I just received this mail from a friend:
Dear friend
Welcome to stwoxy.com ! We are one of the largest electronic distributors and wholesalers in Beijing China. We offer qualified digital products: Motorcycles?TVs, Notebooks, phones. PSP, projectors, GPS, DVD, DV, DC, MP3/4 and so on, which are of world famous brands, such as Sony, IBM, PHILIPS, NOKIA, DELL and so on. All our items are brand new from the manufactures and they come with 1-3 years’ after service. These days we are expanding our overseas market, and every item is sold in extremely low price. Such chances should never be missed, ladies and gentlemen, do come to stwoxy.com! you will surely have a big surprise! We are looking forward to hearing from you!
It was sent from an HTTP connection into GMail, and was delivered from there with valid DKIM, DomainKeys and SPF signatures. In addition, it was sent to every address in his address book. In other words, this was no run-of-the-mill impersonation spam — for this one, the spammer obtained my friend’s username and password somehow, logged into GMail, scraped the address book, and then sent the spam through GMail itself.
My friend says he didn’t access GMail using a desktop mail client, but did have his Google password saved in his web browser (a pretty typical configuration). My theory is that some virus/malware has infected his desktop machine, captured the saved-passwords file from the web browser configuration, and used that to log into GMail. Alternatively, it could also be a guessable username and password which was picked up via dictionary attack, I guess…
This is the first case I’ve heard of where spammers are actively stealing user account authentication tokens, in order to take over the accounts for spamming. (We’d long predicted it, of course, since it’s a natural response to “pay for mail” schemes… but since there’s no widely-used pay-for-mail system available yet, it’s premature!)
It seems this is not just a GMail thing, btw. Here’s a report of the same thing happening to some French guy via HotMail last month (or in English). I don’t speak Dutch, but this forum post looks like it might be the same situation.
If you’re curious, here’s a copy of the spam, delivered to a Yahoo! group; it appears these spammers aren’t too sophisticated in terms of the text they’re sending, since they haven’t morphed that text, HTML, or even the domain in the link yet. It’s just the malware that’s sophisticated, at this stage.
44 Comments
Another guess for where “they” got his credentials: One of the many sites that offers to scan your GMail contacts list and invite your friends. Only a matter of time until phishers start using that anti-pattern.
Various malware strains have been stealing passwords for some time now, some even leaking every POST request to their masters. The bad guys’ problem is that, this being the web, they need somebody to write code to process essentially free-form data for the different web services.
“It’s just the malware that’s sophisticated, at this stage.”
So I wonder if there’s an off the shelf app doing all the heavy lifting and being operated by semi-literate spammers..
Yes, the dutch one is same case:
Spam being sent from their hotmail account. They changed their password to one that hotmail says is very strong. Anti-Virus products didn’t find anything but anti-spyware tools found a bunch of stuff. The tools were unable to ‘repair’ 4 of the spyware infestations found (see original comment for list).
None of that helped, cause within days (at most) their hotmail spam-sending problem apparently returned.
Think this is another example- Yahoo mail. http://www.boards.ie/vbulletin/showthread.php?p=54711833#post54711833
Just noticed this on planet gnome: http://blogs.gnome.org/sudaltsov/2007/12/21/apologies/
Justin were you in Sergey’s gmail address book? Here he speculates how the attack happened: http://blogs.gnome.org/sudaltsov/2007/12/23/google-wtf/
Padraig — no, this wasn’t Sergey I’m talking about.
Bit of a mini-epidemic going on, from the sounds of things! scary stuff.
If it was only GMail, I’d surmise it might be something to do with the cross-site referrer forgery hole which was actively being exploited to steal accounts recently; but Hotmail and Y! Mail as well makes that unlikely to be it alone.
@Donncha — yes, typically in most cases spamware and malware command+control is smart software being run by not-so-smart people ;) I’d say that’s the case here.
Are there any reports of a hotmail account being used as a ‘spambot’ to spam out to email addresses NOT in the contact list? i.e. generated emails addresses?
Alice: I haven’t yet heard of that happening.
