Spam From Hijacked Webmail Accounts

A family member called last night, upset and embarrassed that his yahoo.com account had been used to blast out spam to all of his contacts. A quick examination of the message headers confirmed that the spam was indeed sent through his yahoo.com account, meaning someone had obtained his Webmail password and hijacked the account.
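The header check described above, as an added example that is not part of the original post: it walks the Received chain of a message, oldest hop first, and pulls out the client address and the server that first accepted the message. The message is constructed for the example; the hostnames use example domains and the addresses come from the IPv4 documentation ranges, so none of it is Yahoo's real infrastructure, and the "from X by Y" layout is the generic Received format rather than any one provider's exact header (an assumption to check against a real message).

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real one): example domains and
# documentation-range addresses stand in for the real hosts.
SAMPLE_RAW = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTP id abc123
\tfor <contact@example.org>; Tue, 28 Apr 2009 22:15:03 -0400
Received: from webmail.provider.example ([198.51.100.7])
\tby mx.example.net with SMTP; Tue, 28 Apr 2009 22:15:01 -0400
Received: from [203.0.113.55] by webmail.provider.example via HTTP;
\tTue, 28 Apr 2009 22:14:58 -0400
From: relative@provider.example
To: contact@example.org
Subject: New shopping new life!

Dear Friend,
"""

# "from <client> ... by <server> ..." is the common shape of a Received
# header; everything after the final ';' is the timestamp.
RECEIVED_RE = re.compile(r"from\s+(?P<frm>.+?)\s+by\s+(?P<by>[^\s;]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Turn one Received header into a dict, or None if it has no from/by pair."""
    flat = " ".join(value.split())  # undo header folding
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    frm = m.group("frm")
    ip = IPV4_RE.search(frm)
    date = None
    if ";" in flat:
        try:
            date = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            date = None
    return {
        "from": frm.split()[0].strip("[]"),  # name or bare IP the client presented
        "ip": ip.group(1) if ip else None,   # first IPv4 literal in the from-clause
        "by": m.group("by"),                 # server that accepted this hop
        "date": date,
        "raw": flat,
    }


def trace(raw_message):
    """Return the Received hops in transit order: oldest (origin) first.

    Each server prepends its own Received header, so the header order is
    newest-first and must be reversed to follow the path the message took.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    return [h for h in hops if h is not None]


def originating_hop(raw_message):
    hops = trace(raw_message)
    return hops[0] if hops else None


def sent_via_provider_webmail(raw_message, provider_domain):
    """True if the earliest hop was accepted by a host in the provider's
    domain and records a client address, i.e. the message entered the mail
    system through the provider's own front end rather than some other relay."""
    origin = originating_hop(raw_message)
    return bool(origin and origin["by"].lower().endswith(provider_domain.lower())
                and origin["ip"] is not None)


if __name__ == "__main__":
    for hop in trace(SAMPLE_RAW):
        print(f"{hop['date']}  {hop['ip'] or '-':<15} -> {hop['by']}")
    print("via provider webmail:", sent_via_provider_webmail(SAMPLE_RAW, "provider.example"))
```

Only the hops added by servers you trust are reliable: your own receiving server's header is authoritative, the provider's is trustworthy once you have confirmed the hop above it really came from the provider, and anything below that could have been forged by whoever injected the message. When the earliest trustworthy hop is the provider's Webmail front end, the client address it records is the one the account was logged into from, which is the detail worth handing to the provider's abuse desk.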

Upon closer inspection, I noticed that whoever sent the message had also done the following: deleted the last 30 days' worth of messages from the "Sent" folder; added the same message they had spammed out to his e-mail signature, so that it would be tacked onto every subsequent e-mail he sent; and signed his first name at the bottom of the message.

An Internet search for the domain advertised in the spam -- easylifeing.com -- shows that spammers have advertised this site by hijacking accounts at other free Webmail providers as well, including Hotmail and Gmail.

The message read:

Dear Friend,

New shopping new life!

How are u doing these days?Yesterday I found a web of a large trading company from china,which is an agent of all the well-known digital product factories,and facing to both wholesalers,retailsalers,and personal customer all over the world. They export all kinds of digital products and offer most competitive and reasonable price and high quality goods for our clients,so i think we you make a big profit if we do business with them.And they promise they will provide the best after-sales-service.In my opinion we can make a trial order to test that.

Look forward to your early reply!
[name omitted]

My relative's anti-virus program gave his PC a clean bill of health, but we're still in the process of scanning it with other tools. It's not clear how the attackers are hijacking these accounts, but there are a variety of ways passwords can be stolen.

The most likely explanation is that the victims logged into their accounts from a system that had been compromised by some kind of data-stealing malicious software designed to swipe user names and passwords. In this particular instance, I'd rule out an automated password-guessing tool, because my relative's password was fairly complex -- more than 10 characters, including numerals.

I've found dozens of Web sites advertised in these Webmail hijack scams. The domains themselves all appear to belong to bargain-basement electronics and apparel stores based in China. All of the spammed sites I've reviewed so far were registered and set up only recently, suggesting that they may be nothing more than phantom stores designed to harvest credit card numbers from unsuspecting buyers.

Anyone affected by this scam should immediately change their Webmail password, and check that the same message hasn't been appended as a Webmail signature (signatures are usually managed through the account's settings or options page).

Finally, changing your password won't help much if the attackers still have malware on your system that can steal the new password, too. Assuming your system is equipped with up-to-date antivirus software and you've run a full system scan, you can get a second opinion from one of my favorite diagnostic tools, the Ultimate Boot CD.

This is basically a Linux distribution that you burn to a CD. Assuming your system is configured to boot from CD (if not, the boot order can usually be changed in the BIOS setup), it lets you boot into a separate operating system environment and run a slew of diagnostic checks on the underlying hard drive and installed operating system, including virus scans from at least three different anti-malware vendors. Because the infected Windows installation is not running, malware cannot hide from or disable the scanners the way it can from inside a live system. It is generally safe to delete suspect files found in these scans, though quarantining is the safer choice when a flagged file lives in the Windows system directories, since a false positive there can leave the machine unbootable. The scans themselves can take many hours to complete, depending on how many files are on your system.

Update, 9:48 a.m.: A reader wrote in to remind me that there is a version of the Ultimate Boot CD -- appropriately named the Ultimate Boot CD for Windows -- that boots into a clean Windows environment instead of a Linux operating system.

By Brian Krebs  |  April 29, 2009; 7:00 AM ET
Categories:  Fraud , Latest Warnings , Safety Tips  | Tags: gmail, hotmail, spam, webmail hijack, yahoo  

Comments

Thanks for another informative article Brian. There are so many security threats these days - adding the personal touch like this is effective for the hackers, but VERY embarrassing for the rest of us.

Can I add a suggestion? If this happens to you, what about immediately logging on to your webmail account from another computer that you know is not infected by malware and changing your password that way? Then you have to make sure that you clear up your own system before using it to log on with the new password.

If you have something that stops your antivirus updating or running, start your computer in safe mode with networking (keep hitting F8 as it restarts), download the updates and do a full system scan.

Posted by: datadefender | April 29, 2009 9:59 AM

Last week I was looking at laptops at the Tyson's Corner Apple store. I walked up to one MacBook to discover Safari running and logged in to someone's Yahoo mail account. I sent the person an email saying it wasn't very smart to leave a computer in a public place logged in to their webmail account. It would have been easy to delete all their email and/or change their password.

Posted by: phs123 | April 29, 2009 10:54 AM

What I've frequently seen related to this is that the victim has responded to an email from the "HelpDesk" and sent their username and password to a yahoo/gmail/hotmail account. Often the emails tell the user (in poor English) that there is a system upgrade, or that their mailbox is full, or that their account was compromised and they need to send in their username and password so their account can be transferred, fixed, etc.

Posted by: ZachJansen | April 29, 2009 11:15 AM

Thanks for bringing this to the public eye, Brian.

I dealt with a similar case on the 13th of April, that message read:
"New Horizon!
i would like to introduce a good company who trades mainly in electornic products.
Now the company is under sales promotion,all the products are sold nearly at its cost.
They provide the best service to customers,they provide you with original products of
good quality,and what is more,the price is a surprising happiness to you!
It is realy a good chance for shopping.just grasp the opportunity,Now or never!
The web address: xxx.vvect.com "

I flagged the target site on WOT and cleaned the PC, which was infected by a recent (@ 2 days old?) variant of the W32.Bagz.mm (Symantec) worm.

I reminded them of the service available at virustotal.com and reinstalled their A/V, checked/updated everything and installed Secunia PSI and Belarc Advisor to double-check.

Unfortunately, I could not find the original source of the infection, perhaps the email carrying the attachment had been deleted.

Posted by: satrow | April 29, 2009 12:33 PM

I had the exact same thing happen with my Yahoo mail account while traveling in Europe last November. The only difference is that the subject of the message my acct was used to send out was "Good shopping good mood!"

Once I started seeing bounce messages and after determining the message was indeed sent from my acct, I sent mail to abuse@yahoo.com letting them know what happened and suggesting that they try to determine if the IP address used to access my account when the message was sent was used to access other accounts. It took numerous e-mail volleys to finally be able to explain the situation to them, after which they really seemed unconcerned. Ah well, with free services you really do get what you pay for.

Posted by: Matt_G | April 29, 2009 1:58 PM

On two occasions in the past month, I received a message on my Yahoo account that purported to be from Yahoo support. It asked for user ID, password, secret questions, and the answers to the secret questions (and had a form to fill out).

The information was supposedly to validate the information and keep Yahoo from closing the supposedly inactive account.

I don't think so. I reported the messages as spam, and then deleted them from my spam folder.

Could your friend have been the victim of a similar or identical phishing attack?

Bob Guenther

Posted by: rlguenther | April 29, 2009 3:46 PM

Bob, it's possible. I asked whether this person had fallen for a phishing attack, and the answer was no. But you never know.

Even if these account credentials aren't being stolen through malware, having the Ultimate Boot CD for Windows around is really handy, and running a second AV scan through your system now and again is probably a good thing.

Posted by: BTKrebs | April 29, 2009 4:08 PM

As quite correctly pointed out by ZachJansen (comment on 04/29/09) and as invented by Sir Newton-Every action has an equal and opposite reaction. ID and password theft in most of the cases are the result of deliberately or accidentally clicking on some of the infected sites.
Anti-virus software, secured internet connections etc will only do good for a while.
I believe most of the cybercrime and the overall outlook towards the subject needs a much needed change. Right now we are so overwhelmed with the sudden spurt in cybercrime, that it has caught us and the authorities, napping. A major percentage of our (personal and government) efforts are going into damage control, whereas the need of the hour is to strike the root cause of such crimes. One of the very basic and initial steps will be educating the people about internet. Now most of us will argue that we all are computer literate, but there are some guys out there who use simple techniques to get us scammed or hack our computers.
My suggestion-apart from damage control we should make the people aware about responsible net habits.

Posted by: 419legalorgrishi | April 30, 2009 12:42 AM

Most of the persons I know who were affected by similar problems gave their login information to get "free emoticons" from yahoo, MSN, facebook on websites advertised in phishing emails...

Others have given their email login information to various sites that need to "retrieve your address book for your convenience", like e-greeting sites or social networking sites.

Of course, most of those people deny having ever given their credentials.

Fake wifi hotspots in airports and other places are also a major problem.

Posted by: Ririz | April 30, 2009 5:45 AM

This problem would never have happened if webmail companies adopted some fairly new technology like Strongwebmail.com does.

Let's not go blaming people for using their email accounts, rather let's recognize that it is the account providers themselves that open up everyone to this sort of thing.

Does anyone think that this is going to get better anytime soon? Years have gone by and the only one that did something about it was Telesign and Strongwebmail.

As far as I am concerned, Yahoo, Google and MSN's hotmail needs to get on the secure bandwagon.

Posted by: readyfreddy | April 30, 2009 5:13 PM

You know all of these people gave out their name/address to some sort of scam. Emoticons, some special email "deal" they had, or some sort of scam they thought they could get by with.

People are bad about security, they suddenly get stupid when they use a computer, they use one password for everything. They give it out magically to anything or anyone who asks.

Nobody is magically breaking into email accounts, or compromising servers, or being all "leet".

And the dirty truth is that virus protection is worse than worthless because people think it's a magic solution and so they get careless.

People screw things up all the time and then blame it on a "virus". Viruses aren't the problem these days, rootkits are, and people gladly install them on their PC for the promise of seeing some celebrity naked, or for free music or something.

I used to have sympathy for them. I thought training was the problem. I thought Windows was the problem. But really, the problem is that people are mind numbingly stupid.

Posted by: Skeptic1 | April 30, 2009 9:41 PM

HEADS UP -- an old keylogger is on the loose that SAV and Win MSRT do not catch!

"trojan.BHO" stole my credit card number 2 weeks ago from an XP SP3 fully patched-to-date, running enterprise SAV, virus defs updated nightly and I'm behind an enterprise firewall.

I had suspicions something was wrong so I ran SAV scans 3 different times and got "0 risks" every time. A malware product (a valid one) found it and cleaned it out.

I have a suspicion that, due to costs, Microsoft and maybe Symantec also don't include checks/defs for old viruses on newer OSes. The info I found on this trojan says it's been around for almost 10 years.

Posted by: lquarton | April 30, 2009 11:37 PM

It's also happening to Yahoo users. The big story is that hackers have penetrated Yahoo, Hotmail & Gmail SERVERS -- not that they are sitting on individual user desktops. The address books and emails are stored on SERVERS and not on individual desktops. This takes hacking to a new, more devious level.

Posted by: artemdi | May 4, 2009 5:38 PM

It's probably no coincidence that the emails from "helpdesk" requesting passwords arrived at the same time as the spams from those Asian electronics sellers. By not relying on a website to collect information, they bypass a lot of the antiphishing protections people rely on. And they're using free services like zzn.com that don't provide an obvious way to report the phishing reply-to email (and don't accept Spamcop reports).

Knowing that criminals find access to individual email accounts valuable, the next step is to anticipate other strategies they may pursue. In this case it was a strong password, but many people choose quite easy ones. All a criminal needs to do is to choose a common password and keep changing the username they try to log in under. (They can use a list of addresses they already have for spamming to get usernames for various email services.) They won't get locked out of an account for too many tries, and they're likely to hit on quite a few accounts that use passwords like "password1" or "yahoo1."

Everyone needs to understand that these accounts are not trivial and need strong passwords. And maybe services like Yahoo and Hotmail could compare hashed passwords and provide feedback to users about how many other users have chosen the same password. A lot of people honestly think they're the first ones to choose "password" or "letmein," so if they got a warning that 1,253,325 other users have chosen the same passwords, they might consider using something more secure.

Posted by: AlphaCentauri | May 5, 2009 12:04 PM
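The guessing strategy AlphaCentauri describes above (one common password tried across many usernames, so that no single account ever reaches its lockout threshold) is easy to miss with per-account counting and easy to see with per-source counting. The following is an added example from the editor, not code from the original post or any mail provider: it runs simple detection logic over a constructed set of authentication log lines. The log format, field names, thresholds and addresses are all invented for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not a real provider's
# format). One source walks a single guess across many different accounts,
# touching each only once, so a per-account lockout never trips and one
# guess lands; a second source is one user mistyping a few times, then
# getting in, which should not be flagged.
SAMPLE_LOG = """\
2009-04-28T21:00:01Z src=203.0.113.55 user=alice result=FAIL
2009-04-28T21:00:02Z src=203.0.113.55 user=bob result=FAIL
2009-04-28T21:00:03Z src=203.0.113.55 user=carol result=FAIL
2009-04-28T21:00:04Z src=203.0.113.55 user=dave result=OK
2009-04-28T21:00:05Z src=203.0.113.55 user=erin result=FAIL
2009-04-28T21:00:06Z src=203.0.113.55 user=frank result=FAIL
2009-04-28T21:00:07Z src=203.0.113.55 user=grace result=FAIL
2009-04-28T21:00:08Z src=203.0.113.55 user=heidi result=FAIL
2009-04-28T21:00:09Z src=203.0.113.55 user=ivan result=FAIL
2009-04-28T21:00:10Z src=203.0.113.55 user=judy result=FAIL
2009-04-28T21:00:11Z src=203.0.113.55 user=mallory result=FAIL
2009-04-28T21:03:00Z src=198.51.100.7 user=carol result=FAIL
2009-04-28T21:03:20Z src=198.51.100.7 user=carol result=FAIL
2009-04-28T21:03:45Z src=198.51.100.7 user=carol result=FAIL
2009-04-28T21:04:10Z src=198.51.100.7 user=carol result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """One log line -> dict with a real datetime, or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(lines):
    return [ev for ev in map(parse_line, lines) if ev]


def detect_spray(events, window=timedelta(minutes=10), min_users=8):
    """Flag sources whose failures within a sliding window hit at least
    min_users distinct accounts.

    A per-account lockout counts failures per user; this counts them per
    source, the axis a sprayer spreads across. max_per_user is kept in the
    alert so you can see how far under a lockout threshold the source stayed.
    """
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]].append(ev)
    alerts = {}
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            seen = alerts.get(src, {}).get("distinct_users", 0)
            if len(per_user) >= min_users and len(per_user) >= seen:
                alerts[src] = {
                    "distinct_users": len(per_user),
                    "failures": sum(per_user.values()),
                    "max_per_user": max(per_user.values()),
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                }
    return alerts


def accounts_hit(events, alerts):
    """Accounts a flagged source then logged into: the ones whose password
    was the common guess, and the ones to force a reset on."""
    return sorted({ev["user"] for ev in events
                   if ev["src"] in alerts and ev["result"] == "OK"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    found = detect_spray(evs)
    for src, info in found.items():
        print(f"{src}: {info['distinct_users']} accounts, "
              f"{info['failures']} failures, at most {info['max_per_user']} per account")
    print("accounts hit:", accounts_hit(evs, found))
```

The thresholds are deliberately crude: a real deployment would tune the window and the distinct-user count to the provider's traffic, and would have to cope with a sprayer rotating source addresses across a botnet, which per-source counting alone will not catch. The comment's other suggestion, telling users how many others share their password, is a separate mechanism that would have to count password hashes at the moment a password is set, not something this log-side check can do.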


© 2010 The Washington Post Company