国内近期针对微软账户 Hotmail 进行扫号操作

2024-06-23 18:19:45 +08:00
 huangxiao123

原由:昨天晚上的时候,发现微软的 Authenticator 弹出了个莫名其妙的认证请求,一开始疑惑是谁在登录,并且开始回想起本人平常有没有泄露账户,经排查,没泄露过该账户出去,该账户只用于微软家族的产品登录,没用于其他地方,疑似是通过 csrf /数据泄露获取到邮箱号

通过 https://account.live.com/Activity 进行排查,发现两个 IP 登录操作,如下

whois 信息如下

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '114.96.0.0 - 114.103.255.255'

% Abuse contact for '114.96.0.0 - 114.103.255.255' is 'anti-spam@chinatelecom.cn'

inetnum:        114.96.0.0 - 114.103.255.255
netname:        CHINANET-AH
descr:          CHINANET Anhui PROVINCE NETWORK
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN
admin-c:        JW89-AP
tech-c:         JW89-AP
abuse-c:        AC1573-AP
status:         ALLOCATED PORTABLE
remarks:        service provider
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-AH
mnt-routes:     MAINT-CHINANET-AH
mnt-irt:        IRT-CHINANET-CN
last-modified:  2021-06-15T08:06:13Z
source:         APNIC

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
e-mail:         anti-spam@chinatelecom.cn
abuse-mailbox:  anti-spam@chinatelecom.cn
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:           # Filtered
remarks:        anti-spam@chinatelecom.cn was validated on 2024-04-15
mnt-by:         MAINT-CHINANET
last-modified:  2024-04-15T01:54:23Z
source:         APNIC

role:           ABUSE CHINANETCN
address:        No.31 ,jingrong street,beijing
address:        100032
country:        ZZ
phone:          +000000000
e-mail:         anti-spam@chinatelecom.cn
admin-c:        CH93-AP
tech-c:         CH93-AP
nic-hdl:        AC1573-AP
remarks:        Generated from irt object IRT-CHINANET-CN
remarks:        anti-spam@chinatelecom.cn was validated on 2024-04-15
abuse-mailbox:  anti-spam@chinatelecom.cn
mnt-by:         APNIC-ABUSE
last-modified:  2024-04-15T01:55:05Z
source:         APNIC

person:         Jinneng Wang
address:        17/F, Postal Building No.120 Changjiang
address:        Middle Road, Hefei, Anhui, China
country:        CN
phone:          +86-551-2659073
fax-no:         +86-551-2659287
e-mail:         ahdata@189.cn
nic-hdl:        JW89-AP
mnt-by:         MAINT-CHINANET-AH
last-modified:  2014-02-21T01:19:43Z
source:         APNIC

% This query was served by the APNIC Whois Service version 1.88.25 (WHOIS-JP3)

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '111.126.0.0 - 111.127.255.255'

% Abuse contact for '111.126.0.0 - 111.127.255.255' is 'anti-spam@chinatelecom.cn'

inetnum:        111.126.0.0 - 111.127.255.255
netname:        CHINANET-NM
descr:          CHINANET NeiMengGu province network
descr:          Data Communication Division
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN
admin-c:        CH93-AP
tech-c:         CH93-AP
abuse-c:        AC1573-AP
status:         ALLOCATED PORTABLE
remarks:        service provider
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
notify:         cyg@nmgtele.com
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-NM
mnt-routes:     MAINT-CHINANET-NM
mnt-irt:        IRT-CHINANET-CN
last-modified:  2021-06-15T08:05:56Z
source:         APNIC

irt:            IRT-CHINANET-CN
address:        No.31 ,jingrong street,beijing
address:        100032
e-mail:         anti-spam@chinatelecom.cn
abuse-mailbox:  anti-spam@chinatelecom.cn
admin-c:        CH93-AP
tech-c:         CH93-AP
auth:           # Filtered
remarks:        anti-spam@chinatelecom.cn was validated on 2024-04-15
mnt-by:         MAINT-CHINANET
last-modified:  2024-04-15T01:54:23Z
source:         APNIC

role:           ABUSE CHINANETCN
address:        No.31 ,jingrong street,beijing
address:        100032
country:        ZZ
phone:          +000000000
e-mail:         anti-spam@chinatelecom.cn
admin-c:        CH93-AP
tech-c:         CH93-AP
nic-hdl:        AC1573-AP
remarks:        Generated from irt object IRT-CHINANET-CN
remarks:        anti-spam@chinatelecom.cn was validated on 2024-04-15
abuse-mailbox:  anti-spam@chinatelecom.cn
mnt-by:         APNIC-ABUSE
last-modified:  2024-04-15T01:55:05Z
source:         APNIC

