I did it on a Linux machine, in case there was some risk of a Windows exploit. The ‘cancel request’ URL took me to a page that my browser said was account.live.com, BUT…
- although I’d chosen the cancel request, the page was asking me to continue and confirm the reset.
- I entered a fake email address and password - the error message it gave me was peculiar - saying that only email addresses starting with a number are valid.
So something is screwy - it seems a bit unlikely that a browser’s address and status bars can be forced to show a simple, genuine URL when something else is actually the case, but still, something is not quite right.
I reported the emails back through Hotmail as phishing attempts. I’ll probably change the account password myself (visiting the site directly) tomorrow.
Score another vote for phishing. A standard trick is to have a long URL which starts with something which looks legitimate, but after a little while there’s an @ sign, and what follows is the real domain.
Not if he cut and pasted the plain text (not the same as right click > copy link).
You can also look at the headers and see if anything weird pops up there.
When I reset my password, the MSN link asked me to confirm as well. I still think it’s either somebody accidentally requesting a new password (I’ve done this before, where I stupidly was using my Yahoo screen name trying to log into a Hotmail account, and I requested a password change before realizing my mistake) or somebody trying to hack into your account. For example, if I have access to one of your email accounts, I could try resetting password on your Hotmail account, hoping that your alternate email address is the one whose email account I have access to.
Yes, actually. The hope is simply that the sucker will not spot the @ sign. Or the phisher can use the ASCII number (%xx) for the @ sign instead.
Another trick - now fixed, I hope - is to put special characters in the URL - %01 and %02 IIRC - which caused certain browsers to partially hide the URL when it’s displayed in the address bar.
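The two tricks described in the posts above (a fake “legitimate” name before an @ sign, possibly hidden as %40, and control characters such as %01/%02 stuffed into the address) can be checked mechanically before anyone clicks. The following is an added example written for this thread, not code posted by any participant; the sample URLs are constructed, and the phish.example host and the `expected_domain` parameter are assumptions for the demonstration. It decodes percent-escapes, reports any userinfo that precedes the real host, flags control characters, and compares the host a browser would actually connect to against the domain the mail claims to be from.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample URLs for the demonstration (not taken from the thread).
SAMPLE_URLS = {
    # A plain reset link with nothing in front of the host.
    "plain": "https://account.live.com/ResetPassword.aspx?id=CONSTRUCTED",
    # The @-sign trick: everything before the @ is userinfo, the host is phish.example.
    "at_sign": "https://account.live.com@phish.example/ResetPassword.aspx",
    # The same trick with the @ written as %40.
    "encoded_at": "https://account.live.com%40phish.example/ResetPassword.aspx",
    # Control characters (%01, %02) inserted before the @.
    "control": "https://account.live.com%01%02@phish.example/ResetPassword.aspx",
}


def real_host(url):
    """Return the host a browser would actually connect to.

    Percent-escapes are decoded first so that a %40 written to disguise the @
    is examined the same way as a literal @; urlsplit then discards any
    user:password@ prefix, leaving only the real host.
    """
    parts = urlsplit(unquote(url))
    return (parts.hostname or "").lower()


def url_findings(url, expected_domain):
    """List the suspicious properties of url relative to expected_domain.

    expected_domain is an assumed parameter: the domain the e-mail claims to
    come from (e.g. "live.com"). Returns an empty list for a clean URL.
    """
    decoded = unquote(url)
    parts = urlsplit(decoded)
    findings = []

    # Anything before an @ in the authority is userinfo, not the host.
    if parts.username is not None:
        findings.append(
            "text %r precedes the real host as userinfo" % parts.username
        )

    # C0 control characters (and DEL) have no business in a link.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        findings.append("control characters embedded in URL")

    # Finally compare the effective host with the claimed domain.
    host = real_host(url)
    expected = expected_domain.lower()
    if not (host == expected or host.endswith("." + expected)):
        findings.append("real host %r is not under %r" % (host, expected))

    return findings


if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(name, "->", real_host(url), url_findings(url, "live.com"))
```

Run as a script it prints, for each sample, the effective host and the list of findings; only the plain link comes back clean, while the three disguised ones all resolve to phish.example.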
There isn’t an @ sign in the URL - the bit I snipped in the OP consists of a number of very long alphanumeric parameters (basically looks like a long string of gibberish, studded with ‘&xy=’ and the like).
Maybe the screwy effects I noticed are just bad web design by MS.
Definitely. The really convincing phishing mails I have received are absolutely 100% identical to the ‘official’ emails sent out by institutions, with only the targets of the links changed to point to a server in Romania or similar, and broadcast to the internet at large.
If there are no links in the normal communications, they may modify a part of the body slightly - e.g. change text URLs to hyperlinks or use a ‘your statement is now ready, point your browser at texttexttext.com to view it’ letter as the basis for a ‘we are updating our security procedures, please go to linklinklink.com and confirm your details to maintain internet access to your account’.
Turning on the ‘status bar’ or whatever and doing a mouseover will usually reveal exactly where the link will really send you, but the best bet is always to go to the main homepage manually and then follow the logon links.
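The mouseover check described in the post above (the visible link text says one place, the real target is another) can be applied to a whole HTML mail at once. This is an added example for the thread, not code from any poster; the sample message is constructed, and phish.example is an assumed host. It collects every anchor, and wherever the visible text itself looks like a URL or domain, compares the host it shows with the host the href really points to.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A constructed password-reset mail: the wording looks official, but the
# first link's href points somewhere other than the text it displays.
SAMPLE_EMAIL = """
<p>We received a request to reset the password for your account.</p>
<p>To confirm, visit <a href="http://phish.example/reset?t=CONSTRUCTED">
https://account.live.com/ResetPassword.aspx</a>.</p>
<p>If you did not request this, go to
<a href="https://account.live.com/CancelRequest">https://account.live.com/CancelRequest</a>.</p>
<p>Questions? <a href="https://support.live.example">Contact support</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text):
    """Host part of a URL; bare domains without a scheme are accepted too."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def looks_like_address(text):
    """Visible text is only comparable when it resembles a URL or domain."""
    return "." in text and " " not in text


def mismatched_links(html):
    """Return (shown_host, real_host) for each link whose text lies about its target."""
    parser = LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        if not looks_like_address(text):
            continue  # "Contact support" style text makes no host claim
        shown, real = host_of(text), host_of(href)
        if shown and shown != real:
            mismatches.append((shown, real))
    return mismatches


if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_EMAIL):
        print("link text claims %s but really goes to %s" % (shown, real))
```

Only links whose visible text is itself an address are compared, so ordinary “Contact support” links are not reported; what is reported is exactly what a mouseover would have shown, for every link in one pass.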
That’s why I think I must now conclude that this is a genuine email, arising from someone accidentally or (more likely) deliberately trying to gain access to my account by changing the password.
The URLs in the browser address and status bars were more or less just accountservices.msn.com - not long or complicated enough to be hiding anything.
There used to be browser exploits where a malicious page could turn off the status bar and put the browser in full-screen mode, replacing them with mockups of the status bar and the window toppings, but I think that hole has been sewn up now (not that it was ever a very convincing exploit anyway, because they had to mimic the look of a set of browser controls, but everybody’s browser looks different).
I guess I should have stressed “usually” a bit more. For certain (old/unpatched) browsers it’s probably possible to spoof that bit, and indeed the contents of the address bar too for that matter - never rely on anything as a definitive ‘tell’. But I think you’re right, someone has accidentally or maliciously tried to get into your account.
Are you prone to sleepwalking or do you have an alternate personality, evil or otherwise? Do you share your computer with anyone?
Eh, I have to disagree. I would say, be informed and savvy, don’t be paranoid and unwilling to learn by investigating what is a real threat and what is legit.
Exactly. And analyzing the real source of the email will offer you additional, useful information. If I got an email like that, I would assume somebody either accidentally requested my account password or somebody is purposely tinkering with my account trying to reset my Hotmail password. I would take different actions than just ignoring and moving on.
I would never use a link provided in an e-mail. I would log in to my account through the usual home page, and go to “my account” or some such to accomplish the same thing. Like when I need to see if I’m really trying to sell someone a 50" plasma and there’s a problem with my listing.