Your real machine is safe as long as you have not surfed with it or read email, and are careful with file transfers.

The waters are full of sharks and the corporations are feeding them as they seek to monetize your surfing.
 
> mail that looks like it comes from your address, doesn't necessarily mean somebody was inside your mail account.

No, probably someone WAS "at his desk":

> everyone in my Hotmail contact list

Either the account password was guessed; or someone had a copy of an email to "all my friends".

Something like that happened to a friend's gMail last week. "Chris" sent me:
I have good news for you. Last week
I have Order china 6 Products Philips 52PFL9703D/10 LCD TV 52
w e b: XXXXXXX.XXX I have received the product!
It's amazing! The item is original, brand new and has high quality,
but it's muc cheaper. I'm pleased to share this good news with you!

I knew this could not be Chris--- he's too-too nice, he can spell english good as me, he's not a gear-freak, and he hardly uses email. He certainly would not CC me on any mass-mailing which might have fallen into the wrong hands. Someone got into his gMail and used his address-book. I advised him to change his password.

> There used to be ways to make it look as if you (or whoever) were the sender, not so sure if it's still that easy nowadays...

It is mechanically trivial.

When you put paper-mail in the post-box, do they check what is on the return address?

Even when we had mail-bombs, and package senders had to show ID, that ID did not have to match the return address on the package. (You could be mailing it for your mom, or your boss.)

email is about the same. These days you generally need credentials to put mail into a mail server (when sending, your emailer logs-in with user-ID and password) but the FROM can be whatever you want.

(Some mail-servers will note the login ID in a special header; OTOH headers can be forged.)

"Normal" mail clients like ThunderBird, Outlook, Eudora, Mac Mail, pine, et al, streamline your account setup with the assumption that you will "honestly" set the FROM equal to the account info. Obviously specialized spam software takes TO and FROM and SUBject and body from files, not from setup data.
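An added example, not part of the post above: a recipient-side check that separates a forged FROM from mail that really went out through the sender's provider (the case where the spam sits in the Sent folder). The messages and all `.example` domains are constructed, and `assess_sender` and `domain_of` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); every domain is a placeholder.
FORGED = """\
Return-Path: <bulk@mailer.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=mailer.example;
 dkim=none;
 dmarc=fail header.from=webmail.example
From: Justin <justin@webmail.example>
Subject: good news

body
"""

FROM_ACCOUNT = """\
Return-Path: <justin@webmail.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=webmail.example;
 dkim=pass header.d=webmail.example;
 dmarc=pass header.from=webmail.example
From: Justin <justin@webmail.example>
Subject: good news

body
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def assess_sender(raw):
    """Compare the visible From with the envelope sender and auth results."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    # Trust Authentication-Results only when your own receiving server added it;
    # like any header, a copy supplied by the sender can be forged.
    auth = msg.get("Authentication-Results", "")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    if results.get("dmarc") == "pass":
        verdict = "sent-via-from-domain"  # went through the provider: suspect the account
    elif from_dom != env_dom or results.get("dmarc") == "fail":
        verdict = "from-likely-forged"    # exact-match comparison, a simplification
    else:
        verdict = "unverified"
    return {"from": from_dom, "envelope": env_dom, "auth": results, "verdict": verdict}
```
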
 
If Hotmail freezes you out after 5 attempts, how could a piece of software generate the right code? Mine was 8 characters long - what's the probability there?

A much more plausible explanation is that one of the sites I 'joined' (i.e. I bought something from them, and they *forced* me to 'join' their site to process my order) got hacked. The bot harvested my email and password, and then tried my email, on the basis that my pword *might* be the same. I'd never use the same pword for my financial stuff, but I have a 'general' password for non-financial sites such as forums.

A pet supplies site my mother 'joined' a while back got hacked. All her friends, me included, got emails supposedly from her (unlike my situation, where the emails were actually in my hotmail sent folder). I could prove it was the pet supplies site 100%.

J
 
Any site that has a password sent in a non-encrypted fashion will be subject to visibility by any network interfaces that are on the route between host and destination.

If any system in that path has been compromised such that a network interface can be placed in promiscuous mode, any traffic that hits the network interface is available for viewing.

In essence they don't need to guess your password, they captured you entering it.

Or so I read in a spy novel once, as I don't know anything about computers  :p
 
A lot of people like to broadcast all their network activity to anyone in the surrounding area by using unencrypted wi-fi links. Not saying you're one of them, just that this is a common way of stealing login details and other data. Look at the trouble Google got in with their monitoring of wi-fi connections from Street View vehicles.

Wireless keyboards can be a risk too because on most of them the key stroke data can't be encrypted even if you want to. Every time you type a password or credit card number on one of these you're broadcasting the key strokes.
 
Does Hotmail actually freeze you out after five attempts, or does it just present you with a CAPTCHA? There are automated scripts now that can read these, so they're not really a defense against password guessing programs. A really strong password improves your chances considerably.
 
IIRC, Hotmail freezes you out for 24 hours.

I use WEP encryption for home wireless. I never log in without a padlock symbol.

The firm doing the spamming had a dot.ar (Argentina) address. Unless anyone's got a better idea, I reckon this is due to a 'membership' being hacked at a website where I was clumsy enough to use the same pword as my email addy. Only today, I wanted to buy some running shoes and a firm wanted me to sign up for a 'membership'. I'm getting really sick of this. I just want to pay and get out of there. Next time I'll just find another firm to buy from.

My second suspicion would be a mobile thing; I never got spam texts until I joined Three...I don't trust  them.

J
 
thermionic said:
> Unless anyone's got a better idea, I reckon this is due to a 'membership' being hacked at a website where I was clumsy enough to use the same pword as my email addy.

That sounds quite possible. I never use an important password for that kind of thing. I routinely use unique email addresses when I sign up to online shopping sites, and quite often I suddenly start getting unrelated spam sent to those addresses. This is either because there are so many compromised computers in firms these days, or there are employees who see nothing wrong in earning a bit of extra cash from selling their employers' email lists to spammers.

No matter how careful you are, you are still relying on anyone receiving your data to be just as careful with it as you are. Unfortunately that isn't something you can take for granted.
 
My wife's was just hacked also.
She used it for a general purpose email box so she just canceled it.
Hotmail and yahoo used to get hacked into by a virus on your pc looking at your password and sending it home.
Now they are getting hacked directly.
 
Guess what? It got hacked again. It doesn't appear that anyone got spammed this time. I suspect they were looking to harvest personal info, so am a little worried.

I'm not sure how I could've made a more complex password. It had underscores and a combination of letters / numerals. I recently listened to a programme on email hacking. Apparently, the software (which is perfectly legal to sell...) can hack any password in under 2 seconds.

Why is Hotmail so vulnerable? I repeatedly ask again (no one could answer this...): if other companies freeze you out after several attempts, why can the hackers who target Hotmail obtain several billion attempts?

From what I learnt on the radio programme, no password can stop them. The software will throw any character permitted into a string until it works.

At some point I'll just cancel my 10 year old Hotmail account. It's just too stressful.
 