maddeast and Hotmail

Earlier this year, I received a message from an old friend, someone who I hadn't heard from for a few years. She wanted me to know about this great new website she had found that offered “all kinds of digital products” and “offer most competitive and reasonable price and high quality goods for our clients”.

English isn't my friend's first language — it might be her fourth — but it was the content of the message more than the grammatical errors that led me to guess that the message wasn't really from her. It looked just a little too similar to a number of other messages that I'd seen recently, all promoting what I've come to refer to as 'fake storefront' scams — fake e-commerce sites that advertise expensive electronics or other goods at too-good-to-be-true prices. Unsurprisingly, people who order from these stores never get what they ordered, and any enquiries just produce silence (or, in a twist taken straight from the 'advance fee fraud' playbook, demands for additional money for 'customs duties').

My friend confirmed that she hadn't sent the message, and that a number of her other contacts had also received it. It started to look as if something had gained access to her Hotmail address book, and was firing off spam pretending to come from her.

The site being promoted was vanigo.com. Since then, I've had a number of reports from people who say that something is sending spam with their address in the 'From' line. Most of the reports have been related to another 'fake storefront' site, maddeast.com; all of them have come from Hotmail users.

It looks increasingly as if this isn't the usual backscatter problem, but as if the scammers are actually taking control of Hotmail accounts. It's not clear yet whether they've obtained Hotmail passwords by phishing, through the use of a dedicated Trojan, or by some other means. Either way, if you find yourself unintentionally shilling Chinese scam sites, you'd be very well-advised to change your Hotmail password immediately (from a computer that you know to be 'clean') and then conduct a thorough virus sweep of any computer that you use. While you're changing your password, remember to reset your security question and check any alternate email addresses that may have been configured, just in case.

Incidentally, the 'fake storefront' scam seems to be taking off currently. Over the last few days, I've seen more and more messages advertising more and more different domain names associated with this scam (some of them are listed on this page of fake storefront scam sites). 'maddeast.com' is one of the most frequently used search terms bringing people to this site. I have also, unfortunately, received a number of messages from people who were taken in by the scam: they sent off their money (usually via Western Union, always the scammer's favorite) and got nothing in return.

I think it's time we put these people out of business. Let your friends and family know about this scam. If you get mail advertising a new scam site, add a report to SiteAdvisor or similar spam/scam reporting sites. And if you use Hotmail and you start getting odd non-delivery reports, secure your computer and change your password as soon as you can.
