If your friends and contacts have received an email or IM message from your Hotmail account with wording along the lines of "I would like to introduce a good company who trades mainly in electronic products…", it is highly likely that your Hotmail account has been compromised. The same message can also be sent from compromised Gmail and Yahoo accounts.


In most cases, when a spam email is sent in your name to someone else, the spammer doesn’t need access to your account. All they need to do is spoof your email address, i.e. make it look like the message was sent from you. That is very simple to do, and is very common.


However, the latest spate of spam from Hotmail accounts is different in that the attackers actually hack into your Hotmail account and then do some or all of the following things:


  • They send a spam email to all your contacts.
  • They may send a spam IM message to all your Messenger contacts.
  • They may delete all your Hotmail contacts.
  • They may set your auto-response (the one you set when you go away) to send this spam message.
  • They may set your email signature to include the spam message.
  • They may change your password.


You know that they have hacked into the account because you can see clearly that they have sent an email from it to all your contacts. They would not be able to do this if they did not have access to the account.


I don’t have a definitive answer, but I do have a theory which, based on the evidence, looks likely. If your password is a common name or a word that appears in a dictionary, then your account is vulnerable, even if it has a year of birth or number attached to it.


This is how the hackers do it:


  • They employ an automated script that is fed your Hotmail address and then goes to work.
  • It feeds the entire dictionary, plus common passwords and names, into Hotmail one by one, trying to log in.
  • After several attempts Hotmail “locks” the account and presents a CAPTCHA (i.e. a string of wonky letters and numbers that is supposed to stop scripts from doing exactly this, because supposedly only a human can read the letters).
  • Unfortunately the CAPTCHA method no longer stops scripts, because hackers have found ways around it. One of those ways uses sophisticated character recognition software that can read the wonky letters. Another is to feed the letters to “CAPTCHA farms”: the letters are passed to human users, employed by the hackers to read and enter CAPTCHAs, who are often paid by the number of CAPTCHAs they enter (for example 1 cent per entry). This achieves greater returns for the hackers and means they can attack many accounts, bypassing email security systems.
  • Sometimes the scripts spread their work over days, and sometimes weeks, to escape being caught by Hotmail’s attack detection systems.


There are of course other ways for hackers to achieve this kind of attack, such as spyware on your computer, or you being deceived by a rogue website. It is not limited to Hotmail either: Googlemail (Gmail) and Yahoo are open to the same kind of attack.


What you can do


To try to avoid your own web-based email getting hacked, these are the most important things you can do:


  1. Pick a strong password. Try to make your password unique; use symbols and punctuation, or substitute numbers for letters (i.e. E = 3, I = 1, etc.). Did you know 20% of passwords are so poor even I could guess them!! e.g. 123, “password”, your pet’s name, your son’s or daughter’s name, your favorite football team, your city, your date of birth.
  2. Change your password every few months.
  3. Run spyware and virus-checker software regularly.
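As an added illustration (not the article's own code), here is a small Python check that mimics the guessing script described above: it strips an appended year or number, reverses the digit-for-letter substitutions from item 1, and looks the remainder up in a constructed sample wordlist, so that a password like Password1985 or p4ssw0rd1 is still flagged as weak. The wordlist, the 12-character minimum and the character-class rule are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed sample wordlist standing in for "the entire dictionary,
# plus common passwords and names" that the article says the script
# feeds into Hotmail one by one. A real list has millions of entries.
WORDLIST = {
    "password", "123456", "qwerty", "letmein", "football", "liverpool",
    "london", "michael", "jessica", "charlie", "summer", "monkey",
}

# Digit/symbol-for-letter substitutions (E=3, I=1, ...). A guessing
# script simply tries these same substitutions, so we undo them first.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Characters commonly appended to a word: years, birthdays, a "!".
TRAILING = "0123456789!?._-"


def dictionary_base(password: str) -> Optional[str]:
    """Return the wordlist entry a password reduces to, or None.

    Tries the password as typed, then with surrounding digits and
    punctuation stripped, then with the substitutions reversed.
    """
    core = password.strip(TRAILING)
    for candidate in (password, core, core.translate(LEET)):
        if candidate.lower() in WORDLIST:
            return candidate.lower()
    return None


def assess(password: str) -> str:
    """Classify a password; thresholds below are assumed policy values."""
    base = dictionary_base(password)
    if base is not None:
        return f"weak: reduces to dictionary word '{base}'"
    if len(password) < 12:
        return "weak: shorter than 12 characters"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        return "weak: fewer than 3 character classes"
    return "ok"


if __name__ == "__main__":
    for pw in ("Password1985", "p4ssw0rd1", "Liverpool2010!", "Tr0ub4dor&3Fanfare!"):
        print(f"{pw:24} {assess(pw)}")
```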