Email phishes for Windows Live IDs and passwords
The flu pretty much wiped out most of last week, which is just a blur to me. This morning, I started catching up on email and found a real frakker in my Windows Live Hotmail inbox. Someone wants to steal my Windows Live ID and password -- and probably yours, too. The message is dated Feb. 22, 2010.
The email caught my attention for several reasons: 1) Windows Live Hotmail didn't flag the message as junk or suspicious; 2) The apparent originating address -- "[email protected]crosoft.windowslive.com" -- seems legit enough; 3) Sender is "Windows Live Team"; 4) The email effectively uses threats and cajoling.
I know that phishing emails are common enough for me not to single this one out. But, hey, I'm catch-up blogging and concerned someone else will get suckered to cough up their credentials. The email might have slipped through Windows Live Hotmail security checks because there cleverly are no links. It's an old school phishing attack. Instead of sending the user to a Website to enter in credentials -- surely something Microsoft would catch -- the information is given via reply email.
By the way, you don't want to lose your Windows Live ID. Have you ever tried to cancel one? It's not desperately difficult for one simply attached to Hotmail. But once Microsoft has your credit card on file and attached to several paid services, the process gets tough. Last time I tried to cancel a Windows Live ID, three different Microsoft reps insisted I independently cancel Xbox Live and Zune subscription services first because a credit card number was attached to them. Imagine criminals controlling your ID and perhaps purchasing "points" at your expense -- among other nefarious activities -- all while you struggle to cancel or suspend the account. If faced with that situation, I would report a terms of service violation, which might get faster response.
Having been sick with the flu, I laughed at the phishing email's "We are having congestions due to the anonymous registration of Hotmail/Live accounts" as justification for demanding ID and password. Full text of the email:
Are you protected?
Dear Account User,
This Email is from Hotmail/Live Customer Care and we are sending it to every Email User Accounts Owner for safety. We are having congestions due to the anonymous registration of Hotmail/Live accounts so we are shutting down some Hotmail/Live accounts and your account was among those to be deleted.
We also noticed a violation use of your account and if you think you have not violated the Terms and Condition of Hotmail/Live, please verify below with information requested
You will have to confirm your E-mail by filling out your Login Information below after clicking the reply button, or your account will be suspended within 48 hours for security reasons.
- Username: ...............................
- Password: ................................
- Date of Birth: ............................
- Country Or Territory: .................
After following the instructions in the sheet, your account will not be interrupted and will continue as normal. Thanks for your attention to this request. We apologize for any inconveniences.
Warning: Account owner that refuses to update his/her account after two weeks of receiving this warning will lose his or her account permanently.
The Windows Live Hotmail/Live Team.
Just a reminder: Microsoft will never ask for your password in an email, nor would just about any other responsible service. Passwords should never be sent by email. I would have to check with Microsoft about whether information sent via Windows Live Hotmail is in the clear -- another reason not to send any confidential information via email. Windows Live log-in is https but my Hotmail page link is http, suggesting no encrypted connection. By comparison, Gmail is now https, a change Google made after the recent Chinese hacks.
I have to ask: Anyone else out there get this e-mail or something like it?