This thread on the GMail-ABCs forum is full of people who this is happening to.
One notes: ‘The spam message referred to a Chinese web site selling electronics – Electron Store at http://www.comobiletvupdate.com‘. a new site to add to the list….
Sergey’s case seems to have been the same company (or a related one):
‘My spam had first lines:
We are a wholesaler which deal with electronic products, such as: Mobile,TV,PC,DV,DC,games,MP3 Even motorcycles and musical instruments. Delivering our items by EMS to our customers around the world, The link pointed to the site www dot ems dot com dot cn’
Hi
I got the Beijing spam today, adorned with an eBay logo, oddly enough.
I think it happened because, for the first time on Sunday, I set Hotmail to open the mailbox automatically. With luck, resetting the password and not setting the account so it asks for my password every time will fix this, unless they have downloaded all my contacts (unlikely, but not impossible). I have had dozens of bouncebacks, so many people’s spamcatchers are efficient and up to date. It’s not as bad as getting physically burgled, but it is annoying nonetheless, and the contacts who received the spam will think I am a bit of a fool, or worse, but hey – nobody died…
My friend just got her hotmail account compromised and all her contacts were sent a spam from her. It was a generic request to visit a European consumer electronics shop. The things that narrows her case down are these: She doesn’t use pop mail at all. She only uses web based hotmail. She works on only newer macs. That kind of (but not completely) rules out a virus. Probably not a compromised browser. I’m wondering if a script ran a brute force attack on her password. They would have to know her login/email address from the start though. Judging from her password a brute force would take a few days. That seems like a lot of resources to dedicate to one crack and resulting in only one round of contact spamming.
This has just happened to my Grandma…but on a PowerPC Mac Mini. Is there a way to fix this short of starting a new account? I really hope so, she’s 80 and easily confused. She uses Eudora I think, and if Mike’s friend is running an Intel Mac then it probably is web based.
@ice_cold_irony – I think she can keep the existing account. Just change the password to something much harder to guess, and check all the settings (especially mail forwarding, password reminders, etc.) to ensure they’re not leaking info or set up to be a back door in future. I think you’ll have to help her there… ;)
I’ve had the same issue just begin yesterday. All computers have been scanned for viruses/spyware/malware, passwords changed to strong, i deleted my contacts list (and forgot to export it first so its all gone now :*( ) But hope that sorts it out.
Only access Gmail through web, running on PCs, not many viruses or malware or spyware found. What i did find was a keylogger on one of my pcs. Hope this problem goes away soon. =/
Since i store passwords for other things (website, other emails, forum accounts, etc) on gmail as well, should i go and change them all? (there are SO many of them)
@Hellodan – I would definitely recommend changing those passwords. Sorry :(
The same thing just happened to me, emailing all of my work colleagues from my hotmail account. Spam began:
Dear friend: We are an electronic products wholesale .Our products are of high quality and low price. If you want to do business , we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.
My hotmail password wasn’t easy and I was not set to login automatically..password still required every time. This is the SECOND time that this has happened….I have essentially just deleted all my Hotmail contacts and I will cease to use hotmail.
I read another theory that somehow they are exploiting inactive eBay accounts , or Facebook accounts.
Does anyone know?
Zoe
It seems that it has nothing to do with your email account being compromised, at least in my Grandma’s case. It doesn’t harvest any contact info, it just puts your address as the Return Addy. For my Gram a couple of days after I posted this the Returns just dried up. Sputtered off over a few days. A girl I know had the same thing happen to her Hotmail account and again it just seemed to dry up. So it seems that someone has written a script to harvest email addresses from god knows where and when a spam filter rejects the message it comes back to you. How I explained it to my Gram, some weirdo is sending flyers out in the mail, but putting your address as the return, people say “this is junk” stick it back in the mail, and it goes back to your house. Not an elegant explanation but it works for non techies.
@ice_cold_irony: that’s entirely different — what you’re talking about is called “backscatter”.
http://spamlinks.net/prevent-secure-backscatter.htm
People, I’ve just discovered the problem for this all.
