I quote that article:
> the malicious script steals the Yahoo session "cookies" from the browser
> and hands them off to the miscreants, who then use the account
> to pump out spam.
Below I give a proof that this supposition is wrong.
Here I'm talking about spam that usually has an empty Subject and
just a link in the body (sometimes with a few generic words added,
possibly with a date and/or the genuine mailbox owner's signature).
In the full headers you can see that the spam was sent from a real
user's mailbox through the web interface, usually of Yahoo Mail
(sometimes AOL or Hotmail/MSN/live.com). For example:
Received: from [220.127.116.11] by web122601.mail.ne1.yahoo.com
via HTTP; Sun, 03 Feb 2013 17:01:45 PST
In this example ".yahoo.com via HTTP" means that it's not spoofing:
the spam really was sent from the mailbox specified in "From:".
I can trace and analyse the Received lines; they show that they weren't forged
by the spammer.
If you look up the IP address from such a line, it usually turns out to be in
some random country other than the one where the rightful mailbox owner lives.
The spam is sent to all addresses in the address book of the compromised
mailbox's webmail interface. The spammer could change the mailbox's
password or set up a Reply-To or a vacation reply, but chose not to,
perhaps in order to keep a low profile.
Two days ago I got proof that the spammer uses neither XSS nor Wi-Fi sniffing:
the rightful mailbox owner (in Australia) copied for me the
"recent sign-in activity" from her Account Info:
> 5:54 PM Browser Mail Access Australia
> 12:01 PM Browser Mail Access PA,
> 12:01 PM Yahoo!7 Mobile Logged In PA,
> 12:01 PM Browser Mail Access IL,
> 12:01 PM Yahoo!7 Mobile Logged In IL,
> Yesterday 9:30 AM Browser Mail Access Australia
The lines with "PA" and "IL" are the spammer's accesses (using zombies in the USA).
The [18.104.22.168] in the example above corresponds to the Illinois entry here.
Those lines contain "Logged In". That means that the spammer's software
entered the password, i.e. that the spammer stole the password, not the cookie.
XSS exploits and traffic sniffers can steal the login cookie
but cannot steal passwords. Yahoo has protection against brute-force
cracking (password guessing): enter a wrong password several times
in a row and your account will be locked for 24 hours.
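Here is an added example (my own code for this post, not the spammer's, Yahoo's or the software mentioned below) that mechanises the two checks above, the Received-line check and the sign-in-activity check: it parses a webmail-style Received line, converts its timestamp into the mailbox owner's clock, and matches it against the rows of the copied sign-in activity, flagging the foreign "Logged In" rows. The sample Received line and activity listing are the ones quoted above. The time zones (PST on the Yahoo front-end, Australian Eastern Daylight Time on the owner's activity page), the webmail host suffixes and the regular expressions are my assumptions, not anything documented by the providers.

```python
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Sample input, copied from the Received line quoted above.
RECEIVED_LINE = ("Received: from [220.127.116.11] by web122601.mail.ne1.yahoo.com "
                 "via HTTP; Sun, 03 Feb 2013 17:01:45 PST")

# Sample input, copied from the owner's "recent sign-in activity" quoted above.
SIGNIN_ACTIVITY = """\
5:54 PM Browser Mail Access Australia
12:01 PM Browser Mail Access PA,
12:01 PM Yahoo!7 Mobile Logged In PA,
12:01 PM Browser Mail Access IL,
12:01 PM Yahoo!7 Mobile Logged In IL,
Yesterday 9:30 AM Browser Mail Access Australia
"""

# Assumptions: the owner's activity page shows Australian Eastern Daylight Time
# (UTC+11 in February), and these host suffixes identify the webmail providers
# named in the post.  A fixed offset keeps the example free of a tz database.
OWNER_ZONE = timezone(timedelta(hours=11))
WEBMAIL_SUFFIXES = (".yahoo.com", ".aol.com", ".hotmail.com", ".msn.com", ".live.com")

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+"
    r"by\s+(?P<host>\S+)\s+via\s+HTTP;\s*(?P<date>.+)$")
SIGNIN_RE = re.compile(
    r"^(?:(?P<day>Yesterday)\s+)?(?P<time>\d{1,2}:\d{2}\s[AP]M)\s+"
    r"(?P<event>.+?\s(?:Access|Logged In))\s+(?P<where>[^,]+),?$")


def parse_webmail_received(line):
    """Return {'ip', 'host', 'webmail', 'sent_at'} for a 'via HTTP' Received line
    (a message injected through a webmail front-end), or None for any other
    Received line, e.g. an SMTP relay hop."""
    m = RECEIVED_RE.match(line.strip())
    if m is None:
        return None
    sent_at = parsedate_to_datetime(m.group("date"))   # RFC 2822 date; 'PST' is understood
    host = m.group("host").lower()
    return {"ip": m.group("ip"), "host": host,
            "webmail": host.endswith(WEBMAIL_SUFFIXES), "sent_at": sent_at}


def parse_signin_activity(text, home="Australia"):
    """Parse the activity listing.  'foreign' rows come from outside the owner's
    location; a foreign 'Logged In' row means a password was presented, which a
    stolen cookie alone could not do."""
    rows = []
    for line in text.splitlines():
        m = SIGNIN_RE.match(line.strip())
        if m is None:
            continue
        where = m.group("where").strip()
        rows.append({"day": m.group("day") or "Today", "time": m.group("time"),
                     "event": m.group("event"), "where": where,
                     "foreign": where != home,
                     "password_used": m.group("event").endswith("Logged In")})
    return rows


def correlate(received_line, activity_text, owner_zone=OWNER_ZONE, home="Australia"):
    """Convert the Received timestamp into the owner's clock and return the
    foreign activity rows stamped with the same minute."""
    hop = parse_webmail_received(received_line)
    if hop is None:
        return None
    local = hop["sent_at"].astimezone(owner_zone)
    # The activity page uses a 12-hour clock without a leading zero, e.g. "12:01 PM".
    wanted = local.strftime("%I:%M %p").lstrip("0")
    matches = [r for r in parse_signin_activity(activity_text, home)
               if r["time"] == wanted and r["foreign"]]
    return {"ip": hop["ip"], "host": hop["host"], "webmail": hop["webmail"],
            "sent_local": local.isoformat(), "matches": matches}


if __name__ == "__main__":
    result = correlate(RECEIVED_LINE, SIGNIN_ACTIVITY)
    print(result["ip"], "sent at", result["sent_local"], "on the owner's clock")
    for row in result["matches"]:
        print(" ", row["time"], row["event"], row["where"],
              "<- password presented" if row["password_used"] else "")
```

Run as a script it reports that 17:01:45 PST on 3 Feb is 12:01:45 on 4 Feb in Sydney, exactly the minute of the four foreign rows, two of which say "Logged In". If a Received line carries a numeric "-0000" zone instead of a name, parsedate_to_datetime returns a naive datetime and the conversion would silently assume the local clock, so check `sent_at.tzinfo` before trusting the match.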
The sign-in process is the conversion of a password into a cookie.
I wrote software which signs in to Yahoo with a password, gets a login cookie
and uses the cookie to access members-only Groups pages. The spammer's
software also signs in to Yahoo, gets a login cookie and uses the cookie
to access Yahoo Mail pages to send the spam.
A Yahoo login cookie contains a hash and cannot be converted back into the password.
If the spammer had a cookie, he wouldn't need to sign in.
But the spammer's software does in fact sign in, as you see above.
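Here is an added, hypothetical model of what the paragraph above describes, written for this post (it is not Yahoo's code and not the software mentioned above): a sign-in converts a password into a cookie that carries only an HMAC, a mailbox access needs only the cookie, only a sign-in writes a "Logged In" row, and repeated wrong passwords lock the account for 24 hours. Three scenarios replay cookie theft, password theft and password guessing and return which of them leaves a foreign "Logged In" row. The lockout threshold, the password hashing, the cookie format and the sample user are my assumptions.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta

# Hypothetical toy model of a webmail front-end, written for this post;
# it is not Yahoo's actual implementation.
LOCKOUT_FAILURES = 5                    # assumed threshold
LOCKOUT_PERIOD = timedelta(hours=24)    # the post says 24 hours


class WebmailAuth:
    def __init__(self):
        self._secret = os.urandom(32)   # key for the cookie MAC; never leaves the server
        self._users = {}                # user -> (salt, password hash)
        self._failures = {}             # user -> (consecutive failures, locked_until)
        self.activity = []              # (time, client, event, location), newest last

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._pw_hash(password, salt))

    def sign_in(self, user, password, client, location, now):
        """Password -> cookie.  Only this path writes a 'Logged In' row."""
        failures, locked_until = self._failures.get(user, (0, None))
        if locked_until is not None and now < locked_until:
            return None                 # locked out: even the right password is refused
        salt, stored = self._users[user]
        if not hmac.compare_digest(self._pw_hash(password, salt), stored):
            failures += 1
            locked = now + LOCKOUT_PERIOD if failures >= LOCKOUT_FAILURES else None
            self._failures[user] = (failures, locked)
            return None
        self._failures[user] = (0, None)
        self.activity.append((now, client, "Logged In", location))
        token = f"{user}:{secrets.token_hex(8)}"
        mac = hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()
        return f"{token}:{mac}"         # holds only a MAC: no way back to the password

    def access_mail(self, cookie, location, now):
        """Cookie -> mailbox.  Writes 'Mail Access', never 'Logged In'."""
        try:
            user, nonce, mac = cookie.split(":")
        except ValueError:
            return False
        expected = hmac.new(self._secret, f"{user}:{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False                # forged or tampered cookie
        self.activity.append((now, "Browser", "Mail Access", location))
        return True


def foreign_logins(auth, home):
    """Rows an investigator would flag: 'Logged In' from outside the owner's location."""
    return [row for row in auth.activity if row[2] == "Logged In" and row[3] != home]


def _fresh(now):
    """Owner (assumed sample user) registers and signs in from home an hour earlier."""
    auth = WebmailAuth()
    auth.register("owner", "correct horse battery staple")   # assumed strong password
    cookie = auth.sign_in("owner", "correct horse battery staple", "Browser", "Australia", now)
    return auth, cookie


def scenario_cookie_theft(now=datetime(2013, 2, 4, 12, 1)):
    """XSS / sniffing model: the attacker holds only the owner's cookie."""
    auth, stolen_cookie = _fresh(now - timedelta(hours=1))
    sent = auth.access_mail(stolen_cookie, "IL", now)       # spam goes out ...
    return sent, foreign_logins(auth, "Australia")           # ... with no foreign 'Logged In'


def scenario_password_theft(now=datetime(2013, 2, 4, 12, 1)):
    """Keylogger model: the attacker holds the password and has to sign in first."""
    auth, _ = _fresh(now - timedelta(hours=1))
    cookie = auth.sign_in("owner", "correct horse battery staple", "Yahoo!7 Mobile", "IL", now)
    sent = auth.access_mail(cookie, "IL", now)
    return sent, foreign_logins(auth, "Australia")           # one foreign 'Logged In' row


def scenario_brute_force(now=datetime(2013, 2, 4, 12, 1)):
    """Guessing: after LOCKOUT_FAILURES wrong tries the right password is refused for 24 h."""
    auth, _ = _fresh(now - timedelta(hours=1))
    for i in range(LOCKOUT_FAILURES):
        auth.sign_in("owner", f"guess{i}", "Browser", "IL", now)
    during = auth.sign_in("owner", "correct horse battery staple", "Browser", "IL", now)
    after = auth.sign_in("owner", "correct horse battery staple", "Browser", "IL",
                         now + LOCKOUT_PERIOD)
    return during is None, after is not None
```

The point of the three scenarios is the one made above: in the model, spam can be sent with a stolen cookie alone, but the only way a "Logged In" row from PA or IL can appear is for the password itself to be presented, and the lockout rules out plain guessing.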
Therefore, her password was stolen with a drive-by exploit
such as Zeus (http://en.wikipedia.org/wiki/Zeus_%28trojan_horse%29).
She said that she had up-to-date browser plugins.
Such spam is epidemic: careless users click the links in it,
and their passwords get stolen too. Strong and unique passwords are stolen
as easily as any others.
The exploit can steal the password only if the victim uses Windows.
I use another operating system instead of Windows on an ordinary computer,
so I'm immune to the exploit: as a proof I clicked a link in such spam,
but the addresses in my Yahoo webmail address book weren't spammed,
though I don't sign out of Yahoo.
I wasn't asked for any password, i.e. phishing isn't involved here.
Perhaps the "second sign-in verification" was designed to prevent
the use of stolen passwords, but it's voluntary, not mandatory,
and works only in 14 countries. The spammer uses Yahoo!7 Mobile
for signing in; I can't check by myself
whether "second sign-in verification" covers that way of signing in too
(because my country isn't among those 14).
Currently, my only recommendations on what to do when
such spam reaches a Yahoo Group are:
1) put the member on moderation forever
(the member is likely to have the mailbox compromised again);
2) post to the group that the member and everybody who clicked the
link in the spam must change their mailbox password.
The usual advice is to use the latest (and kept up-to-date) Firefox or Chrome
instead of Internet Explorer,
to keep browser plugins updated
and to use a really good antivirus monitor (not just an antivirus scanner).
But passwords get stolen despite that.
In the case above the browser plugins were up to date,
but her password was still stolen.
Strong (long, complicated, unique) passwords are useless
(they are stolen with drive-by exploits as easily as simpler passwords)
and give a false sense of security.
The only sure cure is for group members to use any free operating system
instead of Windows on the same computer, for example
(paradoxically, in this case free is safe, paid is dangerous),
but don't hold your breath. :-(