While monitoring countless sites as part of our current Web threat strategy, we have stumbled upon a legitimate-looking prompt from MSN Live Messenger… or so it would appear (at first).
As the screen captures below show, this prompt closely resembles the real notification displayed by the MSN Live Messenger instant messaging application (also known as Windows Live Messenger) whenever someone on the user's contact list signs in.
Figure 1. Screenshot of fake prompt seen in this attack.
Potential victims who encounter the site (Borradito.com) through spam e-mail or spammed IM messages are first enticed by the Web site's description, which promises to show which of their friends have removed them from their contact list, provided they log in, of course: a convincing lure for getting users to enter their user names and passwords.
When the Web site is opened, a message prompt imitating MSN Live Messenger appears in the lower-right corner of the screen, by the system tray, where the real application's pop-up notifications appear:
Figure 2. Site that opens when users click on phishing mail.
Once users click on the prompt, they are taken to a Flash-based window that also resembles a real MSN group chat window:
Figure 3. Real-looking (and functioning) chat window loaded when users click on the prompt in Figure 1.
This routine serves to hold the user's attention and to build credibility. If the user returns to the main site and enters their credentials, the site displays a list of contacts who have allegedly removed the user from their contact lists:
Figure 4. This page is displayed after the user logs in to the fake site.
What happens under the radar, however, is that the site captures the entered credentials. The accounts are then opened by a remote malicious user, and IM messages containing a link to the Borradito phishing site are sent to every contact on the compromised account's buddy list, as shown below:
Figure 5. IM messages sent to compromised users' contacts.
This ensures further propagation of the threat: each stolen account becomes a new source of convincing-looking invitations. Directly at risk are MSN users and their contacts. Because a single Windows Live ID signs in to several services, the credentials harvested in this attack may also be used to access Windows Live Call (PC-to-phone calls), SkyDrive (file sharing), Spaces, and the Hotmail mailbox tied to the same ID.
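The propagation step described above has a detectable shape: a compromised account sends the same link to nearly every contact within a few minutes, which ordinary chat traffic rarely does. The following is an added example, not code from the original post or from Trend Micro, that applies that heuristic to IM message logs. The log format (one tab-separated line per outbound message: ISO timestamp, sender, recipient, text) and the sample lines are constructed for illustration; the block-list entry for borradito.com is the only indicator taken from the write-up.

```python
"""Flag IM accounts that blast a link to many contacts in a short window.

Added example, not from the original post. The log format is an assumption:
one line per outbound message, 'ISO-timestamp<TAB>sender<TAB>recipient<TAB>text'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Domain named in the write-up; a real deployment would pull these from a feed.
KNOWN_PHISH_DOMAINS = {"borradito.com"}


def extract_domains(text):
    """Return the set of hostnames (without a leading 'www.') linked in `text`."""
    domains = set()
    for match in URL_RE.finditer(text):
        host = urlparse(match.group(0)).hostname
        if host:
            host = host.lower()
            if host.startswith("www."):
                host = host[4:]
            domains.add(host)
    return domains


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, text)."""
    ts, sender, recipient, text = line.rstrip("\n").split("\t", 3)
    return datetime.fromisoformat(ts), sender, recipient, text


def find_link_bursts(lines, min_recipients=5, window_minutes=10):
    """Return {(sender, domain): recipients} for every sender that linked the same
    domain to at least `min_recipients` distinct contacts inside the window."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)  # (sender, domain) -> [(timestamp, recipient)]
    for line in lines:
        ts, sender, recipient, text = parse_line(line)
        for domain in extract_domains(text):
            events[(sender, domain)].append((ts, recipient))

    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the time-sorted events for this sender/domain pair.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {recipient for _, recipient in evs[start:end + 1]}
            if len(distinct) >= min_recipients:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits


def classify(hits):
    """Label each burst: a block-listed domain is 'known-phish', anything else is
    'suspicious-burst' and deserves a look even without an indicator match."""
    return {
        key: ("known-phish" if key[1] in KNOWN_PHISH_DOMAINS else "suspicious-burst")
        for key in hits
    }


# Constructed sample log (not real traffic): alice's account has been taken over
# and blasts the lure to her contact list; bob and carol send ordinary links.
SAMPLE_LOG = [
    "2009-03-02T10:00:01\talice@example.com\tbob@example.com\tsee who deleted you from msn! http://www.borradito.com/",
    "2009-03-02T10:00:05\talice@example.com\tcarol@example.com\tsee who deleted you from msn! http://www.borradito.com/",
    "2009-03-02T10:00:09\talice@example.com\tdave@example.com\tsee who deleted you from msn! http://www.borradito.com/",
    "2009-03-02T10:00:14\talice@example.com\terin@example.com\tsee who deleted you from msn! http://www.borradito.com/",
    "2009-03-02T10:00:20\talice@example.com\tfrank@example.com\tsee who deleted you from msn! http://www.borradito.com/",
    "2009-03-02T10:01:30\talice@example.com\tgrace@example.com\tsee who deleted you from msn! http://www.borradito.com/",
    "2009-03-02T11:30:00\tbob@example.com\talice@example.com\there is the report http://intranet.example.com/report.pdf",
    "2009-03-02T12:00:00\tcarol@example.com\tdave@example.com\tlol http://video.example.net/cats",
    "2009-03-02T15:45:00\tcarol@example.com\terin@example.com\tlol http://video.example.net/cats",
]


if __name__ == "__main__":
    for (sender, domain), label in classify(find_link_bursts(SAMPLE_LOG)).items():
        print(f"{label}: {sender} -> {domain}")
```

The burst heuristic is what catches the account takeover even before the phishing domain is on a block list; the block list only upgrades the verdict. Thresholds are deliberately parameters: a 10-minute window with five distinct recipients is a reasonable starting point for personal IM accounts, but an environment where people routinely share one link with a whole team will need a higher bar or a per-sender baseline.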
Today, e-mail accounts hold many details about one's life, job, and personal affairs that most people would prefer not to divulge to others. Letting your guard down can be very costly and can lead to exploitation; the worst cases include identity theft and financial loss. Trend Micro users are protected from this threat (all related URLs are already blocked by the Smart Protection Network).