
Backstory

So 3 weeks ago I received an email from Microsoft Imagine, requesting me, as a student, to update my profile on their website because they had recently changed over from DreamSpark.

That message in itself is real, but the email and the email sender did not seem to be real. I contacted a Microsoft employee at their answer desk, and they said they could not find the email account in their database, nor did they recognize the links I provided, which by the way all looked like this:

https://click.email.microsoftemail.com/?qs=(Long string of numbers and letters, each different for each link in the email)

I normally don't click links in emails unless prompted to immediately after registering or resetting or whatever else immediate action I have taken on other legit websites. Nevertheless, I somehow let my guard down and clicked a link.

Event

What happened was that it appeared as if my window refreshed. That was all.

My browsing history didn't register that I went to another site (just 2 consecutive instances of the same email-account website I opened my mail with); my download history and download folder did not have any new additions; no new installed program has appeared in my programs and features; and nothing was added to my startup folders or startup in task manager.

A run-through by Malwarebytes Anti-Malware Premium (which I only bought after clicking the link) didn't find anything, nor did Windows Defender.

Question

What I would like to know is: what could have happened? Could malware have sneaked its way in? And if so, how do I find out about it?

I was told that one possible consequence could have simply been that my email was validated as real by the scammers, for future email scam use. I can live with that annoyance. But I don't like the idea of some ransomware, keylogger or botnet malware hiding itself on my computer.

What could possibly have happened from such an event, and what can I do for damage control?

I have seen that at least one other poster has asked a similar question, but I was wondering about the specifics of my incident.

  • They have your email and IP, that's for sure. – sysfiend Dec 02 '16 at 16:49
  • Now they have your details, like which OS, browser, IP, email extension details, and most probably whether you have Flash on or not, which can be used in a future attack. Hence it is better to use a User Agent Changer as one method to prevent leaking such details. – Nabin KC Dec 02 '16 at 17:34
  • Not quite a duplicate maybe, but I think [my answer to this question](http://security.stackexchange.com/questions/134808/i-accidentaly-clicked-on-an-ad-on-webmds-website-on-an-iphone-any-chance-of-ma/134826#134826) might help you. – Anders Dec 02 '16 at 19:25
  • I appreciate the advice for future security measures but I already have upgraded my security ever since the incident. For my post I was more interested in diagnosis and damage control for that particular event, rather than future prevention. If there is indeed any damage done. And as I wrote in my post, I can't tell if I actually visited a website - there are no logs about it in my browsing history. I can only see 2 consecutive instances of my email URL there. But I can surmise from Anders' link that there always is a possibility with zero hour/day attacks, but also that it is unlikely. – Angelnight Dec 03 '16 at 19:21

1 Answer

Agree with the advice given so far. Someone has validated at least your email address against a database, this has value in itself.

They may also have captured additional information including those mentioned. Other possible information may have come from well-known cookies and other persistent information.

The links, of course, all contain specific tracking GUIDs, so they have matched your email address and browser details against their "campaign" as well. I would expect that you will see, at some future point, a big increase in spam and phishing attacks against that email address.

There is a small possibility that a rootkit might have been installed that might only activate later. I wouldn't rely on a single malware checker, run a few.

Looks to me as though you were relatively lucky in this instance. Here are some things you can do to avoid stuff like this being a disaster:

  • Use a different email address for every vendor contact. Many email services allow you to use a + symbol following your name and then you can put what you like after it. So using something like mymailaddress+vendor1@mydomain.com for example allows you to keep things separate and should an "address" be compromised, you can then blacklist it.
  • Use a good adblocker in your browser. Better still, use one on your router if you can (most can't, but a few can, such as the Ubiquiti EdgeRouters) and/or also use OpenDNS with some of their blocks in place.
  • Check occasionally using multiple anti-malware tools. You mentioned Malwarebytes; Hitman Pro is another good tool. There are plenty of others, and most allow you to run a check without paying.
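One way to put the plus-addressing advice above into practice, as an added example that is not part of the answer: a small Python triage that splits the `+tag` out of the recipient address, flags tags that start receiving mail from a sender domain other than the vendor they were handed to (that is the leak signal the scheme gives you), and blocks tags already on the deny-list. All sender domains, tag names and headers below are constructed sample data.

```python
from email.utils import parseaddr

# Constructed sample (From, To) header pairs; none of these are real messages.
SAMPLE_HEADERS = [
    ("Vendor One <noreply@vendor-one.example>", "mymailaddress+vendor1@mydomain.com"),
    ("Shop <deals@shop-two.example>", "MyMailAddress+vendor2@MyDomain.com"),
    ("Bulk <offers@bulk-sender.example>", "mymailaddress+vendor1@mydomain.com"),
    ("Friend <friend@friend.example>", "mymailaddress@mydomain.com"),
]

# Which sender domain each tag was handed out to (constructed).
EXPECTED_SENDERS = {
    "vendor1": {"vendor-one.example"},
    "vendor2": {"shop-two.example"},
}


def split_subaddress(addr):
    """Return (user, tag, domain) for 'user+tag@domain'; tag is '' if absent.

    Lower-cases everything: most providers treat the local part case-insensitively,
    which is an assumption here, not an RFC guarantee. Only the first '+' splits.
    """
    _, bare = parseaddr(addr)
    local, _, domain = bare.rpartition("@")
    user, _, tag = local.partition("+")
    return user.lower(), tag.lower(), domain.lower()


def sender_domain(from_addr):
    """Domain part of the From header's address, lower-cased."""
    return parseaddr(from_addr)[1].rpartition("@")[2].lower()


def leaked_subaddresses(headers, expected):
    """Tags that received mail from a domain other than the vendor they were given to."""
    leaks = set()
    for frm, to in headers:
        _, tag, _ = split_subaddress(to)
        if tag in expected and sender_domain(frm) not in expected[tag]:
            leaks.add(tag)
    return sorted(leaks)


def triage(from_addr, to_addr, denied_tags, expected):
    """'block' for a burned tag, 'suspicious' for a mismatched sender, else 'ok'."""
    _, tag, _ = split_subaddress(to_addr)
    if tag in denied_tags:
        return "block"
    if tag in expected and sender_domain(from_addr) not in expected[tag]:
        return "suspicious"
    return "ok"
```

Running `leaked_subaddresses(SAMPLE_HEADERS, EXPECTED_SENDERS)` names the tag to add to the deny-list; subsequent mail to that tag is then blocked by `triage` regardless of sender.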