GMail has a “Vacation Mode”. Quoting: “sends an automated reply to incoming messages. If a contact sends you several messages, this automated reply will be sent at most once every 4 days”.
This spambot turns that “Vacation Mode” ON. Somehow they were able to get my password to turn that ON!
To fix this, change your Google Account password and then go to GMail Settings, General tab and turn Vacation Mode OFF. That’s all!
PS: Sorry my English, not my first language :)
This has happened to someone at work, vacation mode turned on and spam sent out as an auto-reply. Any info on how to prevent this from happening again?
No, it’s not due to vacation mode and it’s not just a gmail issue because I just had it happen in my hotmail account without the vacation mode being touched.
The following email was sent to my entire contact list today. A few email addresses I don’t recognize, but maybe I just don’t remember emailing them. All in the “To:” field. Nothing in the sent box.
I don’t click on random links or share my password, or reset anything I didn’t initiate. I just did a spyware scan on my home machine yesterday and I use Ubuntu at work. I did use the import friends from Gmail thing on Facebook a few weeks ago, which requires entering your email and password, and presumably Facebook accessing your address book.
Changed my password, not sure what else to do.
================
Home | Products | Payment | Shipping | Contact us | News | Feedback | Register | Currency Converter
Dear friend:
We are an electronic products wholesale .Our products are of high quality and low price. If you want to do business , we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.
Please visit our website: http://www.Store-168.com
Email :[email protected]
MSN : [email protected]
Looking forward to your contact and long cooperation with us! Our mainly products such the phones, PSP, display TV, notebook, video, computers, Mp4, GPS, xbox 360, digital cameras and so on. Welcome to visit our website!
This incident happened on my Hotmail account. My antivirus discovered a trojan from a specific application (http://www.download.com/3642-20_4-3010990.html?sb=3) that i hadn’t used for days. Apart from that, i suspect 3rd party tools that we use to access messenger from, like trillian, agile messenger and so on… Any thoughts on that?
I have received the email now,,,any body knows how to get rid of it?
My gmail just got hijacked, and I’m actually impressed since I’m very security conscious (always use https, don’t save passwords, use Firefox, etc.) – this is the first time anyone’s been able to hack any of my accounts.
Some lamer just sent this spam to my entire addressbook promoting qqvok.com
We are wholesale company which can offer you laptops, digital cameras, videos, GPS?cell phone, mp4, game console and many other electron products. We can offer you both highest quality products and best price. Also we could give you favorable discount if you order more. All of our products are brand new and original; if you need any help, please contact us.
MSN: [email protected] / [email protected]
E-mail: [email protected]
How embarrassing. The surprising thing is the IP address was 10.181.32.14 which according to the RFCs is reserved. Weird.
Be nice if the Chinese government tracked down the idiots responsible and put them up against the wall in their quaint, backwards, yet effective fashion…
Just had exactly the same problem with my hotmail account!
Something or Someone managed to turn hotmails vacation mode on, Sending out SPAM email sent to all contacts, Promoting
“Heya,how are you doing recently ? I would like to introduce you a very good company which i knew.Their website is http://www.epurchasenet.com .They can offer you all kinds of electronical products which you need like laptops ,gps ,TV LCD,cell phones,ps3,MP3/4,motorcycles etc……..Please take some time to have a check ,there must be somethings you ‘d like to purchase . Their contact email: [email protected]. MSN: [email protected] Hope you have a good mood in shopping from their company !”
like other comments above i regard myself as quite security conscious. Using Firefox 3 on Brand New Intel iMac. Cannot work out what it could be, Norton Antivirus comes up with negative scans and this mac is only a week old, not visited any warez websites or downloaded anything dodgy. This seems very strange. Need to find a solution.
In case anyone’s interested, Hotmail traced the source IP as 60.10.209.218, which Whois traces to Asia.
I have had my hotmail account hacked today in the same fashion. I can’t believe that I have trawled the internet and NO one can find a straight answer with evidence as to what this is. I have done virus scans with Avast which have found nothing. I have changed my hotmail password but am wondering is this going to happen again?
