Number spoofing, spam and email hacks

By Peter Griffin 10/12/2009

It’s been a bit of a paranoid time for me, helped in no small part by the deviousness of PC World columnist Geoff Palmer, who used me and my colleague Aimee Whitcroft as guinea pigs in a phone number spoofing demonstration.

Geoff had flagged with us we might receive some unusual text messages, but the warning was soon forgotten. I was getting into the shower the other morning when my mobile beeped. I picked it up to see the following message displayed on the screen:

I’ve had it with your crumby job. I’ve found a better one. I quit!

The text message appeared to be from Aimee’s phone number. Around the same time, I later found out, Aimee received the following message, apparently from me:

Don’t bother coming in today. In fact, don’t bother coming back at all. You’re fired.

For 60 seconds or so I stood in the gathering steam of my bathroom puzzling over what could have caused my usually even-tempered colleague to throw in the towel – via text message. Then Geoff’s warning came back to me. Aimee, unfortunately, didn’t click as quickly, and it took a few follow-up messages to avoid a fully-fledged employee relations meltdown.

I had to chuckle, but it could have been very different if the prank was pulled on a totally unsuspecting party. As Geoff outlines in his blog post, spoofing a person’s mobile phone number so it appears that a message was sent from you is relatively straightforward. Imagine the personal and professional chaos you could cause!

Hotmail exploit

I was recovering from the spoofing incident when I discovered that someone had hacked into my seldom-used Hotmail account and had sent the following message to everyone in my Hotmail contact book:

Subject: Dear !k!
Hey! how are you today ?
I found a good website last week: ( )
One of my friend bought a notebook and he got the product in one week. Its quality is very good and the price is competitive.

Now , the Christmas day is coming, this website will be a good choice for you. I am sure you will get many surprise and benefits. please forgive me for this email if you are not interested in anything upon them


They also sell Laptop,TV,Games,Phones,Camera,Motorcycles and so on.
their product are fully with original quality

I was pretty annoyed by this as I imagined all of my colleagues and friends, past and present, opening a bizarre, badly-worded piece of spam appearing to come directly from me. I’m still getting to the bottom of it (Geoff, own up now if it was your doing!) but this one isn’t a spoofing trick. My account was used to send out dozens of spam emails – I know this because there are dozens of delivery failure notifications in the inbox – bounce-backs from accounts that no longer exist.

So someone gained access to my Hotmail account and sent out dozens of spam messages, obviously as part of some automated spam program. It seems I’m not alone in being hacked in this way.

“…these are coming from the Hotmail website and have nothing to do with my PC. I’ve changed my Hotmail password and will cross my fingers that this doesn’t happen again. It’s something Hotmail needs to fix, because other than changing the password, there’s nothing I can do on this end.”

This appears to be a fairly common (of late) exploit in Hotmail or the Windows Live/MSN network allowing unauthorised access to the contact books of MSN users. As such it is pretty shocking. Like those writing in the Windows forum, I’m pretty sure my computer is virus- and malware-free. I’ve since changed my password and so far so good, but Microsoft needs to get to the bottom of what went on here – and tell its users about it.

Xtra account hacked?

Just today I received the following bizarre message, apparently from a scientist we have had regular contact with at the SMC:

Subject: Swift response

Sorry I didn’t inform you about my traveling to the UK. I’m presently in Royal Victoria Dock, England. And am having some difficulties here because i misplaced my bag on my way to the hotel where my money and other valuable things were kept.

Presently my passport and my things are been withheld by the hotel management pending when i make payment.

At the moment am not my self and I cant even think straight but  I will appreciate it, if you can loan me $3,325 to sort-out my hotel bills and to get myself back home and I will refund it upon my return.You can help me wire the money  through western union money Transfer to my personal details and to the hotel address bellow.

Name:  [name removed]

Address: 2 Festoon Way,  Royal Victoria Dock,
London   England.
United Kingdom

As soon as you get it done,send me the Transfer details Including the (money  Transfer Control Number).Get back to me as soon  as you can.


[name removed]

Now we haven’t been able to get in touch with the scientist whose account this email was sent from – he is based overseas much of the time – but it looks very much like a scam to me, and one that uses in several places the first name of the account holder, suggesting this is no automated fraud attempt. Now that’s slightly worrying.

All of this serves to remind us how important keeping our digital identity secure is. The problem is, hacking and spoofing efforts seem to be getting more sophisticated all the time – how long before we have a hack attack of epic proportions affecting the hundreds of millions of webmail users around the world? A slightly worrying prospect indeed…

0 Responses to “Number spoofing, spam and email hacks”

  • The Hotmail hack? Not guilty! (But then I would say that, wouldn’t I …)

    The Xtra one’s interesting. It’s almost certainly a con, but you could have fun with the scammers by telling them you’ve sent the money but aren’t happy emailing the TCN. “There are lots of hackers about so phone me for the number …”

    My guess is the person concerned has either lost their laptop or fallen foul of the “evil maid” attack. The latter is particularly sneaky because the victim won’t be aware they’ve been hacked — and it even works on an encrypted hard drive. Bruce Schneier explains:

    “Earlier this month, Joanna Rutkowska implemented the ‘evil maid’ attack against TrueCrypt. The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. Basically, the attack works like this:

    Step 1: Attacker gains access to your shut-down computer and boots it from a separate volume. The attacker writes a hacked bootloader onto your system, then shuts it down.

    Step 2: You boot your computer using the attacker’s hacked bootloader, entering your encryption key. Once the disk is unlocked, the hacked bootloader does its mischief. It might install malware to capture the key and send it over the Internet somewhere, or store it in some location on the disk to be retrieved later, or whatever.

    You can see why it’s called the ‘evil maid’ attack; a likely scenario is that you leave your encrypted computer in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader. The same maid could even sneak back the next night and erase any traces of her actions.”

    (more here: