Microsoft’s instant messenger in the tricksters' focus

06/23/2010
G DATA Blog

Recently, we observed an increase in spam and phishing sites related to MSN Messenger, or rather Windows Live Messenger. There is a new wave of spam with fake friend requests, as well as fake sites offering shady services that claim to uncover possibly disloyal messenger friends.

The e-mails flooding into our systems lure the recipients with subject lines like:

  • THEODORA BOUCHER added you as a friend on Windows Live
  • Silje HUTCHINSON added you as a friend on Windows Live
  • ADELINA Keene added you as a friend on Windows Live

The list of different names is very long. The included links, where the referral sites are still active, all lead to a software-selling site with a Russian TLD: buy-softwarestore.ru.
This store is known to operate under various similar domains and to attract customers with insanely cheap prices for high-quality software products. It is, of course, not a good idea to attempt to buy software on this site or to leave any personal information, let alone credit card information, there.
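A mail-filter check for the pattern described above, as an added example (not G DATA's code): it flags messages whose subject uses the fake friend-request wording while their links point outside the domains a genuine notification would use. The trusted-domain list, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Subject wording taken from the spam samples quoted above.
SUBJECT_RE = re.compile(r"^.+ added you as a friend on Windows Live$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumption: domains a genuine Windows Live notification would link to.
TRUSTED_SUFFIXES = ("live.com", "microsoft.com")

def is_trusted(host):
    """Match whole DNS labels so 'live.com.example.invalid' is not trusted."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def check_message(raw):
    """Return (flagged, untrusted_hosts) for one raw e-mail message."""
    msg = message_from_string(raw, policy=default)
    if not SUBJECT_RE.match(str(msg["Subject"] or "").strip()):
        return False, []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    untrusted = sorted(h for h in hosts if h and not is_trusted(h))
    return bool(untrusted), untrusted

def make_sample(subject, link):
    """Build a constructed test message (not a captured sample)."""
    return ("From: Windows Live <notify@example.invalid>\n"
            f"Subject: {subject}\n"
            "Content-Type: text/plain; charset=utf-8\n\n"
            f"Accept the invitation here: {link}\n")

SUBJECT = "THEODORA BOUCHER added you as a friend on Windows Live"
SAMPLES = {
    "spam": make_sample(SUBJECT, "http://redirect.example.invalid/a?id=1"),
    "lookalike": make_sample(SUBJECT, "http://live.com.example.invalid/a"),
    "genuine": make_sample(SUBJECT, "https://profile.live.com/invite"),
    "unrelated": make_sample("Lunch on Friday?", "http://example.invalid/menu"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw))
```

The subject match alone is not enough to flag a message, because a genuine notification uses the same wording; the link destination is what separates the two.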

Our other observation concerns phishing sites that try to obtain IM user credentials by offering a kind of spy service. There are two different services on offer. By providing your account’s user name and password, you may…

  • See a list of all users who blocked your account
  • See a list of people who deleted the provided account from their own list of friends


Trying out these services with a generic test account ("Michael") returned disappointing results, as expected. The “who-blocked-you” service was not able to identify that, of the two contacts on Michael’s list, one had actually blocked him and one had not. Both names were listed.

And the “who-deleted-you” service did not even post any information about contacts – it just asked the user to wait until the page was completely loaded. Well, it was loaded immediately and nothing else happened.


But even several hours later, none of the services we used had logged into Michael’s account. Could it be true that they do not save or use any credentials for anything other than the contact list checks? We will see. But Michael’s account, with only two contacts, is probably not interesting enough.