Can anyone shed any more light on this?
Thanks
Alan: It happened to me twice through my hotmail account: once on a PC and once on a Mac. It was embarrassing as it sent the email to my superiors at work, students, etc…
I am not extremely literate, but like you, I could not find a solution on the internet. Talking to the tekkies at my computer store, the two pieces of advice I got were: 1) Change your hotmail password to something really difficult to hack OR 2) Delete your hotmail account altogether. I couldn’t really do this entirely as it would have been a logistical nightmare, so instead I opened a more secure mac email account, and deleted all the contacts from my hotmail after transferring them to the mac. No problems since.
Good luck.
I had the same spam-problem two times this week. A “wholesaler” spam message was sent from my hotmail-account to all my contacts in my hotmail contact list. Very embarrassing.
Now here something interesting…
For me it is obvious that opening this specific website, or any javascript or banner-add is the cause of the spam e-mail. But some weeks before, opening opensubitles.org was not a problem. Where is the root cause then?
To you all, avoiding identity and password theft is easy. Complex and different passwords should be used for all accounts. Also we should keep in practice changing our passwords every week or every fortnight. For these use a safe password manager. I use a safe and secure password manager like EXQUIPASS to remember those complex passwords for me. I prefer Exquipass since it is straight forward and secure. Link for this is: http://www.exquisysltd.com/productinfo.php?p=DA01EX With a tool like Exquipass, you can leave your password file everywhere, nobody will be able to get your passwords even if it is left on your computer. It strongly encrypts all your sensitive data. Carry your password files everywhere you want or leave it anywhere you want, your sensitive credential details will always be safe. Don’t let hackers gain over you!!!
got the same issue here. On the hotmail account. It is an unguessable generated password. I am pretty security conscious. No idea how it was guessed.
Heya,how are you doing recently ? I would like to introduce you a very good company which i knew.Their website is .They can offer you all kinds of electronical products which you need like laptops ,gps ,TV LCD,cell phones,ps3,MP3/4,motorcycles etc……..Please take some time to have a check ,there must be somethings you ‘d like to purchase .
My guess, may be the provider is compromised. Hotmail, google or Yahoo employees/contractors leaked out a lot of accounts. Is that possible?
It’s happened to my friend hotmail account. The mail was sent to his all hotmail address book members. Any solutions to prevent this.
It happened to me today with Yahoo mail. Hundreds of mails sent with similar message. It took over both vacation message AND the signature page. I did not have vacation turned on. I have an antivirus and spyware running constantly (zonealarm) and it didn’t catch it (although there is a similar email quarantined under phishing, it still let it run- i think this came in this morning. i changed the password and deleted all the files and it seems to be ok for the rest of the day but i have no confidence in it staying spam free. And i do not like entering my email in this site…
I’ve just had the same thing happen.
“Dear friend: how are you doing recently ? I would like to introduce you a very good company which i knew.They can offer you all kinds of electronical products which you need, such as motorcycles, laptops, mobile phones, digial cameras, TV LCD, xbox, ps3, gps, MP3/4, etc. Please take some time to have a look at it,there must be something you’d like to purchase. the website: shop-2009.com Their Email: [email protected] Hope you have a good mood in shopping from their company!”
I’ve just changed my password and deleted almost all of my contacts so that nothing more gets sent to them. Any other or better ideas?
Here is their site reg. info. I can’t believe this has been going on for two years from the same group.
Domain Name: GROUPSALE.NET
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS.XINNET.CN
Name Server: NS.XINNETDNS.COM
Status: ok
Updated Date: 29-jun-2009
Creation Date: 29-jun-2009
Expiration Date: 29-jun-2010
So does anyone have a fix for this? I noticed in my hotmail that when I click on new in Hotmail it opens up a message with the ‘spam’ message it sent out as the content.
D
Ok, it had added the message as a signature which I have now removed but no saying it won’t happen again.
Has anyone thought of suing??
HAS ANYONE THOUGHT OF SUING???
Maybe we should just flood ping that site they mentioned to death. If it dies, then there will be no point in spamming us with that site again.