I recently received the following email, supposedly from MSN, is it
No, it’s not.
Let’s have a look at that email, and the various signs therein that tell us
that it’s not legitimate. Looking for those same kinds of things in other
emails can help you decide if something is safe, or a potential phishing
An Example of (Bad) Phishing
First, here’s the complete email:
To: *****@hotmail.com
From: VIV0RB@billing.microsoft.com ()
Subject: Account updates!!!!!

Below is the result of your feedback form. It was submitted by (VIV0RB@Billing.msn.com) on Tuesday, July 27, 2010 at 08:16:37
---------------------------------------------------------------------------
: Dear Member. We Here at MSN, are sorry to inform you that we are having problem's with the billing information on your account. We would appreciate it if you would go to our website and fill out the proper information that we need to keep you as an MSN member.Please Update your account information by visiting our updates web site below. (You may have to click on the Show content Link first). James Brady. Updates Center Account Team.
msn Number.HCIDYW
<br>http://msnhotmailive.tk/<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>RZAZHZ
---------------------------------------------------------------------------
An Email Chock Full of Bogus
There are many, many problems with this email. I’ll run them down from top to bottom:
Format: – that this message is in plain text is at least suspicious. Hotmail, MSN, Windows Live – these services, and most others, typically send email notifications in “rich text” or HTML formats. Basically, any deviation from what a service normally does should at least raise a little suspicion.
To: *****@hotmail.com – Most of us have display names associated with our accounts. If you do, you should expect to see that on email from the service. For example, in my case I would expect to see my name, either by itself or with the email address following in a format more like this: To: Leo Notenboom <*****@hotmail.com>.
From: VIV0RB@billing.microsoft.com () – this is in all likelihood a bogus address. “VIV0RB” makes no sense – normally this will either be someone’s name or a department name – something readable. Similarly I’m fairly certain that “billing.microsoft.com” doesn’t exist as a mailing address. Even if it does, the folks who run Hotmail/MSN/Windows Live don’t normally use “microsoft.com” email addresses for official notifications – they typically use addresses relating to the actual service itself. And there are never stray parentheses “()” at the end of their email names.
Subject: Account updates!!!!! – The subject line is somewhat meaningless, but the biggest indicator here is the 5 exclamation points. Official business correspondence would never be that informal or use that as some way to get your attention.
“Below is the result of your feedback form.” – Bad grammar is always suspect in notifications like this. (If you’re not a native English speaker, it should read something like “Below are the results of your feedback form submission.”)
What feedback form? – The fact that you never dealt with a feedback form should be a huge red flag.
“It was submitted by (VIV0RB@Billing.msn.com) on Tuesday, July 27, 2010 at 08:16:37” – this is kinda funny: this email was received before the form was supposedly submitted. Naturally, another sign of a potentially bogus email.
“: Dear Member.” – no idea what the “:” is doing there, it would not appear in an actual notification. If the email is supposedly for you about a specific issue with your account, then the email should name you by name, not as “Member”. Hotmail has never referred to its users as “Member” either. Subscribers, users, account holders … but never member.
“We Here at MSN …” – Microsoft has rebranded MSN as Windows Live. You should never see official email from “MSN” relating to your account. For all practical purposes, MSN doesn’t exist any more.
“We Here at MSN …” – multiple grammar errors, odd capitalization, odd line breaks are all great signs that this is a completely bogus email.
“…visiting our updates web site below.” – Asking you to click a link is a sign to be wary. The proper way to do this is to not provide a URL, but rather just instruct you to go log in to your account for more information.
“(You may have to click on the Show content Link first).” – instructions explicitly suggesting that you bypass your email’s anti-malware protections are suspect.
“msn Number.HCIDYW” – If MSN still existed it would be capitalized in any official email. MSN never had numbers. “HCIDYW” is not a number.
“<br><br><br>…” – A random string of HTML would never show in an official email, plain text or otherwise.
The Big Clue
That URL, http://msnhotmailive.tk/, should be an immediate clue that this is a very, very bogus email.
Anyone can throw the words “msn” “hotmail” and “live” into a domain name and register it if it’s not been registered already – that doesn’t make them Microsoft, or MSN or Hotmail or Windows Live for that matter.
Also, since MSN Hotmail has been rebranded Windows Live Hotmail, MSN and Live would not appear together in a legitimate domain related to the service.
Only go to domain names that you recognize: live.com, hotmail.com, microsoft.com, msn.com. If it’s not one of those, (for something MSN, Hotmail or Windows Live related) it’s probably bogus. Know the domains that your service uses, and view all others with great skepticism.
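For anyone who filters mail or checks links programmatically, here is the same domain test as a short Python sketch. It is an added example, not part of the original article: the function names and the extra sample links (example.tk, notmsn.com) are made up for illustration, and the trusted list is simply the four domains named above.

```python
import re
from urllib.parse import urlsplit

# Domains the article names as legitimate for MSN/Hotmail/Windows Live.
TRUSTED_DOMAINS = ("live.com", "hotmail.com", "microsoft.com", "msn.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_host(url):
    """Return the lower-cased host a URL really points at, or None."""
    try:
        host = urlsplit(url).hostname  # drops any user@ prefix and the port
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def is_trusted_host(host):
    """True only if host IS a trusted domain or a subdomain of one."""
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def naive_brand_match(host):
    """The mistaken test: does a familiar brand word appear anywhere?"""
    return any(word in host for word in ("msn", "hotmail", "live"))


def untrusted_links(text):
    """Return every link in text whose host is not on the trusted list."""
    return [u for u in URL_RE.findall(text) if not is_trusted_host(link_host(u))]


# Constructed sample: the link line from the email above plus made-up links.
SAMPLE = (
    "msn Number.HCIDYW <br>http://msnhotmailive.tk/<br><br>\n"
    "https://login.live.com/ http://hotmail.com.example.tk/verify\n"
    "http://live.com@example.tk/ http://notmsn.com/"
)

if __name__ == "__main__":
    for url in URL_RE.findall(SAMPLE):
        host = link_host(url)
        print(f"{host:24} trusted={is_trusted_host(host)} "
              f"brand-word={naive_brand_match(host)}")
```

The phishing domain passes the brand-word test and fails the real one. Only the end of the host name counts, so a trusted name placed at the front of the host or before an “@” does not help a link pass.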
The Biggest Clue
That domain ends in “.tk”.
From Wikipedia: “.tk is the Internet country code top-level domain (ccTLD) for Tokelau, a territory of New Zealand located in the South Pacific.”
Microsoft, MSN, Windows Live, Hotmail – or for that matter Yahoo or Gmail or whatever service you’re probably using – does not send their customers to “.tk” domains. Tokelau? I don’t think so. (No offense to the fine people of Tokelau. It’s likely that the phisher isn’t even in your territory.)
Someone registered the domain, set up a phishing site, and sent some really bad phishing emails in the hopes that you would fall for it, visit that site and then proceed to give away your real Windows Live Hotmail login information.
Don’t go there.
Not All Are This Bad
This particular example is really, really bad. Full of grammatical errors, obvious misrepresentations, clear inconsistencies with current product names, and more. It’s easy to see that this is phishing.
While many are this laughably awful, many are not.
In addition, while many of the “clues” I list above are mostly true, they are not hard and fast rules. Perhaps a legitimate official message has a typo, perhaps a service does send you to another domain that they actually do own, perhaps they really do use obscure email names like “VIV0RB”. All of those clues, and others, should be just that: clues. Clues that cause you to be suspicious. Clues that cause you to scan carefully for other clues.
Clues that, when they all add up, point to phishing.
In which case: press Delete, and get on with your life.