
Why Yahoo email accounts are being hijacked - Technology on NBCNews.com

  • Donna Lee
    Message 1 of 4 , Feb 2, 2013
      http://m.nbcnews.com/technology/technolog/why-yahoo-email-accounts-are-being-hijacked-1B8219490?partner=skygrid

      You might find this interesting. I hope it is still available when this gets posted.

      This discusses the reason for the hijacked emails. I knew it had something to do with Yahoo security in my case! Yahoo just would not admit it to me!!!


      Donna Ford Lee ♂+♀=♡
      Tulsa, OK

      Don't cry because it's over,
      smile because it happened.

      Sent Via My iPhone
    • lena_kiev
      Message 2 of 4 , Feb 6, 2013
        > http://www.nbcnews.com/technology/technolog/why-yahoo-email-accounts-are-being-hijacked-1B8219490

        I quote that article:

        > the malicious script steals the Yahoo session "cookies" from the browser
        > and hands them off to the miscreants, who then use the account
        > to pump out spam.

        Below I give a proof that this supposition is wrong.

        Here I'm talking about spam with usually nothing in the Subject and
        just a link in the body (sometimes with a few generic words added,
        possibly with a date and/or the genuine mailbox owner's signature).
        In the full header you can see that the spam was sent from a real
        user's mailbox using the web interface, usually of yahooMail
        (sometimes AOL or Hotmail/MSN/live.com). For example:

        Received: from [69.171.163.162] by web122601.mail.ne1.yahoo.com via HTTP; Sun, 03 Feb 2013 17:01:45 PST

        In this example ".yahoo.com via HTTP" means that it's not spoofing:
        the spam really was sent via the mailbox specified in "From:".
        I can trace/analyse the Received lines; they show that they weren't forged
        by the spammer.

        If you look up the IP address from such a line, it usually happens to be in
        some random country other than the one where the rightful mailbox owner is.
        The spam is sent to all addresses from the compromised mailbox's
        webmail address book. The spammer could change the mailbox's
        password or set up a Reply-To or vacation reply, but chose not to do so,
        perhaps in order to keep a low profile.

        2 days ago I got proof that the spammer uses neither XSS nor Wi-Fi sniffing:
        the rightful mailbox owner (in Australia) copied for me
        "recent sign-in activity" in her Account Info:

        > 5:54 PM Browser Mail Access Australia
        > 12:01 PM Browser Mail Access PA,
        > 12:01 PM Yahoo!7 Mobile Logged In PA,
        > 12:01 PM Browser Mail Access IL,
        > 12:01 PM Yahoo!7 Mobile Logged In IL,
        > Yesterday 9:30 AM Browser Mail Access Australia

        The lines with "PA" and "IL" are the spammer's access (using zombies in the USA).
        The [69.171.163.162] in the example above corresponds to the Illinois entry here.
        Those lines contain "Logged In". That means that the spammer's software
        entered a password, i.e. that the spammer stole the password, not a cookie.
        XSS exploits and traffic sniffers can steal a login cookie
        but cannot steal passwords. Yahoo has protection against brute-force
        cracking (password guessing): enter a wrong password several times
        in a row and your account will be locked for 24 hours.

        The Signing In process is the conversion of a password into a cookie.
        I wrote software which Signs In to yahoo with a password, gets a login cookie
        and uses the cookie to access members-only Groups pages. The spammer's
        software also Signs In to yahoo, gets a login cookie and uses the cookie
        to access yahooMail pages to send the spam.
        A yahoo login cookie contains a hash and cannot be converted into a password.
        If the spammer had a cookie, he wouldn't need to Sign In.
        But the spammer's software does in fact Sign In, as you see above.

        Therefore, her password was stolen with a drive-by exploit
        such as http://en.wikipedia.org/wiki/Zeus_%28trojan_horse%29
        or http://en.wikipedia.org/wiki/Blackhole_exploit_kit
        She said that she had up-to-date browser plugins.

        Such spam is epidemic: careless users click links in such spam,
        and their passwords get stolen too. Strong and unique passwords are stolen
        as easily as any others.

        The exploit can steal the password only if the victim uses Windows.
        I use another operating system instead of Windows on an ordinary computer,
        so I'm immune to the exploit: as a proof, I clicked a link in such spam,
        but the addresses in my yahoo webmail address book weren't spammed,
        though I don't Sign Out of yahoo.
        I wasn't asked for any password, i.e. phishing isn't involved here.

        Perhaps the "second sign-in verification" was designed to prevent
        the use of stolen passwords, but it's voluntary, not mandatory,
        and works only in 14 countries. The spammer uses Yahoo!7 Mobile
        (au.mobile.yahoo.com) for Signing In; I can't check by myself
        whether "second sign-in verification" covers that way of Signing In too
        (because my country isn't among those 14).

        Currently, my only recommendations on what to do in cases of
        such spam to a yahooGroup are:

        1) put the member on moderation forever
        (the member is likely to have the mailbox compromised again);

        2) post to the group that the member and everybody who clicked the
        link in the spam must change mailbox password.

        The usual advice is to use the latest (and kept up-to-date) Firefox or Chrome
        instead of Internet Explorer,
        to keep browser plugins updated
        and to use a really good antivirus monitor (not just an antivirus scanner).
        But passwords get stolen despite that.
        In the case above the browser plugins were up-to-date,
        but her password still was stolen.
        Strong (long, complicated, unique) passwords are useless
        (they are stolen with drive-by exploits as easily as simpler passwords)
        and give a false sense of security.

        The only sure cure is for group members to use any free operating system
        instead of Windows on the same computer, for example
        http://en.wikipedia.org/wiki/GhostBSD
        or http://en.wikipedia.org/wiki/Linux_mint
        (paradoxically, in this case free is safe, paid is dangerous),
        but don't hold your breath. :-(

        Lena
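Lena's two checks above, reading the webmail Received hop to confirm the message really left through the provider's web interface from a given client IP, and reading the account's sign-in activity to separate fresh password logins from reuse of an existing session at a foreign location, can be scripted. The block below is an added example written for this page; it is not code from the post, from the group, or from Yahoo. It assumes a list of webmail host suffixes, the post's reading of Yahoo's event names ("Logged In" means a password was presented, "... Access" means an existing session was used), and an owner UTC offset of +11 (Australian eastern daylight time) for the timestamp correlation; the SMTP Received line is constructed for contrast, while the webmail Received line and the six activity lines are the ones quoted in the post.

```python
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# The Received line quoted in the post above (copied from the page).
RECEIVED_WEBMAIL = ("Received: from [69.171.163.162] by web122601.mail.ne1.yahoo.com "
                    "via HTTP; Sun, 03 Feb 2013 17:01:45 PST")
# Constructed counter-example (not from the page): an ordinary SMTP relay hop.
RECEIVED_SMTP = ("Received: from mail.example.net (mail.example.net [203.0.113.5]) "
                 "by mx.example.org with ESMTP id 4q7Xz; Mon, 04 Feb 2013 01:02:03 +0000")
# The "recent sign-in activity" lines quoted in the post (copied from the page).
SIGNIN_ACTIVITY = [
    "> 5:54 PM Browser Mail Access Australia",
    "> 12:01 PM Browser Mail Access PA,",
    "> 12:01 PM Yahoo!7 Mobile Logged In PA,",
    "> 12:01 PM Browser Mail Access IL,",
    "> 12:01 PM Yahoo!7 Mobile Logged In IL,",
    "> Yesterday 9:30 AM Browser Mail Access Australia",
]
# Assumption: hosts under these suffixes are the providers' own webmail front ends.
WEBMAIL_SUFFIXES = (".yahoo.com", ".hotmail.com", ".live.com", ".aol.com")

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<from>.+?)\s+by\s+(?P<by>[^\s;]+)"
    r"(?:\s+(?:via|with)\s+(?P<proto>[^\s;]+))?[^;]*;\s*(?P<date>.+)$",
    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SIGNIN_RE = re.compile(
    r"^(?:(?P<day>Yesterday)\s+)?(?P<time>\d{1,2}:\d{2}\s*[AP]M)\s+"
    r"(?P<event>.+?)\s+(?P<loc>[^\s,]+),?$")


def classify_received(line):
    """Parse one Received header; report the client IP and whether the hop is a
    webmail submission ("via HTTP" stamped by the provider's own host).

    Trust flows top-down: only hops stamped by servers you can vouch for (your
    own MTA, then the provider's) are evidence; anything below a hop you cannot
    vouch for may have been written by the sender."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    ip = IP_RE.search(m.group("from"))
    by, proto = m.group("by").lower(), (m.group("proto") or "").upper()
    return {"client_ip": ip.group(1) if ip else None, "by": by, "proto": proto,
            "webmail_submission": proto == "HTTP" and by.endswith(WEBMAIL_SUFFIXES),
            "date": m.group("date")}


def triage_signins(lines, home_location):
    """Separate foreign from home activity and decide, by the post's reasoning,
    whether a password ("Logged In": a fresh authentication) or only a session
    cookie ("... Access": reuse of an existing session) was used from abroad.
    That reading of Yahoo's event names is the post's, taken here as an assumption."""
    logins, access, locations = [], [], []
    for raw in lines:
        m = SIGNIN_RE.match(raw.lstrip("> ").strip())
        if not m:
            continue  # in real use, surface unparsed lines instead of dropping them
        e = m.groupdict()
        if e["loc"] == home_location:
            continue
        if e["loc"] not in locations:
            locations.append(e["loc"])
        (logins if "logged in" in e["event"].lower() else access).append(e)
    verdict = "password" if logins else ("cookie" if access else "none")
    return {"verdict": verdict, "foreign_locations": locations,
            "foreign_logins": logins, "foreign_access": access}


def received_time_in_owner_zone(received_date, owner_utc_offset_hours):
    """Render the Received timestamp as a clock time in the owner's zone, so it
    can be matched against the sign-in activity, which is shown in local time."""
    sent = parsedate_to_datetime(received_date)
    local = sent.astimezone(timezone(timedelta(hours=owner_utc_offset_hours)))
    return local.strftime("%I:%M %p").lstrip("0")


def correlate(received_line, lines, home_location, owner_utc_offset_hours):
    """Foreign sign-in entries that share the clock time of the spam's submission."""
    hop = classify_received(received_line)
    stamp = received_time_in_owner_zone(hop["date"], owner_utc_offset_hours)
    t = triage_signins(lines, home_location)
    return [e for e in t["foreign_logins"] + t["foreign_access"] if e["time"] == stamp]


if __name__ == "__main__":
    # +11 is an assumption (Australian eastern daylight time in February).
    print(classify_received(RECEIVED_WEBMAIL))
    print(triage_signins(SIGNIN_ACTIVITY, "Australia")["verdict"])
    print(correlate(RECEIVED_WEBMAIL, SIGNIN_ACTIVITY, "Australia", 11))
```

The last function is the check the post makes by eye: 17:01:45 PST on 3 Feb is 12:01 on 4 Feb at UTC+11, the same clock time as the four foreign entries, which ties the IP in the Received hop to the "Logged In" events. The parser deliberately reports only what the header says; mapping the IP to Illinois needs a geolocation lookup, which is left out so the script runs offline.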
      • Henrique de Castro
        Message 3 of 4 , Feb 7, 2013
          That is great detective work, Lena. The subject is very interesting.
           
          --
          Henrique "LonelySpooky" Junior
          http://about.me/henriquejunior


          From: "Lena@..." <Lena@...>
          To: Y-Mail@yahoogroups.com
          Sent: Wednesday, February 6, 2013 7:48 PM
          Subject: [Y-Mail] Re: Why Yahoo email accounts are being hijacked - Technology on NBCNews.com

           

        • adeomus ********
          Message 4 of 4 , Feb 7, 2013

            wow, lena, this is terrific!
            thank you!
            adds

            Be who you are and say what you feel
             because those who mind don't matter
            and those who matter don't mind.
            ~ Dr. Seuss

            --- On Thu, 2/7/13, Henrique de Castro <henriquecsj@...> wrote:

            From: Henrique de Castro <henriquecsj@...>
            Subject: Re: [Y-Mail] Re: Why Yahoo email accounts are being hijacked - Technology on NBCNews.com
            To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
            Received: Thursday, February 7, 2013, 9:11 AM

            From: "Lena@..." <Lena@...>
            To: Y-Mail@yahoogroups.com
            Sent: Wednesday, February 6, 2013 7:48 PM
            Subject: [Y-Mail] Re: Why Yahoo email accounts are being hijacked - Technology on NBCNews.com

             