Their Hotmail account is getting hacked, and from then on is being used by scammers or malware authors to spread their malicious intent.
In almost all cases, you'll receive an email with (No Subject), and the only content is a link pointing to some website. But wait: it seems that all those websites have (probably an outdated version of) Wordpress installed.
When you click the link, you will be redirected to either a scam/phishing page or scareware/rogueware.
Either way, you'll first get the following message:
Message you receive when clicking on the link
So let's take a closer look at the 2 scenarios you get on your plate:
Scenario #1 - scam
Scam page
In scenario number one, you'll be presented with an awesome News page, where you can read several testimonials of how great working from home is.
It also has some fascinating news stories on how to make lots of money by simply being at your comfortable home. This includes reactions on the articles - of course this is all fake.
If you click on any of the links on this website, you'll be ultimately redirected to - hxxp://internetprofitpacket.com
Administrative Contact:
WhoisGuard
WhoisGuard Protected
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US
UrlQuery Result:
Suspicious
http://urlquery.net/report.php?id=40849
URLvoid Result:
1/25 (4.00%)
http://www.urlvoid.com/scan/internetprofitpacket.com/
Ultimately you land on the following page:
Landing page where you'll need to pay
After paying a small price, you'll get lifetime access to the Internet Profit Package ! What honor !
Obviously, you'll get scammed and your credit card details might get stolen.
Scenario #2 - scareware
Likewise as in scenario #1, you'll get the nice message that you got here thanks to your friend.
Seems like you're infected ... right ?
You'll then be presented with a pop-up indicating critical process activity has been found and a scan will be launched... (I think we all know this one by now) :
Fake Explorer window indicating numerous infections
If you click on any button, a file will be downloaded with the name of setup.exe.
In this case, the file was downloaded from:
hxxp://fail-safetylow.info/bb61f9bcec711d56/29/setup.exe
This site and several other rogueware pages are hosted on the IP:
64.120.207.107
Several other rogueware sites are hosted on this IP
We'll now see some more details about the downloaded file:
setup.exe
Result: 5/40
MD5: 8b0c16a50c0bca1eb0b45bd411eb30e5
VirusTotal Report
ThreatExpert Report
Anubis Report
This file drops another executable:
Protector-hfpt.exe
Result: 5/42
MD5: f04cb906356f19a1dbf68c62f162c4e7
VirusTotal Report
Anubis Report
The payload is a rogueware called "Windows Antibreaking System" :
Windows Antibreaking System setup screen
Windows Antibreaking System main screen
Prevention
- Most important of all: use a strong password ! You can verify your current password, or create a new one to check its strength on the following website: http://www.passwordmeter.com
- Second important rule: don't use the same password for each and every website !
- Be wary when receiving such a mail, even if it's from someone you know.
- Use browser extentions to verify the integrity of an image or URL. Useful add-ons are for example WOT or NoScript.
- Keep your Antivirus and browser, as well as your browser add-ons up-to-date.
- If it is too late and a 'scan' is already starting, immediately close your browser by bringing up Task Manager (CTRL + ALT + DEL) and killing your browser's process:
- a) For Google Chrome: chrome.exe or chrome.exe *32
- b) For Mozilla Firefox: firefox.exe or firefox.exe *32
- c) For Microsoft's Internet Explorer: iexplore or iexplore.exe *32
Desinfection
If the harm is already done and you are getting warnings, messages or pop-ups stating you are infected and you need to take 'immediate action' to clean your computer, follow the guide below at BleepingComputer's to rid yourself of this malware:
BleepingComputer's Virus Removal
Also, if you know the sender personally, notify him/her that they've been hacked and they need to change their password. If you don't know the sender, immediately remove the email.
In Hotmail, you even have a useful option if you know the sender. Open the email, select Mark as and click on My friend's been hacked!
Help your friend by stating (s)he's been hacked
If you happen to have a Wordpress website, be sure to update it regularly as well as any Wordpress plugins you may have installed. This website will aid you in the matter: Hardening WordPress
Conclusion
Don't fall for either of these, in both cases you'll lose a lot of money !
Follow the above prevention tips to decrease the chance of your computer becoming infected.
