Hotmail Vulnerability for Stealing E-Mail

Karl Dominguez, researcher at Trend Micro said on May 23, 2011 that cyber-criminals were actively exploiting a security flaw in Microsoft's popular e-mail service, Hotmail through electronic mails which carried malware. TheRegister published this on May 24, 2011.

Says Dominguez, the attacks are successful when a Hotmail subscriber merely clicks open the messages alternatively sees them within his preview window. Thereafter, if he follows the instructions inside the e-mails then his confidential correspondences get uploaded along with his address list onto attacker-controlled servers. This is possible even without the victim clicking on any web-link.

Furthermore, the scripts even let the forwarding of e-mails from the specifically attacked account so miscreants can view any inbound electronic mail for the Hotmail user later on. Meanwhile, these scripts link up with http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number}for pulling down yet one more malicious script.

Evidently, the above URL indicates the personalized nature of the attacks, with it carrying twin variables: username i.e. the Hotmail ID of the specifically aimed end-user, and one particular attacker-determined number.

That number apparently, identifies the malware to be run. Meanwhile, the second malicious script generated from the URL is detected as JS_AGENT.SMJ at the Trend Micro security company. The script kicks off an enquiry, which's dispatched onto the Hotmail control system. Consequently, each-and-every e-mail of the impacted end-user is sent to one specific ID. Nonetheless, the forwarding of the e-mails happens only during the script's execution that'll terminate immediately when the end-user closes his ongoing session.

Writes Dominguez, the attack exploits a script alternatively vulnerability in the CSS filtering system of Hotmail. However, Microsoft has already notified Hotmail for developing an appropriate patch, he adds which TheRegister published.

Interestingly, the malevolent electronic mails appear as though they've been especially written for separate recipients since they use different Hotmail IDs of different owners within the implanted malevolent script. The subsequent downloads too utilize particular Hotmail IDs as also one attacker-specified number, which if changed causes the payload to change too.

But, it isn't still known as to what number of Hotmail subscribers may've been impacted as also if Microsoft has sufficiently alerted end-users to their e-mail compromises.

Related article: Hotmail Account Holders Vulnerable to Latest E-mail Scam

» SPAMfighter News - 5/31/2011