Hacker sending email from hotmail, changing password doesn't stop it


Solution 1

There are several possibilities:

  1. One of your colleague's computers is infected with some sort of keylogger.

  2. One of your colleague's computers is infected with a password sniffer.

  3. One of your colleague's computers is a zombie (part of a botnet) and sends the mails directly (possibly using the hotmail cookie).

Since only the hotmail account seems to be compromised, I'd rule out 1 (credit cards are much more interesting).

MSN Messenger and Internet Explorer are both vulnerable to password sniffing, so if your colleague stores his passwords, 2 is also an option.

Option 3 is different from the other two (and easier to detect), since it implies that the emails are actually sent from one of your colleague's computers.

  • If you look at the time the emails have been sent, you should be able to figure out which computers were turned on at the time.

  • Also, each email sent by hotmail contains a X-Originating-IP header that will help identify the computer it was sent from. Just ask one of the affected contacts for this information.

In any case, the fix is the same:

  1. Identify the infected computer.

  2. Remove the malware (virus scanner, browsing registry keys in safe mode and formatting the hard disk are your basic options).

  3. Change the hotmail password one last time.
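The header check described in this answer, as an added example that is not part of the original answer: it reads the X-Originating-IP and Date headers from raw messages and reports whether each was submitted from a network the account owner uses. `KNOWN_NETWORKS`, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
import ipaddress
from email.utils import parsedate_to_datetime

# Assumption: public address ranges of the home/office networks the owner uses.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample messages (documentation IP ranges), not real spam.
SAMPLES = [
    "X-Originating-IP: [198.51.100.23]\r\n"
    "Date: Mon, 21 May 2012 09:14:02 +0000\r\n"
    "Subject: hi\r\n\r\nbody\r\n",
    "X-Originating-IP: [203.0.113.77]\r\n"
    "Date: Mon, 21 May 2012 03:40:11 +0000\r\n"
    "Subject: hi\r\n\r\nbody\r\n",
    "Date: Mon, 21 May 2012 04:00:00 +0000\r\n"
    "Subject: no header\r\n\r\nbody\r\n",
]

def originating_ip(raw):
    """Return (ip, sent_time); ip is None if the header is absent or invalid."""
    msg = email.message_from_string(raw)
    # Hotmail writes the address in square brackets, e.g. [198.51.100.23].
    value = (msg.get("X-Originating-IP") or "").strip().strip("[]")
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    date = msg.get("Date")
    sent = parsedate_to_datetime(date) if date else None
    return ip, sent

def classify(raw):
    """Label a message by where it was submitted from."""
    ip, sent = originating_ip(raw)
    if ip is None:
        verdict = "unknown"
    elif any(ip in net for net in KNOWN_NETWORKS):
        verdict = "own-network"  # sent from one of the owner's machines
    else:
        verdict = "external"     # account used from somewhere else
    return verdict, ip, sent

if __name__ == "__main__":
    for raw in SAMPLES:
        verdict, ip, sent = classify(raw)
        print(f"{sent}  {ip}  {verdict}")
```

For an own-network result, the send time narrows the search to the computers that were switched on at that moment.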

Solution 2

It all sounds plausible, but I do not think this is what happens.

I think a hacker deliberately targets your email address at Hotmail by intercepting an internal message and then pinches your password. I do not know how they do it. But the remedy should be to change your password.

At least I hoped this works because I was hacked and spam sent out on 20 May 2012. The hack may have occurred a couple of weeks earlier.

At first Hotmail blocked my account because somebody was attempting to send out spam. I changed my password and then the account was compromised. This all happened in May after the bug was meant to have been fixed.

I am in trepidation in case it occurs again. My password for Hotmail was different from other passwords, so it was not obtained elsewhere. No malware or viruses were found on my computer.

Author by

Gootik

Updated on September 18, 2022

Comments

  • Gootik
    Gootik almost 2 years

    A colleague of mine seems to have had their hotmail account hacked - lots of spam is being sent from their account to their contacts, and the spams show up in their Sent folder so they're definitely being sent from that account.

    Curiously, though, the hacker has not changed the hotmail password (to lock the original owner out) and also even though the owner has changed their hotmail password several times, the spam emails continue to be sent.

    Does this mean that one of the owner's computers has been compromised (so that the hackers get access to the new password after each password change), or is there some hotmail hack that can bypass the password check altogether?

    So basically, how can my colleague fix their hotmail?

    • Admin
      Admin over 12 years
      The computer being compromised is a possible reason; it might be a rootkit or an email client vulnerability on his PC, or something as simple as a keylogger.
    • Admin
      Admin over 12 years
      I've had several contacts whose Hotmail account appears to have been compromised in this way. (It's happened again today!) I've not experienced this with other webmail services.
    • Admin
      Admin about 12 years
      Somewhat off-topic, but worth mentioning in this thread: Forward spam to [email protected] to have it investigated for possible law enforcement actions. (Be sure to include the "raw" format mail, with all the headers.) Also, most major financial institutions and the like have spam/spoof investigators. E.g., American Express has [email protected].
  • Axeman
    Axeman over 12 years
    Forging the headers does not leave messages in the account "sent mail" folder.
  • Gootik
    Gootik over 12 years
    As Axeman said, I don't think it's joe-jobbing because the sent spam shows up in his sent folder.
  • osodyj
    osodyj over 12 years
    Very complete explanation. I would point out that 3 is much more likely than 2. Also, this might be a good time to make sure your browser and/or e-mail client are relatively secure. Firefox (with noscript) and Chrome are more secure than IE on the browser side.
  • Daniel R Hicks
    Daniel R Hicks about 12 years
    Yeah, I'd bet on 3. Probably a botnet has figured out how to send Hotmail email, which is why @w3d reports several similar Hotmail scenarios.
  • Dennis
    Dennis about 12 years
    @DanH: I'd usually agree, but I've been receiving quite a few scam mails lately that were generated using 2, and only from Hotmail accounts. My bet is on sniffing the password from Messenger.
  • Daniel R Hicks
    Daniel R Hicks about 12 years
    @Dennis -- Either way, the computer's infected. That's the main take-away.
  • Daniel R Hicks
    Daniel R Hicks about 12 years
    @Dennis -- BTW, how can you tell whether it was 2 or 3 from the receiving end?
  • Dennis
    Dennis about 12 years
    @DanH: By the X-Originating-IP header, which revealed residential IP addresses from Asia. It also makes it more difficult to spot the malware, since you have to identify first which computer is infected.