Websense Security Labs ThreatSeeker™ technology has discovered that Windows Live Mail accounts have been targeted in recent spammer tactics. In these recent attacks, spammers have managed to create bots that are capable of signing up and creating random Live Mail accounts that could be used for a wide range of subsequent attacks.

Windows Live Mail is a part of the Microsoft Windows Live portfolio of services. It is a free webmail service by Microsoft. It was first announced on November 1, 2005 as an update to the Microsoft MSN Hotmail service. Its worldwide release was on May 7, 2007, and roll-out to all existing users was completed in October 2007.

Websense believes that there are three main advantages to this approach for the spammers. First, the Microsoft domain is unlikely to be blacklisted. Second, they are free to sign up. And third, it may be hard to keep track of them as there are millions of users worldwide using the service.

Let’s see how this process is automated.

First, the bot is observed to request the Live Mail registration page and it begins filling in the necessary form fields (as any ordinary user would be required to) with random data. When it comes to the CAPTCHA verification test, the bot sends the CAPTCHA image to its CAPTCHA breaking service for the text in the image.

Screenshot showing the image sent to the bot’s CAPTCHA breaking service for a break request





Next, we observe the bot receiving a response from the server with the text in the CAPTCHA image.

Screenshot showing the bot receiving the answer of “89YTSJ9W”, which is the last piece to complete the registration for the Windows Live Mail service



And of course, the spammers have now streamlined the process of mass-registering free email accounts for nefarious purposes.

Screenshot showing the bot repeating this process over and over. Wash, rinse, and repeat.



We note that on average, 1 in every 3 CAPTCHA breaking requests succeeds—setting the bot’s success rate at around 30-35%.

Screenshot of accounts created for spamming



Screenshot of the emails sent by these fake Windows Live Mail accounts



Screenshot of sites where these emails send users



The malicious executables have MD5 fingerprints of ed763fe783cbf45aa8a652964cfb180e and a6eb7adab36c253a13c16fa5c52b27bd.

Websense believes that these accounts could be used by the spammers at any time for a variety of social-engineering attacks in future. A wide range of attacks would be possible using the same account credentials in other significant and extended Live services offered by Microsoft Corporation, such as Live Messenger (instant messaging), Live Spaces (online storage), etc.