Today I got presented with a clever/nefarious fake login page at Hotmail.
Early this morning I did a check of my webmail and found a message supposedly from support@mydomain.com with the subject heading “Registration renewal for your domains”. While I didn’t have any domains there, I didn’t think much of it until I clicked to open the message.
Immediately, out of the blue, it appeared to log me out of Hotmail and present me with a new Hotmail login screen. The font looked a little odd, so I checked the URL in the browser (which showed me all was well and that I was on: http://…mail.live.com/). However, when I right-clicked to get the properties for the page, I found that the actual site I was on was:
http://…mail.live.com.kbs8.cn
(note: I don’t suggest going to the kbs8.cn site, no telling what’s there)
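The trick in the address above is that the host name ends in kbs8.cn, not live.com; everything before that is just subdomain labels the attacker controls, and a cramped address bar shows only the leading part. Below is an added example (not code from the original post) of the check a practitioner would apply: parse the URL, take the real host name, and decide by DNS-label boundaries whether it actually belongs to the trusted domain. The sample URLs are constructed; the page only shows the phishing host with its leading portion elided, so the full host used here is an assumption.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "live.com"  # the domain the login page claims to be


def hostname_of(url: str) -> str:
    """Real host of a URL: userinfo, port and case stripped, trailing dot removed."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # hostname already lowercases and drops user@ and :port
    return host.rstrip(".")


def belongs_to(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """True only if the host IS the trusted domain or a subdomain of it.

    The comparison is label-aware: 'mail.live.com.kbs8.cn' and 'notlive.com'
    both fail even though the string 'live.com' occurs inside them.
    """
    host = hostname_of(url)
    trusted = trusted_domain.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def _contains_labels(name: str, trusted: str) -> bool:
    """True if the trusted domain's labels appear as a contiguous run inside name."""
    labels = name.split(".")
    wanted = trusted.split(".")
    n = len(wanted)
    return any(labels[i:i + n] == wanted for i in range(len(labels) - n + 1))


def classify(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a URL.

    'lookalike' means the trusted name is visible somewhere in the authority
    part (host labels or the user@ prefix) but the real host is not under it.
    """
    if belongs_to(url, trusted_domain):
        return "trusted"
    trusted = trusted_domain.lower().rstrip(".")
    parts = urlsplit(url)
    candidates = [hostname_of(url), (parts.username or "").lower()]
    if any(_contains_labels(c, trusted) for c in candidates if c):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs; the phishing host's leading part is elided on the page.
    samples = [
        "http://mail.live.com/",                 # genuine
        "HTTP://MAIL.LIVE.COM./inbox",           # genuine, odd casing and trailing dot
        "http://mail.live.com.kbs8.cn/login",    # the trick described in the post
        "http://mail.live.com@kbs8.cn/",         # trusted name hidden in the user@ part
        "http://notlive.com/",                   # substring match only, not a label match
        "http://example.org/",
    ]
    for u in samples:
        print(f"{classify(u):10s} host={hostname_of(u)!r:28s} {u}")
```

The two things worth taking away from the check are that only the right-hand end of the host name decides ownership, and that the comparison has to stop at a dot, since a plain substring test would accept notlive.com while still rejecting nothing an attacker would not simply rename.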
Anyway, I emailed Hotmail security about it. I’m curious to see what they’ll tell me. This seems to be a pretty serious security bug, though. Not sure how an email can take over the entire Hotmail interface, leaving the main URL intact but presenting an arbitrary web page.
The only other explanation that I can imagine for this is if Microsoft runs the kbs8.cn site itself. However, I’m not going there to find out. And if they do own it, it’s probably not a good choice of URL to frame in a login page. I’m glad I didn’t log back in again when I was mysteriously logged out. But with scams like these, it’s getting much harder than it used to be to know whether you’re being phished or not.
I’ll report back with any news I receive from Hotmail’s security staff in case they have advice on browser settings or how to avoid this security issue.
UPDATE: The response from Microsoft is that they’re looking into it and a report was made to their Passport group about the issue. They have since followed up saying the phishing site will be taken down shortly.
Have you ever been taken in by a phishing scheme before? How did you know? What did you do?
Any experts have recommendations or best practices on how to avoid these risks?