> From: Chris J Brady <chrisjbrady@...>
> The hackers of Yahoo accounts are not guys sitting at a PC keyboard
> randomly typing in characters like the proverbial monkeys typing in
> the complete works of Shakespeare. Neither is it a computer
> generating random letter passwords and trying them until one fits.
> The vulnerability is that a user having clicked on an embedded URL
> in an email is taken to a rogue webpage. Or maybe has not even
> clicked on an embedded URL and in the course of surfing has
> been taken to a rogue webpage. This has installed a virus (a
> This in turn sends the Yahoo cookie file containing the account
> name and password to the hackers.
Not the cookie, but the yahooID and password, not hashed.
Then another piece of malware uses a bot in another victim's computer
(in a random country) to give the yahooID and password to the
m.yahoo.com website (for mobile devices) and get a Yahoo cookie
(containing a hash) in return. That leaves a line "Mobile Logged In"
in the first victim's "Recent sign-in activity" (linked from Account Info).
Then (usually via the same bot, sometimes via another bot in another
country, but in under a minute) it uses that cookie to access the
regular mail.yahoo.com website to harvest email addresses from
letters in the Sent and Inbox folders (and possibly Contacts too) and spam them.
That leaves another line "Mail Access" in the first victim's
"Recent sign-in activity".
I can't test it myself because my country isn't in the list
(Yahoo cannot send me an SMS).
Please, somebody who has "Set up your second sign-in verification":
Sign Out, then sign in on the m.yahoo.com/mail website,
preferably via another ISP.
Does the m.yahoo.com website (used by the felon too)
require typing something from the SMS?
> The virus script does two other things. Periodically - until removed
Until the password is changed. The trojan which stole the password
doesn't send the spam; it only phones home the stolen password.
Another piece of malware does this:
> it sends an email out - with a one line URL to another rogue
> website - to one, many, all contacts in the user's address book.
And/or addresses harvested from letters in the Sent and Inbox folders.
> code that represents the virus. Perhaps someone here can say. Virus
> protection apps will not detect it.
The felon tests the drive-by exploit kit
and the (stealthy, encrypted, polymorphic) trojan it installs
against multiple antiviruses
and makes sure that the exploit kit and trojan
can evade or disable all the antiviruses.
Antivirus vendors lost the war.
> However I understand that one protection is to ALWAYS log out of a
> Yahoo session after finishing which apparently then kills the cookie
> containing the user's account and password.
The trojan steals the password, not the cookie. So signing out is useless
in this case.
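The indicator described in the thread (a "Mobile Logged In" line followed within about a minute by a "Mail Access" line, both from countries the account owner never signs in from) can be checked mechanically. This is an added detection example, not code from the thread or from Yahoo; the entry layout, the sample entries and the owner's home country are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample entries imitating a "Recent sign-in activity" list.
# Layout (timestamp, event, country code) is an assumption; Yahoo's real
# page format is not shown in the thread.
SAMPLE_ACTIVITY = [
    ("2012-03-01 10:02:11", "Mail Access", "US"),       # owner reading mail
    ("2012-03-02 03:14:05", "Mobile Logged In", "BR"),  # bot trades password for cookie
    ("2012-03-02 03:14:41", "Mail Access", "RO"),       # second bot uses the cookie
    ("2012-03-02 09:30:00", "Mail Access", "US"),       # owner again
]


def parse_activity(rows):
    """Turn (timestamp string, event, country) rows into datetime-keyed tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ev, cc) for ts, ev, cc in rows]


def flag_cookie_relay(rows, window=timedelta(seconds=60), home_country="US"):
    """Return ((login_time, login_country), (mail_time, mail_country)) pairs
    matching the pattern from the thread: a mobile login followed within
    `window` by mail access, where at least one side is outside the owner's
    usual country. `home_country` is an assumed value for the sample."""
    events = sorted(parse_activity(rows))
    hits = []
    for i, (t1, ev1, cc1) in enumerate(events):
        if ev1 != "Mobile Logged In":
            continue
        for t2, ev2, cc2 in events[i + 1:]:
            if t2 - t1 > window:
                break  # later events are outside the window; events are sorted
            if ev2 == "Mail Access" and (cc1 != home_country or cc2 != home_country):
                hits.append(((t1, cc1), (t2, cc2)))
    return hits


if __name__ == "__main__":
    for login, mail in flag_cookie_relay(SAMPLE_ACTIVITY):
        print(f"suspicious: mobile login {login[0]} ({login[1]}) "
              f"then mail access {mail[0]} ({mail[1]})")
```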