Spambots stealing GMail and Hotmail passwords?

I just received this mail from a friend:

Dear friend

Welcome to stwoxy.com ! We are one of the largest electronic distributors and wholesalers in Beijing China. We offer qualified digital products: Motorcycles?TVs, Notebooks, phones. PSP, projectors, GPS, DVD, DV, DC, MP3/4 and so on, which are of world famous brands, such as Sony, IBM, PHILIPS, NOKIA, DELL and so on. All our items are brand new from the manufactures and they come with 1-3 years’ after service. These days we are expanding our overseas market, and every item is sold in extremely low price. Such chances should never be missed, ladies and gentlemen, do come to stwoxy.com! you will surely have a big surprise! We are looking forward to hearing from you!

It was submitted to GMail over an HTTP connection (i.e. through the web interface), and was delivered from there with valid DKIM and DomainKeys signatures and a passing SPF check. In addition, it was sent to every address in his address book. In other words, this was no run-of-the-mill impersonation spam — for this one, the spammer somehow obtained my friend’s username and password, logged into GMail, scraped the address book, and sent the spam through GMail itself.
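The header triage described above, as an added example (not the post author's code): it reads a raw message, collects the SPF/DKIM/DomainKeys verdicts from the Authentication-Results header, and looks for the "Received: by <host> with HTTP" line that a webmail submission leaves behind, to separate a genuine account takeover from ordinary forged-sender spam. Both sample messages are constructed, and the exact header layouts are assumptions modelled on common practice.

```python
"""Triage a raw message: forged sender, or really sent from the victim's webmail
account?  Added example, not the post author's code; sample messages constructed."""
import email
import ipaddress
import re

# Constructed: the shape of the incident in the post. SPF/DKIM/DomainKeys all pass
# and the innermost Received line records a webmail (HTTP) submission.
SAMPLE_COMPROMISED = """\
Received: from mail-gw.example.net (mail-gw.example.net [192.0.2.10])
 by mx.victim-contact.example (Postfix) with ESMTP id 4F2A1
Received: by 10.181.32.14 with HTTP; Fri, 21 Dec 2007 09:12:00 -0800 (PST)
Authentication-Results: mx.victim-contact.example; spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.i=@gmail.com; domainkeys=pass header.from=gmail.com
From: Friend <friend@gmail.com>
Subject: Welcome to stwoxy.com

Dear friend
"""

# Constructed: ordinary forged-sender spam that never touched the provider.
SAMPLE_SPOOFED = """\
Received: from [198.51.100.77] (unknown [198.51.100.77])
 by mx.victim-contact.example (Postfix) with SMTP id 9C0B3
Authentication-Results: mx.victim-contact.example; spf=fail smtp.mailfrom=gmail.com;
 dkim=none
From: Friend <friend@gmail.com>
Subject: Welcome to stwoxy.com

Dear friend
"""


def auth_results(msg):
    """Collect spf/dkim/domainkeys verdicts from all Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|domainkeys)=(\w+)", hdr, re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def webmail_submission(msg):
    """Return the host from a 'Received: by <host> with HTTP' line, else None."""
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bby\s+(\S+)\s+with\s+HTTP\b", " ".join(hdr.split()), re.I)
        if m:
            return m.group(1)
    return None


def classify(raw):
    msg = email.message_from_string(raw)
    auth = auth_results(msg)
    host = webmail_submission(msg)
    passed = {k for k, v in auth.items() if v == "pass"}
    try:
        # A private-range host here (e.g. 10.x) is the provider's internal front end.
        private = ipaddress.ip_address(host).is_private
    except ValueError:
        private = False
    if {"spf", "dkim"} <= passed and host:
        # Signed by the provider and entered through its web UI: the account was used.
        verdict = "account-compromise"
    elif "pass" not in auth.values():
        verdict = "spoofed-sender"
    else:
        verdict = "inconclusive"
    return {"auth": auth, "submitting_host": host,
            "private_submit_ip": private, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("compromised", SAMPLE_COMPROMISED), ("spoofed", SAMPLE_SPOOFED)):
        print(name, classify(raw))
```

An "account-compromise" verdict means the credentials themselves were used, so the response is a password change plus a review of settings an attacker can persist in (forwarding, vacation responder, signature), not a mail-filter tweak.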

My friend says he didn’t access GMail using a desktop mail client, but did have his Google password saved in his web browser (a pretty typical configuration). My theory is that some virus/malware has infected his desktop machine, captured the saved-passwords file from the web browser configuration, and used that to log into GMail. Alternatively, it could also be a guessable username and password which was picked up via dictionary attack, I guess…

This is the first case I’ve heard of where spammers are actively stealing user account authentication tokens, in order to take over the accounts for spamming. (We’d long predicted it, of course, since it’s a natural response to “pay for mail” schemes… but since there’s no widely-used pay-for-mail system available yet, it’s premature!)

It seems this is not just a GMail thing, btw. Here’s a report of the same thing happening to some French guy via Hotmail last month (or in English). I don’t speak Dutch, but this forum post looks like it might be the same situation.

If you’re curious, here’s a copy of the spam, delivered to a Yahoo! group; it appears these spammers aren’t too sophisticated in terms of the text they’re sending, since they haven’t morphed that text, HTML, or even the domain in the link yet. It’s just the malware that’s sophisticated, at this stage.


44 Comments

  1. Posted December 21, 2007 at 18:01 | Permalink

    Another guess for where “they” got his credentials: One of the many sites that offers to scan your GMail contacts list and invite your friends. Only a matter of time until phishers start using that anti-pattern.

  2. hillu
    Posted December 21, 2007 at 18:54 | Permalink

    Various malware strains have been stealing passwords for some time now, some even leaking every POST request to their masters. The bad guys’ problem is that, this being the web, they need somebody to write code to process essentially free-form data for the different web services.

  3. Posted December 21, 2007 at 19:17 | Permalink

    “It’s just the malware that’s sophisticated, at this stage.”

    So I wonder if there’s an off-the-shelf app doing all the heavy lifting and being operated by semi-literate spammers.

  4. Posted December 21, 2007 at 19:35 | Permalink

    Yes, the Dutch one is the same case:

    Spam being sent from their hotmail account. They changed their password to one that hotmail says is very strong. Anti-Virus products didn’t find anything but anti-spyware tools found a bunch of stuff. The tools were unable to ‘repair’ 4 of the spyware infestations found (see original comment for list).

    None of that helped, because within days (at most) their Hotmail spam-sending problem apparently returned.

  5. Posted December 21, 2007 at 20:58 | Permalink
  6. Posted December 21, 2007 at 23:57 | Permalink

    Just noticed this on planet gnome: http://blogs.gnome.org/sudaltsov/2007/12/21/apologies/

  7. Posted December 24, 2007 at 01:28 | Permalink

    Justin, were you in Sergey’s GMail address book? Here he speculates how the attack happened: http://blogs.gnome.org/sudaltsov/2007/12/23/google-wtf/

  8. Posted December 28, 2007 at 17:00 | Permalink

    Padraig — no, this wasn’t Sergey I’m talking about.

    Bit of a mini-epidemic going on, from the sounds of things! Scary stuff.

    If it was only GMail, I’d surmise it might be something to do with the cross-site referrer forgery hole which was actively being exploited to steal accounts recently; but Hotmail and Y! Mail as well makes that unlikely to be it alone.

    @Donncha — yes, typically in most cases spamware and malware command+control is smart software being run by not-so-smart people ;) I’d say that’s the case here.

  9. Alice
    Posted January 12, 2008 at 10:22 | Permalink

    Are there any reports of a hotmail account being used as a ‘spambot’ to spam out to email addresses NOT in the contact list? i.e. generated emails addresses?

  10. Posted January 15, 2008 at 13:13 | Permalink

    Alice: I haven’t yet heard of that happening.

  11. Posted January 15, 2008 at 13:18 | Permalink

    This thread on the GMail-ABCs forum is full of people who this is happening to.

    One notes: ‘The spam message referred to a Chinese web site selling electronics – Electron Store at http://www.comobiletvupdate.com’. A new site to add to the list…

  12. Posted February 21, 2008 at 13:58 | Permalink

    Sergey’s case seems to have been the same company (or a related one):

    ‘My spam had first lines:

    We are a wholesaler which deal with electronic products, such as: Mobile,TV,PC,DV,DC,games,MP3 Even motorcycles and musical instruments. Delivering our items by EMS to our customers around the world, The link pointed to the site www dot ems dot com dot cn’

  13. John Hosken
    Posted April 8, 2008 at 09:41 | Permalink

    Hi

    I got the Beijing spam today, adorned with an eBay logo, oddly enough.

    I think it happened because, for the first time on Sunday, I set Hotmail to open the mailbox automatically. With luck, resetting the password and not setting the account so it asks for my password every time will fix this, unless they have downloaded all my contacts (unlikely, but not impossible). I have had dozens of bouncebacks, so many people’s spamcatchers are efficient and up to date. It’s not as bad as getting physically burgled, but it is annoying nonetheless, and the contacts who received the spam will think I am a bit of a fool, or worse, but hey – nobody died…

  14. mike
    Posted May 7, 2008 at 07:26 | Permalink

    My friend just got her Hotmail account compromised and all her contacts were sent a spam from her. It was a generic request to visit a European consumer electronics shop. The things that narrow her case down are these: she doesn’t use POP mail at all. She only uses web-based Hotmail. She works on only newer Macs. That kind of (but not completely) rules out a virus. Probably not a compromised browser. I’m wondering if a script ran a brute force attack on her password. They would have to know her login/email address from the start though. Judging from her password a brute force would take a few days. That seems like a lot of resources to dedicate to one crack and resulting in only one round of contact spamming.

  15. ice_cold_irony
    Posted May 22, 2008 at 16:41 | Permalink

    This has just happened to my Grandma…but on a PowerPC Mac Mini. Is there a way to fix this short of starting a new account? I really hope so, she’s 80 and easily confused. She uses Eudora I think, and if Mike’s friend is running an Intel Mac then it probably is web based.

  16. Posted May 23, 2008 at 10:02 | Permalink

    @ice_cold_irony – I think she can keep the existing account. Just change the password to something much harder to guess, and check all the settings (especially mail forwarding, password reminders, etc.) to ensure they’re not leaking info or set up to be a back door in future. I think you’ll have to help her there… ;)

  17. Hellodan
    Posted May 23, 2008 at 13:30 | Permalink

    I’ve had the same issue just begin yesterday. All computers have been scanned for viruses/spyware/malware, passwords changed to strong, I deleted my contacts list (and forgot to export it first so it’s all gone now :*( ) But hope that sorts it out.

    Only access Gmail through web, running on PCs, not many viruses or malware or spyware found. What I did find was a keylogger on one of my PCs. Hope this problem goes away soon. =/

    Since I store passwords for other things (website, other emails, forum accounts, etc) on Gmail as well, should I go and change them all? (there are SO many of them)

  18. Posted May 23, 2008 at 13:47 | Permalink

    @Hellodan – I would definitely recommend changing those passwords. Sorry :(

  19. Zoe Oliver
    Posted June 16, 2008 at 21:21 | Permalink

    The same thing just happened to me, emailing all of my work colleagues from my hotmail account. Spam began:

    Dear friend: We are an electronic products wholesale .Our products are of high quality and low price. If you want to do business , we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.

    My Hotmail password wasn’t easy and I was not set to login automatically… password still required every time. This is the SECOND time that this has happened… I have essentially just deleted all my Hotmail contacts and I will cease to use Hotmail.

    I read another theory that somehow they are exploiting inactive eBay accounts , or Facebook accounts.

    Does anyone know?

    Zoe

  20. ice_cold_irony
    Posted June 17, 2008 at 03:37 | Permalink

    It seems that it has nothing to do with your email account being compromised, at least in my Grandma’s case. It doesn’t harvest any contact info, it just puts your address as the Return Addy. For my Gram a couple of days after I posted this the Returns just dried up. Sputtered off over a few days. A girl I know had the same thing happen to her Hotmail account and again it just seemed to dry up. So it seems that someone has written a script to harvest email addresses from god knows where and when a spam filter rejects the message it comes back to you. How I explained it to my Gram: some weirdo is sending flyers out in the mail, but putting your address as the return; people say “this is junk”, stick it back in the mail, and it goes back to your house. Not an elegant explanation but it works for non-techies.

  21. Posted June 17, 2008 at 09:45 | Permalink

    @ice_cold_irony: that’s entirely different — what you’re talking about is called “backscatter”.

    http://spamlinks.net/prevent-secure-backscatter.htm

  22. João Correia
    Posted June 19, 2008 at 08:42 | Permalink

    People, I’ve just discovered the problem for this all.

    GMail has a “Vacation Mode”. Quoting: “sends an automated reply to incoming messages. If a contact sends you several messages, this automated reply will be sent at most once every 4 days”.

    This spambot turns that “Vacation Mode” ON. Somehow they were able to get my password to turn that ON!

    To fix this, change your Google Account password and then go to GMail Settings, General tab and turn Vacation Mode OFF. That’s all!

    PS: Sorry my English, not my first language :)

  23. Jerome
    Posted July 2, 2008 at 18:09 | Permalink

    This has happened to someone at work, vacation mode turned on and spam sent out as an auto-reply. Any info on how to prevent this from happening again?

  24. Bren808
    Posted July 14, 2008 at 00:04 | Permalink

    No, it’s not due to vacation mode and it’s not just a gmail issue because I just had it happen in my hotmail account without the vacation mode being touched.

  25. kc
    Posted July 25, 2008 at 17:04 | Permalink

    The following email was sent to my entire contact list today. A few email addresses I don’t recognize, but maybe I just don’t remember emailing them. All in the “To:” field. Nothing in the sent box.

    I don’t click on random links or share my password, or reset anything I didn’t initiate. I just did a spyware scan on my home machine yesterday and I use Ubuntu at work. I did use the import friends from Gmail thing on Facebook a few weeks ago, which requires entering your email and password, and presumably Facebook accessing your address book.

    Changed my password, not sure what else to do.

    ================

    Home | Products | Payment | Shipping | Contact us | News | Feedback | Register | Currency Converter

    Dear friend:

    We are an electronic products wholesale .Our products are of high quality and low price. If you want to do business , we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.

    Please visit our website: http://www.Store-168.com

    Email :Store0168@yahoo.com

    MSN : Store1.68@hotmail.com

    Looking forward to your contact and long cooperation with us! Our mainly products such the phones, PSP, display TV, notebook, video, computers, Mp4, GPS, xbox 360, digital cameras and so on. Welcome to visit our website!

  26. Theodore
    Posted October 6, 2008 at 00:55 | Permalink

    This incident happened on my Hotmail account. My antivirus discovered a trojan from a specific application (http://www.download.com/3642-20_4-3010990.html?sb=3) that I hadn’t used for days. Apart from that, I suspect 3rd party tools that we use to access messenger from, like Trillian, Agile Messenger and so on… Any thoughts on that?

  27. Gene
    Posted October 16, 2008 at 12:44 | Permalink

    I have received the email now… anybody know how to get rid of it?

  28. Jon
    Posted October 18, 2008 at 20:25 | Permalink

    My gmail just got hijacked, and I’m actually impressed since I’m very security conscious (always use https, don’t save passwords, use Firefox, etc.) – this is the first time anyone’s been able to hack any of my accounts.

    Some lamer just sent this spam to my entire addressbook promoting qqvok.com

    We are wholesale company which can offer you laptops, digital cameras, videos, GPS?cell phone, mp4, game console and many other electron products. We can offer you both highest quality products and best price. Also we could give you favorable discount if you order more. All of our products are brand new and original; if you need any help, please contact us.

    MSN: qqokv@hotmail.com / qqokv@yahoo.cn

    E-mail: qqokv@yahoo.cn

    How embarrassing. The surprising thing is the IP address was 10.181.32.14 which according to the RFCs is reserved. Weird.

    Be nice if the Chinese government tracked down the idiots responsible and put them up against the wall in their quaint, backwards, yet effective fashion…

  29. Steve
    Posted October 23, 2008 at 00:16 | Permalink

    Just had exactly the same problem with my hotmail account!

    Something or someone managed to turn Hotmail’s vacation mode on, sending out spam email to all contacts, promoting:

    “Heya,how are you doing recently ? I would like to introduce you a very good company which i knew.Their website is http://www.epurchasenet.com .They can offer you all kinds of electronical products which you need like laptops ,gps ,TV LCD,cell phones,ps3,MP3/4,motorcycles etc……..Please take some time to have a check ,there must be somethings you ‘d like to purchase . Their contact email: epurchasenet@188.com. MSN: e_purchasenet@hotmail.com Hope you have a good mood in shopping from their company !”

    Like other comments above I regard myself as quite security conscious. Using Firefox 3 on a brand new Intel iMac. Cannot work out what it could be, Norton Antivirus comes up with negative scans and this Mac is only a week old, not visited any warez websites or downloaded anything dodgy. This seems very strange. Need to find a solution.

    In case anyone’s interested, Hotmail traced the source IP as 60.10.209.218, which WHOIS traces to Asia.

  30. Alan
    Posted November 13, 2008 at 15:08 | Permalink

    I have had my hotmail account hacked today in the same fashion. I can’t believe that I have trawled the internet and NO one can find a straight answer with evidence as to what this is. I have done virus scans with Avast which have found nothing. I have changed my hotmail password but am wondering is this going to happen again?

    Can anyone shed any more light on this?

    Thanks

  31. Zoe
    Posted November 13, 2008 at 17:41 | Permalink

    Alan: It happened to me twice through my hotmail account: once on a PC and once on a Mac. It was embarrassing as it sent the email to my superiors at work, students, etc…

    I am not extremely literate, but like you, I could not find a solution on the internet. Talking to the techies at my computer store, the two pieces of advice I got were: 1) Change your Hotmail password to something really difficult to hack OR 2) Delete your Hotmail account altogether. I couldn’t really do this entirely as it would have been a logistical nightmare, so instead I opened a more secure Mac email account, and deleted all the contacts from my Hotmail after transferring them to the Mac. No problems since.

    Good luck.

  32. kevin
    Posted November 14, 2008 at 19:19 | Permalink

    I had the same spam problem two times this week. A “wholesaler” spam message was sent from my Hotmail account to all my contacts in my Hotmail contact list. Very embarrassing.

    Now here’s something interesting…

    1. I use Outlook to access my hotmail, I’m not using webmail. So, at the time of sending my Outlook was open.
    2. I opened the website http://www.opensubtitles.org at the same time the e-mail was sent. Twice.

    For me it is obvious that opening this specific website, or any JavaScript or banner ad on it, is the cause of the spam e-mail. But some weeks before, opening opensubtitles.org was not a problem. Where is the root cause then?

  33. Posted December 13, 2008 at 23:25 | Permalink

    To you all, avoiding identity and password theft is easy. Complex and different passwords should be used for all accounts. Also we should keep in practice changing our passwords every week or every fortnight. For these use a safe password manager. I use a safe and secure password manager like EXQUIPASS to remember those complex passwords for me. I prefer Exquipass since it is straight forward and secure. Link for this is: http://www.exquisysltd.com/productinfo.php?p=DA01EX With a tool like Exquipass, you can leave your password file everywhere, nobody will be able to get your passwords even if it is left on your computer. It strongly encrypts all your sensitive data. Carry your password files everywhere you want or leave it anywhere you want, your sensitive credential details will always be safe. Don’t let hackers gain over you!!!

  34. l
    Posted April 1, 2009 at 02:41 | Permalink

    Got the same issue here, on the Hotmail account. It is an unguessable generated password. I am pretty security conscious. No idea how it was guessed.

    Heya,how are you doing recently ? I would like to introduce you a very good company which i knew.Their website is .They can offer you all kinds of electronical products which you need like laptops ,gps ,TV LCD,cell phones,ps3,MP3/4,motorcycles etc……..Please take some time to have a check ,there must be somethings you ‘d like to purchase .

    My guess: maybe the provider is compromised. Hotmail, Google or Yahoo employees/contractors leaked out a lot of accounts. Is that possible?

  35. krish
    Posted April 16, 2009 at 22:30 | Permalink

    It’s happened to my friend’s Hotmail account. The mail was sent to all his Hotmail address book members. Any solutions to prevent this?

  36. baltimore
    Posted May 8, 2009 at 22:23 | Permalink

    It happened to me today with Yahoo mail. Hundreds of mails sent with similar message. It took over both vacation message AND the signature page. I did not have vacation turned on. I have an antivirus and spyware scanner running constantly (ZoneAlarm) and it didn’t catch it (although there is a similar email quarantined under phishing, it still let it run; I think this came in this morning). I changed the password and deleted all the files and it seems to be ok for the rest of the day but I have no confidence in it staying spam free. And I do not like entering my email in this site…

  37. cart
    Posted May 12, 2009 at 11:01 | Permalink

    Hi–

    I set Hotmail to open the mailbox automatically. With luck, resetting the password and not setting the account so it asks for my password every time will fix this, unless they have downloaded all my contacts (unlikely, but not impossible). I have had dozens of bouncebacks, so many people’s spamcatchers are efficient and up to date.

    cart Hotmail

  38. martin
    Posted May 21, 2009 at 16:24 | Permalink

    I’ve just had the same thing happen.

    “Dear friend: how are you doing recently ? I would like to introduce you a very good company which i knew.They can offer you all kinds of electronical products which you need, such as motorcycles, laptops, mobile phones, digial cameras, TV LCD, xbox, ps3, gps, MP3/4, etc. Please take some time to have a look at it,there must be something you’d like to purchase. the website: shop-2009.com Their Email: shop09@188.com Hope you have a good mood in shopping from their company!”

    I’ve just changed my password and deleted almost all of my contacts so that nothing more gets sent to them. Any other or better ideas?

  39. Sandy
    Posted July 2, 2009 at 16:08 | Permalink

    Here is their site registration info. I can’t believe this has been going on for two years from the same group.

    Domain Name: GROUPSALE.NET
    Registrar: XIN NET TECHNOLOGY CORPORATION
    Whois Server: whois.paycenter.com.cn
    Referral URL: http://www.xinnet.com
    Name Server: NS.XINNET.CN
    Name Server: NS.XINNETDNS.COM
    Status: ok
    Updated Date: 29-jun-2009
    Creation Date: 29-jun-2009
    Expiration Date: 29-jun-2010

  40. Dee Lucas
    Posted August 31, 2009 at 20:05 | Permalink

    So does anyone have a fix for this? I noticed in my hotmail that when I click on new in Hotmail it opens up a message with the ‘spam’ message it sent out as the content.

    D

  41. Dee Lucas
    Posted August 31, 2009 at 20:08 | Permalink

    Ok, it had added the message as a signature, which I have now removed, but no saying it won’t happen again.

  42. Tanya
    Posted September 15, 2009 at 14:19 | Permalink

    Has anyone thought of suing??

  43. Tanya
    Posted September 15, 2009 at 14:20 | Permalink

    HAS ANYONE THOUGHT OF SUING???

  44. Odie
    Posted October 6, 2009 at 11:24 | Permalink

    Maybe we should just flood ping that site they mentioned to death. If it dies, then there will be no point in spamming us with that site again.