Beware Rogue email - category Data Miner

Started by LesD, Mar 03, 2009, 21:09:31


LesD

I have just sent this to IDNet Support. You fellow IDNetters may be interested in what it contains.

Hi Support,

I have received a rogue email from a couple of my contacts' hotmail.com accounts that has somehow hi-jacked their Address Book/Contacts List and propagated itself to all the addresses in that list. I thought I had deleted all of the copies I have received but I have just found a rarely used Webmail account that has it in the Spam folder.
Both of the emails to my IDNet email addresses were trapped in the Junk Folder of the WebMail client and did not get through to my Windows Live Mail (WLM) client on the PC and I deleted them in the WebMail client. One to a Tiscali account did get to my WLM but I deleted it with no ill effects that I am aware of.

The body of the message reads:

"New experience of shopping!
i would like to introduce a good company who trades mainly in electornic products.
Now the company is under sales promotion,all the products are sold nearly at its cost.
They provide the best service to customers,they provide you with original products of
good quality,and what is more,the price is a surprising happiness to you!
It is realy a good chance for shopping.just grasp the opportunity,Now or never!
The web address www . sxdswz . com "

I believe that if you are foolish enough to click on the web address (which is a Link in the actual email) you will get infected by this thing and maybe get your Contacts information hi-jacked too.

I have decided to refer this to my AV provider, PREVX to see what they make of it.
My PREVX EDGE Status is Secure so I don't think I have a problem, but one of the Senders this thing has masqueraded as uses AVAST and, having had the matter referred to them, AVAST have created an update as a result and defined the thing in the category Data Miner.

My advice to people I correspond with is that if you get one of these emails delete it preferably without opening it and under no circumstances open the link it contains.

Are IDNet aware of this particular rogue email and have any information that would be helpful in avoiding its consequences?
Regards,

Les.
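A defender-side triage check for this kind of message, added here as an illustration and not code from Les, IDNet or any of the AV vendors mentioned. It parses a raw message, fingerprints it against phrases from the body quoted above, and undoes the "www . sxdswz . com" spacing trick so the link target is visible to a filter. It also reports whether the sender is in the recipient's address book, because the point of the thread is that a known sender is not evidence the message is safe, so that fact is reported rather than used to whitelist. The addresses and the `known_contacts` set are made up for the example; the obfuscated-domain matcher is restricted to a handful of TLDs, an assumption made to avoid matching ordinary prose such as "cost.They".

```python
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Phrases lifted from the spam body quoted in the thread (campaign fingerprint).
CAMPAIGN_PHRASES = (
    "new experience of shopping",
    "under sales promotion",
    "now or never",
)

# Domains written with whitespace around the dots so a naive link scanner
# misses them. TLD list is an assumption to keep prose like "cost.They" out.
SPACED_DOMAIN = re.compile(
    r"\b((?:[a-z0-9-]+\s*\.\s*)+(?:com|net|org|info|biz|cn|de|uk))\b",
    re.IGNORECASE,
)


def deobfuscate_domains(text: str) -> list[str]:
    """Return only the domains that were padded with spaces, with padding removed."""
    found: list[str] = []
    for match in SPACED_DOMAIN.finditer(text):
        raw = match.group(1)
        cleaned = re.sub(r"\s*\.\s*", ".", raw).lower()
        # A domain written normally (www.idnet.com) is not evidence of anything.
        if cleaned != raw.lower() and cleaned not in found:
            found.append(cleaned)
    return found


def _body_text(msg: Message) -> str:
    """Collect the text/plain content of a parsed message as one string."""
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk() if p.get_content_type() == "text/plain"
    ]
    chunks = []
    for part in parts:
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str, known_contacts: set[str]) -> dict:
    """Classify one raw RFC 5322 message against the campaign fingerprint.

    known_contacts stands in for the recipient's address book. It is reported,
    not used as a whitelist: this campaign arrives from hijacked contacts.
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    phrases = [p for p in CAMPAIGN_PHRASES if p in text]
    obfuscated = deobfuscate_domains(text)
    return {
        "sender": sender,
        "known_sender": sender in known_contacts,
        "phrases": phrases,
        "obfuscated_domains": obfuscated,
        "is_campaign": bool(phrases) or bool(obfuscated),
    }


# Constructed sample: the body quoted in the thread, as it would arrive from a
# hijacked contact's account (addresses are made up).
SAMPLE_SPAM = """\
From: A Friend <a.friend@hotmail.com>
To: les@example.net
Subject: New experience of shopping!
Content-Type: text/plain; charset="utf-8"

i would like to introduce a good company who trades mainly in electornic products.
Now the company is under sales promotion,all the products are sold nearly at its cost.
It is realy a good chance for shopping.just grasp the opportunity,Now or never!
The web address www . sxdswz . com
"""

# Constructed benign message from the same contact, with an ordinary link.
SAMPLE_OK = """\
From: A Friend <a.friend@hotmail.com>
To: les@example.net
Subject: Friday
Content-Type: text/plain; charset="utf-8"

Still on for lunch? The train times are on www.example.org if you need them.
"""

if __name__ == "__main__":
    book = {"a.friend@hotmail.com"}
    for sample in (SAMPLE_SPAM, SAMPLE_OK):
        print(score_message(sample, book))
```

Running the block prints one verdict per sample; the spam sample is flagged on both phrase and hidden-link evidence even though the sender is in the address book, while the benign one is not flagged despite containing a normal link.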



Simon

Thanks Les, forewarned is forearmed.  :thumb:
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Lance

Hi Les. I think the problem is that there are so many of these types of emails that support may not be aware of this particular one. I would imagine that they issue generic advice such as if you don't know the sender and it looks a bit dodgy don't take the risk of opening it and clicking any links!
Lance
_____

This post reflects my own views, opinions and experience, not those of IDNet.

LesD

Quote from: Lance on Mar 03, 2009, 22:31:43
if you don't know the sender and it looks a bit dodgy don't take the risk of opening it and clicking any links!

That's just it with this one, Lance: you do know the sender, because this one is masquerading as the sender whose Contacts List your email address has been found in. I know the poor English is a giveaway, but in the past I have advised my 92-year-old laptop-using Uncle to only open emails from people he knows/recognises, so he could easily fall foul of the likes of this. I rang him last evening to warn him about this particular email.

I suspect you are right about IDNet Support but the more folks who know about this one the better from my point of view. I have heard this morning that the email may not in fact be the carrier but that there is something hotmail account users are picking up when they download their emails in general from the hotmail servers. I have not had this information first hand but if it is true this problem could be set to mushroom.

If I can firm up on this I will post again.
Regards,

Les.



BrianM

Thanks for that Les.  :thumb:  I received an e-mail earlier this week with the 'New experience of shopping' headline and a couple last week with similar headings, and I get very little 'spam' mail, but the senders were people I didn't recognise so I just deleted 'em.
Brian

Take care of all your memories. For you cannot relive them.

LesD

Quote from: LesD on Mar 04, 2009, 08:40:56
If I can firm up on this I will post again.

This is the reply I received from PREVX:

Hi,

Thank you for the email. We have visited the website, it appears to be a Chinese company selling electrically equipment. It appears to be spam. I do not believe at present this is the item causing the hijack - it is just a message sent to the mined email addresses.

Regards,

Prevx Support

I have learnt today that the hotmail account holder that I received this rogue email from the first time, found the bug that was sending it with the process scan that AVAST can do and then used an automated, "quarantine" method to send it to AVAST.

The reply from Avast told him the process/bug was a data miner and it was downloaded from the e-mail server at the time he logged on and downloaded his legitimate e-mails.

It seems that for the time being beware hotmail servers, as the two senders this SPAM email has masqueraded as, use hotmail.com accounts!

There we go, you know as much about this matter now as I do.


Regards,

Les.



LesD

I have received yet another SPAM email today from yet another hotmail.com email account holder that I know!

This time the Company whose goods were for sale was easepurchase.com, so I Googled for "easepurchase.com +SPAM" and found exchanges about it on a German forum just before Christmas. My German is nil but Google offered to Translate it so I accepted, and it was gmail that was hosting the bug this time, but the technique was the same: mine the Contacts List from the victim's account and send the email on to everyone found in that list!  Naughty isn't it! I suppose as long as it is only the Contacts List and not User Names and Passwords it's a nuisance but not dangerous. I guess it's the not knowing how devious it is that's the worry for those victims that are infected with the data miner bug.
Regards,

Les.


Rik

All these things start from someone not looking after their machine in the first place, Les. It makes the world trickier for those of us who do. :(
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Sebby

Quote from: Rik on Mar 07, 2009, 18:43:18
All these things start from someone not looking after their machine in the first place, Les.

Or, put another way, from someone running Windows. >:D


Niall

This email is being sent via hijacked messenger accounts. My sister's account was hacked last week, but we're not sure how. If you look on windows help forums you'll see a lot of people have had their accounts hijacked. I had to send everyone an email warning them not to click on the link just in case, update passwords and gave them links to AV, anti Spyware, firewalls etc.
Flickr Deviant art
Art is not a handicraft, it is the transmission of feeling the artist has experienced.
Leo Tolstoy

LesD

Quote from: Niall on Mar 08, 2009, 18:19:38
I had to send everyone an email warning them not to click on the link just incase,

Good advice Niall but my AV provider PREVX did open the link when I referred the matter to them.
Their reply and what they found is here at Reply No 8 in this thread.
That said I am now aware that there is more than one form of the emails that are being SPAMmed by this hijacking technique so what goes for one may not go for the others.
Regards,

Les.


LesD

I have just been offered updates from MS (I expect many of you have too) one of which was:

Quote
Update for Windows Mail Junk E-mail Filter [March 2009] (KB905866)

Installation date: 12/03/2009 19:50

Installation status: Successful

Update type: Recommended

Install this update for Windows Mail to revise the definition files that are used to detect e-mail messages that should be considered junk e-mail or that may contain phishing content. After you install this item, you may have to restart your computer. This update is provided to you and licensed under the Windows Vista License Terms.

I have highlighted the word in red that caught my eye re. Data Miners et al!

I use Windows Live Mail so I hope it works for it too.
Regards,

Les.


Rik

Doesn't seem to stop them for me, Les. :(
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

LesD

Quote from: Rik on Mar 12, 2009, 23:18:07
Doesn't seem to stop them for me, Les. :(

I did wonder if it was Windows Mail specific, since it harps on about the "Vista License Terms", hence my mutterings about whether it would be any good with Windows Live Mail (WLM).

The Junk Mail box in my IDNet Webmail caught another one today, sent from a "stolen" hotmail account holder's Contacts List. At least I can delete them there rather than having them download into WLM.
Regards,

Les.


Niall

It wasn't Windows live specific as my sister doesn't use it at home or at the Uni where she works, and her account was compromised.
Flickr Deviant art
Art is not a handicraft, it is the transmission of feeling the artist has experienced.
Leo Tolstoy

LesD

I was referring to the MS update Niall, not one's vulnerability to attack!
Regards,

Les.


Niall

This email has reared its head again. This time on my mother's account. She hasn't even signed into her account for about a month as the motherboard on the PC had issues!

One thing that's changed now is that it's also setting you as "on holiday" so it's sending auto replies to everyone, advertising whatever website it does (I've never clicked it to check).

You'd think that Microsoft would sort this as it's clearly a fault at their end. There are no viruses, spyware or ANYTHING on this network, and the passwords I use on this network, and on my mother's email account are quite complex too. In an ironic twist, I noticed that my password was as insecure as you can get, but I'm the only person in my family that hadn't been hacked :D
Flickr Deviant art
Art is not a handicraft, it is the transmission of feeling the artist has experienced.
Leo Tolstoy

Rik

It probably fooled the hacker, Niall. :)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.