Windows Live Hotmail (previously MSN Hotmail and Hotmail) is a free webmail service of the Windows Live brand provided by Microsoft. It originates from Hotmail. It was one of the first free webmail services. The current version was officially announced on November 1, 2005 as an update to Microsoft's existing MSN Hotmail service. It features 5 GB of storage, and integration with Windows Live Messenger, Spaces, Calendar and Contacts. It has over 250 million users worldwide and is available in 35 different languages.
Websense believes that there are four main advantages to spammers from this approach. First, the Microsoft domain is unlikely to be blacklisted. Second, the accounts are free to sign up. Third, Hotmail is integrated with a wide range of Windows Live services. And fourth, the accounts may be hard to keep track of, as there are millions of users worldwide using the service.
Let’s see the entire automated process in two stages.
Stage 1: Signing up and creating accounts successfully.
Part 1: Observe the bot hooking itself into the Internet Explorer browser on the victim's machine.
Part 2: Observe the set of pre-determined account names injected onto the victim's machine, which the bot attempts to sign up from that machine.
Part 3: The bot uses the Internet Explorer browser in the background on the victim's machine to attempt the Hotmail account sign-up process.
Part 4: Observe the bot visiting the Microsoft Hotmail account sign-up page, grabbing the CAPTCHA, and sending it to the CAPTCHA breaking host for account creation.
Part 5: Try-break, try-break, try-break.
Part 6: Observe CAPTCHA images being collected as hidden files on the victim's machine during the different account sign-up attempts.
Part 7: Unlike the Live Mail CAPTCHA break process, in this attack the communication between the CAPTCHA breaking host and the victim's machine is scrambled. It is observed that the 8 characters of the CAPTCHA code are returned instantly during sign-up, once the CAPTCHA image has been sent to the breaking host. The bot on the infected (victim's) machine descrambles the response to sign up the account successfully.
Part 8: Observe that the account is signed up and created successfully.
Part 9: The created account credentials are returned to the CAPTCHA breaking host.
The entire process is automated and carried out iteratively until all the accounts in the list initially injected onto the victim's machine are successfully signed up (refer to Stage 1, Figure 1.2).
Stage 2: Spamming using created accounts from a proper Hotmail Server
Once all the accounts in the list (refer to Stage 1, Figure 1.2) have been signed up by the bot, they are picked at random and used for spamming.
Part 1: Observe the login process in action.
Part 2: Login process in further progress.
Part 3: Proper login in progress over SSL page.
Part 4: Observe the bot completing a successful login to a proper Live Hotmail server page.
Part 5: Observe the bot initiating the edit process, i.e. composing a message for spamming.
Part 6: Spam message build in progress by the bot.
Part 7: The bot successfully fills in the "from email address" list, the "to email address" list, the email subject, and the body to be included in the spam message, thereby completing its task.
End of message! Spam is being sent to the targeted accounts.
Part 8: Finally, the account is logged out so that the same operation can continue with the next email account.
Part 9: The entire process in action, carried out iteratively to perform mass-mailing from the different accounts created by the bot.
Spammers finally have success advertising their product.
Stage 1: One in every 8 to 10 attempts to sign up a Hotmail account is successful. Hence the success rate is approximately 10 to 15%.
Stage 2: A spam campaign from one Hotmail account is sent to multiple accounts in the CC and BCC lists at a time. The same Hotmail account (the "from" account/address) is not used continuously for sending spam campaigns; the bot rotates it in a timely fashion. The same is the case with the targeted accounts (the "to" account(s)/addresses) for spamming.
It is observed that, unlike the Live Mail Anti-CAPTCHA and Gmail Anti-CAPTCHA operations seen in the past, the current attack is aggressive and instantaneous in terms of the CAPTCHA breaking host's turn-around time.
In the current attack, the response time of the CAPTCHA breaking host (grabbing a CAPTCHA image from a victim's machine, analyzing it, and responding to the victim's machine with the corresponding CAPTCHA code) is relatively lower than in previous attacks.
Note 1: It is observed that the total response time for CAPTCHA breaking is on average only about 6 seconds*.
Note 2: The timing of the request/response in this attack clearly indicates the possibility of an automated system at the spammers' end performing the Anti-CAPTCHA operation.
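The request/response timing described in the notes above is also what a defender can key on: a victim machine that repeatedly fetches the sign-up CAPTCHA, posts something to a host outside the webmail provider, and then submits the sign-up form within seconds is showing the relay pattern. The following is an added example, not code from the original post or from Websense; the log format, hostnames (signup.mail.example, breaker.example), paths, and client addresses are all constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the post); hostnames and paths are placeholders.
SAMPLE_LOG = """\
2008-04-10T10:00:00 10.0.0.5 GET signup.mail.example /captcha.aspx
2008-04-10T10:00:01 10.0.0.5 POST breaker.example /solve
2008-04-10T10:00:06 10.0.0.5 POST signup.mail.example /register.aspx
2008-04-10T10:00:07 10.0.0.5 GET signup.mail.example /captcha.aspx
2008-04-10T10:00:08 10.0.0.5 POST breaker.example /solve
2008-04-10T10:00:13 10.0.0.5 POST signup.mail.example /register.aspx
2008-04-10T10:00:14 10.0.0.5 GET signup.mail.example /captcha.aspx
2008-04-10T10:00:15 10.0.0.5 POST breaker.example /solve
2008-04-10T10:00:20 10.0.0.5 POST signup.mail.example /register.aspx
2008-04-10T10:05:00 10.0.0.9 GET signup.mail.example /captcha.aspx
2008-04-10T10:06:30 10.0.0.9 POST signup.mail.example /register.aspx
"""

MAIL_HOSTS = {"signup.mail.example"}  # the provider's own hosts (assumed set)
CAPTCHA_PATH, SIGNUP_PATH = "/captcha.aspx", "/register.aspx"
MAX_SOLVE_SECONDS = 10.0  # the post reports ~6 s turn-around; a human solver is slower
MIN_CYCLES = 3            # a few fast sign-ups may be a person; a run of them is a bot

def parse(log_text):
    """Yield (time, client, method, host, path) per non-blank log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, client, method, host, path = line.split()
            yield datetime.fromisoformat(ts), client, method, host, path

def detect_captcha_relay(log_text):
    """Return {client: (fast_cycles, mean_seconds)} for clients repeating CAPTCHA fetch -> outside POST -> sign-up POST fast."""
    per_client = defaultdict(list)
    for rec in parse(log_text):
        per_client[rec[1]].append(rec)
    flagged = {}
    for client, recs in per_client.items():
        latencies, state, t_captcha = [], 0, None
        for ts, _, method, host, path in sorted(recs):
            if method == "GET" and host in MAIL_HOSTS and path == CAPTCHA_PATH:
                state, t_captcha = 1, ts  # step 1: CAPTCHA image pulled from provider
            elif state == 1 and method == "POST" and host not in MAIL_HOSTS:
                state = 2                 # step 2: image relayed to the breaking host
            elif state == 2 and method == "POST" and host in MAIL_HOSTS and path == SIGNUP_PATH:
                latencies.append((ts - t_captcha).total_seconds())
                state = 0                 # step 3: returned code submitted
        fast = [s for s in latencies if s <= MAX_SOLVE_SECONDS]
        if len(fast) >= MIN_CYCLES:
            flagged[client] = (len(fast), sum(fast) / len(fast))
    return flagged
```

The second client fetches a CAPTCHA and signs up 90 seconds later with no outside POST in between, so it is left alone; only the client that cycles through all three steps in about 6 seconds, three times in a row, is reported.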
Websense believes that these accounts could be used by the spammers at any time for a variety of social-engineering attacks in future. A wide range of attacks (both manual and automated) would be possible using the same account credentials on the other significant Live services integrated with Live Hotmail and offered by Microsoft Corporation, such as Live Messenger (instant messaging), Live Spaces (online storage), etc.
Note: For more information on Hotmail aka Live Hotmail and Live services, see the Hotmail, Live Hotmail and Live Mail entries on Wikipedia.
Threat Analyst: Sumeet Prasad