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         anti-spam@chinatelecom.cn
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
mnt-by:         MAINT-CHINANET
last-modified:  2022-02-28T06:53:44Z
source:         APNIC

% This query was served by the APNIC Whois Service version 1.88.25 (WHOIS-JP3)

使用 https://ip.sy/查询的地理位置如下

ASN 均为: AS4134

微步:

腾讯威胁平台:

查询总结:

111.127.50.125 对应 ICP:

两者 IP 只开了 53 TCP + 1041 TCP

疑似是一伙人,不知各位 V 友怎么看待,疑似是国内某个扫号团伙拿到了微软泄露的数据库进行批量登录验证爆破

20736 次点击
所在节点    信息安全
144 条回复
huangxiao123
2024-06-24 21:19:09 +08:00
@leimu012 #110 你这个比较危险了
huangxiao123
2024-06-24 21:19:27 +08:00
@hendry #119 感谢补充 IP
huangxiao123
2024-06-24 21:19:46 +08:00
@404www #118 楼下有专业的兄弟回复了你,我也不太懂这个
yjxjn
2024-06-24 21:23:58 +08:00
确实。我别名有很多,都以密码错误失败告终了。但是我目前有 2FA ,防止楼上说的弹窗误操作 OK 的问题,特意一直用的 code 验证。

https://imgur.com/a/Xmsa2s4
javeil
2024-06-24 22:18:00 +08:00
微软账号强制 mfa 了吧 要是拿到密码撞库撞上了也没啥意义。。
xiafengjieying
2024-06-25 06:57:00 +08:00
@fairytale 我也是
oldboy627
2024-06-25 07:08:06 +08:00
@greeny1025 英国那个自动同步,是不是说明登录成功了
terryl
2024-06-25 08:34:20 +08:00
@essethon 的确这是目前为止端侧唯一有效避免继续被扫的操作了。
ShareDuck
2024-06-25 08:54:31 +08:00
Hotmail 好像从来就没停过。https://imgur.com/GVm0LEg
Mar5
2024-06-25 09:04:21 +08:00
outlook 最近一直都有克罗地亚、德国、乌克兰的,还全是 IPv6 。
Andrue
2024-06-25 09:11:10 +08:00
最近半年有些游戏论坛也在讨论这个情况,说明攻击者的爆破行动早就开始了
journalist
2024-06-25 09:15:22 +08:00
去年有段时间经常有美国 IP 尝试密码登录,后来我开启了无密码,也遇到过几次弹验证器。最近倒是没有。
Andrue
2024-06-25 10:16:18 +08:00
两个账号检查了下这四个月平均每天二十次登录尝试,怕了怕了
还是开无密码吧
guguxia
2024-06-25 10:40:01 +08:00
开了无密码登录,没弹过验证器
yazoox
2024-06-25 11:49:18 +08:00
为什么只有 Microsoft 的邮箱碰到了这个问题,其它的比如 gmail 有这个现象么?
suchasplus
2024-06-25 16:24:17 +08:00
我的 MS Authenticator 也弹了,当场点了拒绝。
然后 gmail 收到个邮件,说我的 EA 因为安全问题被禁用了,需要改密码
luckyc
2024-06-25 17:38:20 +08:00
和楼主一样, 我也收到了登录二次认证提示.
404www
2024-06-25 18:59:57 +08:00
@essethon 感谢回复!
huangxiao123
2024-06-27 11:10:08 +08:00
截止目前 6.27 ,没收到二次认证提醒了
bluebee
2024-07-01 19:08:28 +08:00
幸好从来不用 APP 上确认当两步验证,一不留神就可能点击同意。由于微软账号名称简洁,经常遇到这种情况,还有每天的大量垃圾邮件和钓鱼邮件。

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/1051891

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX