A couple of days ago, Trend Micro reported an attack that appeared to be targeted and that involved email messages sent through a Webmail service. Upon further investigation, Trend Micro was able to confirm that this attack exploits a previously unpatched vulnerability in Hotmail. Trend Micro detects the malicious email messages as HTML_AGENT.SMJ.
“The said attack simply requires the targeted user to open the specially crafted email message, which automatically executes the embedded script. This then leads to the theft of critical information, specifically email messages and information about the affected user’s personal contacts. The stolen email messages may contain sensitive information that cybercriminals can use for various malicious routines,” Karl Dominguez, Trend Micro’s Threat Response Engineer said in a blog post.
The script connects to http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number} to download yet another script.
“The nature of the said URL strongly suggests that the attack is targeted. The URL contains two variables—{user account name}, which is the target user’s Hotmail ID, and {number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as we’ve found that the information theft routines are only executed when certain numbers are in the {number} field,” Dominguez opined.
The URL leads to another script detected by Trend Micro as JS_AGENT.SMJ. The script triggers a request that is sent to the Hotmail server. The said request sends all of the affected user’s email messages to a certain email address. The email message forwarding, however, will only work during the session wherein the script was executed and will stop once the user logs off.
The attack takes advantage of a script or a CSS filtering mechanism bug in Hotmail. Microsoft has already taken action and has updated Hotmail to fix the said bug.
Dominguez said, “We analyzed the embedded crafted code before the actual email message’s content and discovered that onceHotmail’s filtering mechanism works on the code, it ironically helps inject a character into the CSS parameters to convert the script into two separate lines for further rendering in the Web browser’s CSS engine. This allows the cybercriminals to turn the script into something that allows them to run arbitrary commands in the current Hotmaillogin session.”
Microsoft has already acknowledged the presence of the vulnerability and has released a security update to address the issue.