Windows Live Password Reset Email



  • Anyone else think this email is slightly odd? <> denote personalised info:

    ------------------------------------------------------

    Hello, <EMAIL ADDRESS>

    We received your request to reset your Windows Live password. To confirm your request and reset your password, follow the instructions below. Confirming your request helps prevent unauthorized access to your account.

    If you didn't request that your password be reset, please follow the instructions below to cancel your request.


    CONFIRM REQUEST AND RESET PASSWORD

    1. Copy the following web address:

    https://accountservices.msn.com/EmailPage.srf?emailid=<GUID>&urlnum=0

    IMPORTANT:  Because fraudulent ("phishing") e-mail often uses misleading links, Microsoft recommends that you do not click links in e-mail, but instead copy and paste them into your browsers, as described above.

    2. Open your web browser, paste the link in the address bar, and then press ENTER.

    3. Follow the instructions on the web page that opens.


    CANCEL PASSWORD RESET

    1. Copy the following web address.

    https://accountservices.msn.com/EmailPage.srf?emailid=<GUID>&urlnum=1

    IMPORTANT:  Because fraudulent ("phishing") e-mail often uses misleading links, Microsoft recommends that you do not click links in e-mail, but instead copy and paste them into your browsers, as described above.

    2. Open your web browser, paste the link in the address bar, and then press ENTER.

    3. Follow the instructions on the web page that opens.


    OTHER INFORMATION

    Windows Live is committed to protecting your privacy. We encourage you to review our privacy statement Privacy Statement at http://g.msn.co.uk/2privacy/engb.

    For more information, go to the Windows Live Account site at https://account.live.com.


    Thank you,

    Microsoft Customer Support

    NOTE: Please do not reply to this message, which was sent from an unmonitored e-mail address. Mail sent to this address cannot be answered.



  • Seems pretty normal to me, other than the URLs differing only in the 'urlnum' parameter and the whole thing being pretty verbose. The average ADD teen huffing Axe deodorant and hopped up on redbull isn't going to sit still long enough to read past the first pixel of the first letter of the first word, let alone a few gigabytes of instructions on how to cut 'n paste links from an email.

    Ok, so I exaggerate, maybe *2* pixels. 



  • @MarcB said:

    Seems pretty normal to me, other than the URLs differing only in the 'urlnum' parameter and the whole thing being pretty verbose. The average ADD teen huffing Axe deodorant and hopped up on redbull isn't going to sit still long enough to read past the first pixel of the first letter of the first word, let alone a few gigabytes of instructions on how to cut 'n paste links from an email.

    Ok, so I exaggerate, maybe 2 pixels. 


    Aside from copying and pasting a URL from an unverified (and red-flaggy) email address and submitting data to that URL, sure, everything seems fine.



  • IMPORTANT: Because fraudulent ("phishing") e-mail often uses misleading links, Microsoft recommends that you do not click links in e-mail, but instead copy and paste them into your browsers, as described above.
    Described above? Above where? That bit of text is right in the middle of the instructions...


  • Even better is that the urls are actual hyperlinks just begging to be clicked on



  • The real WTF:

    IMPORTANT:  Because fraudulent ("phishing") e-mail often uses misleading links, Microsoft recommends that you do not click links in e-mail, but instead copy and paste them into your browsers, as described above.

    ... but of course copy and paste isn't enough to stop a phish. The instructions would have to get a bit lengthy with phrases like "now inspect the URL for any elements that could be a problem. Perhaps the domain name www.godaddy.microsoft.com isn't really owned by Microsoft. Perhaps the letter o in www.microsoft.com is actually the Azerbaijaini Sanskrit Unicode for their vowel "owww". Perhaps the URL looks fine up front but in the end redirects to pirates.ru. Yes, learn to be an internet detective and inspect every URL for many minutes before following any link.



  • @MarcB said:

    Seems pretty normal to me, other than the URLs differing only in the 'urlnum' parameter and the whole thing being pretty verbose. The average ADD teen huffing Axe deodorant and hopped up on redbull isn't going to sit still long enough to read past the first pixel of the first letter of the first word, let alone a few gigabytes of instructions on how to cut 'n paste links from an email.

    Ok, so I exaggerate, maybe 2 pixels. 

    I think when you don't want to cancel an account (or subscribe, or make any other significant decision), you usually just need to discard the letter, not follow some link. Perhaps, Microsoft is building a spambase of their users? 8=]



  • @Lingerance said:

    Aside from copying and pasting a URL from an unverified (and red-flaggy) email address and submitting data to that URL, sure, everything seems fine.

    Well, in theory, this email would have come as a response to you hitting an "I forgot my password" link on the site. Unless the net's totally congested right then, this reminder email would've shown up within a minute or so of you having hit the link. The odds of a phishing mail showing up, for the exact same service you just requested the reminder for, are pretty low.

    Now, of course, if this was totally unsolicited, i.e. it is a phishing attempt, or some numbnut entered your email addy by mistake (s00pahcoold00d325@hotmail.com and s00pahcoold00d326@hotmail.com are so easy to confuse, after all), then yeah, I'd be a bit suspicious.

    Besides, pretty much every talking head on the "OMG YOU CAN GET HAXX0RED!!!!!" segments on the news is advocating you cut'n'paste links from emails in any case. If the mail's legit, then somehow you're going to have to get the confirmation code (or whatever) from the reminder mail into the browser.

    If it's fake, then go ahead and click, or cut'n'paste, or re-type, either way, you're pwned. At some point the luser has to take a bit of responsibility for doing SOME basic due diligence.



  • They're specifically giving advice relating to avoiding attacks where the link address is different to the link text. Of course if they're the same then you'll go to the same place, but often phishing emails have links that go somewhere else than the text would imply (having the link text looking like a legitimate link). The advice is good, but obviously not a substitute for checking properly before going there. Either way I call not a wtf.



  • The last two links don't have the "don't click on me" thing?



  • @Spectre said:

    I think when you don't want to cancel an account (or subscribe, or make any other significant decision), you usually just need to discard the letter, not follow some link.

    Agree, TRWTF. 



  • @Matevžk said:

    @Spectre said:

    I think when you don't want to cancel an account (or subscribe, or make any other significant decision), you usually just need to discard the letter, not follow some link.

    Agree, TRWTF. 

    There are scenarios where that is not sufficient. For example:

    Attacker requests a password reset in your name.

    Attacker has broken into your email, and intends to reset your password.

    If there's no way to cancel the request, there's no defense. But if you get to the email before the attacker, and cancel the request, you're OK. It's a bit far-fetched I know, but within the realm of possibility.
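The cancel-link defence this post describes, as an added Python example that is not part of the thread or of Windows Live's implementation: the `urlnum` values 0 and 1 come from the quoted email, while the request store, the state names, the expiry and the hashed-emailid lookup are assumptions made for the demo. It also shows the step the post implies but does not spell out: one cancel invalidates every pending request for the address, so an attacker who requested twice gains nothing.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

CONFIRM, CANCEL = 0, 1  # the two actions the email's urlnum parameter selects


@dataclass
class ResetRequest:
    email: str
    expires_at: float
    state: str = "pending"  # pending | confirmed | cancelled | expired


class PasswordResetService:
    def __init__(self, ttl_seconds=3600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be exercised in tests
        self.requests: dict[str, ResetRequest] = {}  # keyed by hash of emailid

    @staticmethod
    def _key(emailid: str) -> str:
        # Store only a hash: a leaked table must not yield working reset links.
        return hashlib.sha256(emailid.encode()).hexdigest()

    def request_reset(self, email: str) -> str:
        # The returned secret plays the role of the email's <GUID> (assumed format).
        emailid = secrets.token_urlsafe(32)
        self.requests[self._key(emailid)] = ResetRequest(email, self.now() + self.ttl)
        return emailid

    def handle_link(self, emailid: str, urlnum: int) -> str:
        # Whatever the outcome, a consumed emailid never works a second time.
        req = self.requests.get(self._key(emailid))
        if req is None or req.state != "pending":
            return "invalid"
        if self.now() > req.expires_at:
            req.state = "expired"
            return "expired"
        if urlnum == CANCEL:
            # Cancelling kills every pending request for this address, so an
            # attacker's second request does not survive the victim's cancel.
            for other in self.requests.values():
                if other.email == req.email and other.state == "pending":
                    other.state = "cancelled"
            return "cancelled"
        if urlnum == CONFIRM:
            req.state = "confirmed"  # caller now lets the user set a new password
            return "confirmed"
        return "invalid"
```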



  • I like this: 

    @jackie said:

    1. Copy the following web address:

    https://accountservices.msn.com/EmailPage.srf?emailid=<GUID>&urlnum=0

    IMPORTANT:  Because fraudulent ("phishing") e-mail often uses misleading links, Microsoft recommends that you do not click links in e-mail, but instead copy and paste them into your browsers, as described above.

    And then this:

    @jackie said:

    Windows Live is committed to protecting your privacy. We encourage you to review our privacy statement Privacy Statement at http://g.msn.co.uk/2privacy/engb.

    So what is the difference between that link and any other link that they "recommend" you don't click on? 



  • It says 'as described above', when actually it is described below.



  • @Lazy-lump said:

    It says 'as described above', when actually it is described below.

    Well...

    Right above that "as described above" bit, it says "1. Copy the following web address:" and right below it, it says "2. Open your web browser, paste the link in the address bar, and then press ENTER", both of which are part of the instructions. So the "as described above" bit is actually in the middle of the instructions...



  • @m0ffx said:

    There are scenarios where that is not sufficient. For example:

    Attacker requests a password reset in your name.

    Attacker has broken into your email, and intends to reset your password.

    If there's no way to cancel the request, there's no defense. But if you get to the email before the attacker, and cancel the request, you're OK. It's a bit far-fetched I know, but within the realm of possibility.

    That very scenario happened several times to various players of a certain online game that prides itself on its "real cash economy". They'd gain access to the email account, request a new in-game password and then transfer all that player's items and money to another in-game avatar. They would auction off the player's items for whatever they could get from the in-game auction system and then withdraw all the money out of the game. By changing the password it did two things: (1) it let them access the player's avatar and (2) it locked the player out of the game so they couldn't stop what was going on. When the real players tried to log in they would get a message stating that they were already logged in. A few created secondary avatars and after some wandering actually found their original avatars in-game. I don't remember the finer details beyond them being a proper show-off and openly telling them stuff like "yer I hacked your account, so what?".



  • @RandomPoster said:

    So what is the difference between that link and any other link that they "recommend" you don't click on? 

    That link doesn't contain information that can be used to reset your account password. Come on man, this isn't rocket science. None of this is a WTF. 



  • @Tann San said:

    "yer I hacked your account, so what?".

    Internet pirates strike again.  "Yar, I be not payin' for this content, ya lubber!"

