aa419 has recently been noticing a trend of scammers abusing Microsoft’s Office Live hosting. Over the next few days I will be writing a series of blog posts attempting to explain what their hosting offers, the serious problems that it has, and the dangers posed to the general public.

We’ll start off with an introduction to the service and to the problem:
The Service, and Why Scammers Use It

Microsoft Office Live (MSOL) offerings come in a range, with better services for a higher price. The full details of all Office Live packages can be found here. (My apologies if you don’t/can’t use Microsoft Internet Explorer.) The lowest tier provides a free domain name, 25 email accounts, and web hosting space for the user. Account setup is almost instantaneous; users can send email from their personalized domain immediately, and the related website is up as soon as DNS resolution completes (which is not within the control of Microsoft, but depends on international networks). Paid services include interfacing and document sharing through Microsoft Office products in addition to the basic hosting package.

The one very unusual feature of MSOL is that they provide their users with a free domain name. Other free hosting packages (and there are plenty out there) restrict users to sub-domains (for example, uklotto.somecompletelyfreehost.net), because registering a unique domain costs money. Essentially, MSOL has a business model to pay people to use their service. I’m not an economist or MBA, though, so I won’t delve into that much further.

So why do scammers like this free service so much? Partly, because internet criminals tend to be stingy even when they are paying with somebody else’s money. (Weird but true.) All the fraudsters want is that veneer of respectability that comes with having an internet presence. Scammers use email and websites as the fundamental infrastructure of their fraud.

Which would you trust more: or ? Well, hopefully neither — but the latter domain name is a lot more plausible! For free, MSOL provides plausibility in the form of a unique domain name. And there are statistics to prove it’s widely popular in the world of 419, as Joe Wein has noted in his blog:

amongst domains connected to Advance fee scams that I was adding to the SURBL blacklist, more than half were hosted at OfficeLive, i.e. more than for all other webhosts combined!

Of course, it is not MSOL’s goal to support crooks out of its own pocket; they’re trying to get small businesses to use their services. They attempt to prevent abuse of the free system by verifying all those who sign up for their hosting packages. The verification process is to request a credit card number. For the free packages, a $1.00 authorization charge is made to test whether the account is valid and active. (Note that this is not a billing charge. An authorization charge only confirms there is credit available, it does not request payment.)

While this sort of verification is better than nothing, it isn’t much better. In the age of phishing and identity theft on an industrial scale, compromised credit card numbers are widely available. But typically, fraudulent domain name purchases show up on a victim’s monthly credit card statement, alerting them to the identity theft and resulting in cancellation of the fraudulently purchases. The MSOL procedure of an authorization charge — which never shows up on a monthly statement — gives no chance for ID theft victims to notice the abuse. It also means that MSOL won’t ever learn that the credit card number was fraudulently used, because there is no possibility of a chargeback on authorization charges.

At the end of the day, MSOL has no idea who is really using its services.

Of course, fraudulent hosting signups are not limited to MSOL; it is part of being a webhost these days. I can’t blame MSOL for criminal signups, but I can (and will, in my next post) blame them for their reactions (or lack thereof) to abuse complaints.

So stay tuned for more tomorrow!

This entry was posted on Sunday, February 10th, 2008 at 12:01 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.