MXLogic has posted a short article under the title Web Security Breaches Rock Hotmail, which hints at the existence of a previously undisclosed security issue with the popular webmail service. The article is short on useful details, but the ultimate source seems to be a Windows Live help document about account compromises.
The symptoms described in the document match those we've talked about in earlier posts, and Hotmail's advice for owners of compromised Hotmail accounts matches the recommendations we've made in the past. The help document adds:
"Hotmail believes that this may be due to a virus on a computer that you have used to login to Hotmail at some point in the past."
That's certainly a possible explanation, although they don't sound entirely convinced themselves. The small number of responses that we had to our questionnaire about security shows that the problem affects users of non-Microsoft operating systems (Linux, MacOS) and browsers (Opera, Firefox) as well as users of Microsoft products. It's always possible, however, that all those affected had used an infected Windows machine to quickly check their Hotmail at some point.
That leaves one other question unanswered, though. If the compromises are the result of a password-stealer virus running on a Windows machine, why do they seem to exclusively affect Hotmail accounts? As yet, we've seen nothing to suggest that the spammers are abusing Yahoo! or Gmail accounts. In theory, it should be equally easy for a keylogger to steal passwords to those services and for the spammers to exploit the passwords in the same way.
It's possible that the keylogger used is only capable of capturing Hotmail passwords, and the spammers don't have the skills to extend it. Or it's possible that they have developed automation software for 'driving' the stolen accounts, are unable to adapt it to remotely controlling other webmail accounts, and are unwilling to spend the time to exploit those accounts manually. Neither of these explanations is entirely convincing, leaving open the possibility — as we've suggested before — that something else, something very specific to Hotmail, is at work.