Hotmail Hijack #4

We continue to get reports from users who have had their Hotmail accounts taken over by a particular Chinese 'fake-storefront' scammer. The compromised accounts are then used to send out email advertising the fake shopping sites set up by this scammer.

Initial reports of this problem came from Windows users. Since then, however, we've had reports from users of both MacOS and Linux that their Hotmail accounts have been compromised. This makes it much less likely that the passwords are being stolen by some piece of malware, and more likely that some other mechanism is being used.

One Linux user whose account was compromised reported that a few months previously he had received multiple warnings from Hotmail telling him that there had been too many login failures on his account, and that he needed to reset his password. This might suggest that the scammers could be using a password grinder to try random or common passwords, but it seems unlikely that brute force attacks would successfully find any moderately secure password in a reasonable amount of time.

There's convincing evidence that the scammers are actually compromising Hotmail accounts (as opposed to simply forging headers): owners of compromised accounts receive non-delivery reports, the spams get sent to people in their Hotmail address book, and their Hotmail vacation message and signature are altered to contain the spam text. The fact that this issue affects not just Windows users, but also users of MacOS and Linux - which are much less likely to be running a password-stealing trojan - suggests that whatever method the scammers use to steal Hotmail passwords doesn't depend on installing a trojan on the user's machine.

Possible theories now include:

  1. Brute force attacks aimed at guessing a user's password
  2. Phishing attacks aimed at tricking users into revealing their password
  3. Traffic sniffing on wired or wireless networks
  4. DNS spoofing allowing the scammer to deploy a 'fake' Hotmail site
  5. Exploiting re-used passwords: if the user uses the same password for Hotmail and for another, less secure site, the scammer may be able to exploit it
  6. Occasional use of Hotmail from insecure (i.e. compromised) machines
  7. A security issue at Hotmail itself

The fact that this attack so far only affects Hotmail may be revealing. If the scammers were using sniffing, spoofing or phishing, they should presumably be able to acquire and use passwords to other services, including Gmail and Yahoo! Mail. But we have not had any reports of similar problems from users of these systems. This suggests either an exploit tied to a specific feature of Hotmail, or that the attack somehow depends on certain software (such as a piece of malware) that is currently only adapted to stealing Hotmail passwords.

If you have had your password stolen by these scammers, please consider using our contact form to send us your answers to the following questions.

  1. What operating system do you use?
  2. What browser do you use?
  3. What anti-virus/anti-spyware software do you run on the computers you use?
  4. Do you ever connect to the Internet using wireless networks?
  5. Do you ever access Hotmail from other computers (e.g. at work, at a friend's house, in a cybercafe)?
  6. Is your Hotmail password strong or weak?
  7. Have you ever had a 'too many login attempts' warning from Hotmail? (If so, how recently?)
  8. Do you ever use the same password on other sites? (If so, which ones?)
  9. Have you ever entered your Hotmail address and password on a site that wasn't Hotmail, such as a social networking site? (If so, which sites?)
  10. Have you ever gone to Hotmail or a related site (such as live.com) by clicking on a link in an email that you received?
  11. Did changing your Hotmail password cause the spam mails sent from your account to stop?
  12. Is there anything else you can tell us?

Obviously, any answers we receive will be treated in strict confidence.
