The email, which has the subject line "CONFIRMATION ALERT RESET (2013)", is sent from a generic @msn.com email address. It urges the user to reply via email with their full name, username, password, date of birth and country in order to confirm their identity.
“It's a brand new year and you would like to think that computer users are getting smarter about securing their systems, and not falling for the age-old tricks used by cybercriminals,” said Sophos security researcher Graham Cluley, in a blog post. “However, we still see our fair share of elementary unsophisticated attacks designed to steal credentials from the unwary.”
In this latest case, the emails purport to be from the Windows Live Team, warning of account closure. The mail reads:
“We have recently confirmed that different computers have logged onto your Hotmail and MSN account and multiple password errors have been entered. We are hereby suspending your account; as it has been used for fraudulent purposes. Now we need you to reconfirm your account information to us. Click your reply tab, fill in the columns below and send it back to us or your email account will be suspended permanently.”
“Of course, Microsoft would never ask you to confirm your identity in this fashion – especially not by sending your password in an (unencrypted) email,” Cluley said. “But less security-savvy computer users might be duped into believing it is true, and respond with all the information the cybercriminals want, before having a chance to think twice.”
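The message above carries the classic signs of a credential-harvesting phish: a sender on a free webmail domain claiming to be the provider's own team, a demand to reply by email with a password and other personal details, and a threat of account suspension. The following is an added example (not code from the article, Sophos, or Microsoft) of a small heuristic checker that scores an inbound message on those indicators; the domain list, regular expressions, weights, threshold and the two constructed sample messages are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Free webmail domains a provider's real support team would not send from
# (assumed list for this example).
FREE_MAIL_DOMAINS = {"msn.com", "hotmail.com", "live.com", "outlook.com",
                     "gmail.com", "yahoo.com"}

# Indicator patterns modelled on the campaign described in the article.
REPLY_WITH_CREDENTIALS = re.compile(
    r"\b(reply|send (it )?back)\b.*\b(password|passwd)\b"
    r"|\b(password|passwd)\b.*\b(reply|send (it )?back)\b",
    re.IGNORECASE | re.DOTALL)
PERSONAL_FIELDS = ("full name", "username", "password", "date of birth", "country")
URGENCY = re.compile(r"\b(suspend(ed|ing)?|closure|permanently|immediately)\b",
                     re.IGNORECASE)
PROVIDER_CLAIM = re.compile(
    r"\b(windows live|hotmail|msn|microsoft) (team|support|security)\b",
    re.IGNORECASE)


@dataclass
class PhishVerdict:
    score: int
    indicators: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain of 'Name <user@domain>' or 'user@domain'."""
    return addr.rsplit("@", 1)[-1].strip(">").lower()


def assess(sender: str, subject: str, body: str) -> PhishVerdict:
    """Score a message on the indicators seen in the MSN/Hotmail campaign."""
    v = PhishVerdict(score=0)
    text = f"{subject}\n{body}"
    # Claims to be the provider's team but originates from a free webmail account.
    if PROVIDER_CLAIM.search(text) and sender_domain(sender) in FREE_MAIL_DOMAINS:
        v.indicators.append("provider-team claim from a free webmail sender")
        v.score += 2
    # Asks the recipient to send a password back by email.
    if REPLY_WITH_CREDENTIALS.search(body):
        v.indicators.append("asks for a password in an email reply")
        v.score += 3
    # Harvests several personal data fields at once.
    requested = [f for f in PERSONAL_FIELDS if f in body.lower()]
    if len(requested) >= 3:
        v.indicators.append(f"requests {len(requested)} personal data fields")
        v.score += 2
    # Pressures the recipient with suspension or closure.
    if URGENCY.search(text):
        v.indicators.append("threatens suspension or closure")
        v.score += 1
    return v


def is_phish(sender: str, subject: str, body: str, threshold: int = 4) -> bool:
    return assess(sender, subject, body).score >= threshold


# Constructed sample mirroring the message quoted in the article.
SAMPLE_PHISH = (
    "Windows Live Team <alert@msn.com>",
    "CONFIRMATION ALERT RESET (2013)",
    "We have recently confirmed that different computers have logged onto your "
    "Hotmail and MSN account and multiple password errors have been entered. "
    "We are hereby suspending your account; as it has been used for fraudulent "
    "purposes. Click your reply tab, fill in the columns below and send it back "
    "to us or your email account will be suspended permanently.\n"
    "Full Name:\nUsername:\nPassword:\nDate of Birth:\nCountry:\n"
    "Windows Live Team",
)

# Constructed benign notification for comparison.
SAMPLE_LEGIT = (
    "no-reply@accountprotection.microsoft.com",
    "Security info was added",
    "Microsoft Security: security info was recently added to your account. "
    "If this was you, no action is needed. We will never ask for your "
    "password by email.",
)

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        verdict = assess(*sample)
        print(sample[1], "->", verdict.score, verdict.indicators)
```

A filter like this is only a first-pass triage aid: the weights are arbitrary, and the strongest single signal is the one Cluley points to, a request to send a password back by email, which a real provider never makes.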
He added, “Don't be a cybercrime statistic, make sure that you, your friends and your family are wise to such tricks and don't share your login information with anybody.”
Even though phishing campaigns are expected to become more sophisticated, the MSN outbreak shows that the old-school methods still persist: phishing is still delivered mainly by mass spam campaigns, largely sent through hired botnets.
Going forward, simple phishing like the MSN gambit is becoming less effective as users begin to recognize the clues. In its place will be more targeted attacks. “If 2012 was the year of BYOD,” said Rohyt Belani, CEO at PhishMe, “2013 will be the year of mobile malware designed to take advantage of it. We have seen a growth in consumer apps that violate privacy, for example by tracking your GPS data, but in 2013 we will see criminals targeting mobile device users, specifically with the intention of getting inside their corporate email system.”