Loading ...
Sorry, an error occurred while loading the content.

Re: [Y-Mail] Re: Why Yahoo email accounts are being hijacked - Technology on NBCNews.com

Expand Messages
  • adeomus ********
    wow, lena, this is terrific ! thank you ! adds Be who you are and say what you feel  because those who mind don t matter and those who matter don t mind. ~
    Message 1 of 4 , Feb 7, 2013

      wow, lena, this is terrific !
      thank you !

      Be who you are and say what you feel
       because those who mind don't matter
      and those who matter don't mind.
      ~ Dr. Seuss

      --- On Thu, 2/7/13, Henrique de Castro <henriquecsj@...> wrote:

      From: Henrique de Castro <henriquecsj@...>
      Subject: Re: [Y-Mail] Re: Why Yahoo email accounts are being hijacked - Technology on NBCNews.com
      To: "Y-Mail@yahoogroups.com" <Y-Mail@yahoogroups.com>
      Received: Thursday, February 7, 2013, 9:11 AM

      That is a great detective work, Lena. The subject is very interesting.
      Henrique "LonelySpooky" Junior

      From: "Lena@..." <Lena@...>
      To: Y-Mail@yahoogroups.com
      Sent: Wednesday, February 6, 2013 7:48 PM
      Subject: [Y-Mail] Re: Why Yahoo email accounts are being hijacked - Technology on NBCNews.com

      > http://www.nbcnews.com/technology/technolog/why-yahoo-email-accounts-are-being-hijacked-1B8219490

      I quote that article:

      > the malicious script steals the Yahoo session "cookies" from the browser
      > and hands them off to the miscreants, who then use the account
      > to pump out spam.

      Below I give a proof that this supposition is wrong.

      Here I'm talking about spam with usually nothing in Subject and
      just a link in body (sometimes with a few generic words added,
      possibly with a date or/and the genuine mailbox owner's signature).
      In the full header you can see that the spam was sent from a real
      user's mailbox using web-interface of usually yahooMail
      (sometimes AOL or Hotmail/MSN/live.com). For example:

      Received: from [] by web122601.mail.ne1.yahoo.com via HTTP; Sun, 03 Feb 2013 17:01:45 PST

      In this example ".yahoo.com via HTTP" means that it's not spoofing,
      the spam really was sent via the mailbox specified in "From:".
      I can trace/analyse Received lines, they show that they weren't forged
      by the spammer.

      If you look up the IP-address from such line, it usually happens to be in
      some random country other than where the rightful mailbox owner is.
      The spam is sent to all addresses from the compromised mailbox's
      webmail interface's address book. The spammer could change the mailbox's
      password or set up Reply-To or vacation reply, but chose to not do so,
      perhaps in order to keep low profile.

      2 days ago I got proof that the spammer uses neither XSS nor Wi-Fi sniffing:
      the rightful mailbox owner (in Australia) copied for me
      "recent sign-in activity" in her Account Info:

      > 5:54 PM Browser Mail Access Australia
      > 12:01 PM Browser Mail Access PA,
      > 12:01 PM Yahoo!7 Mobile Logged In PA,
      > 12:01 PM Browser Mail Access IL,
      > 12:01 PM Yahoo!7 Mobile Logged In IL,
      > Yesterday 9:30 AM Browser Mail Access Australia

      The lines with "PA" and "IL" are spammer's access (using zombies in USA).
      The [] in the example above corresponds with the Illinois here.
      Those lines contain "Logged In". That means that the spammer's software
      entered password, i.e. that the spammer stole password, not cookie.
      XSS exploits and traffic sniffers can steal login cookie
      but cannot steal passwords. Yahoo has protection against brute-force
      cracking (password guessing): try to enter wrong password several times
      in a row, your account will be locked for 24 hours.

      The Signing In process is conversion of password into cookie.
      I wrote software which Signs In to yahoo with a password, gets a login cookie
      and uses the cookie to access members-only Groups pages. The spammer's
      software also Signs In to yahoo, gets a login cookie and uses the cookie
      to access yahooMail pages to send the spam.
      An yahoo login cookie contains a hash and cannot be converted into password.
      If the spammer had a cookie, he'd not need to Sign In.
      But the spammer's software does in fact Sign In, as you see above.

      Therefore, her password was stolen with a drive-by exploit
      such as http://en.wikipedia.org/wiki/Zeus_%28trojan_horse%29
      or http://en.wikipedia.org/wiki/Blackhole_exploit_kit
      She said that she had up-to-date browser plugins.

      Such spam is epidemic: careless users click links in such spams,
      and their passwords get stolen too. Strong and unique passwords are stolen
      as easily as any others.

      The exploit can steal password only if the victim uses Windows.
      I use another operating system instead of Windows on an usual computer,
      so I'm immune to the exploit: for a proof I clicked a link in such spam,
      but addresses in my yahoo webmail address book weren't spammed
      though I don't Sign Out of yahoo.
      I wasn't asked for any password, i.e. phishing isn't involved here.

      Perhaps the "second sign-in verification" was designed to prevent
      using of stolen passwords, but it's voluntary, not mandatory,
      and works only in 14 countries. The spammer uses Yahoo!7 Mobile
      (au.mobile.yahoo.com) for Signing In, I can't check myself alone
      whether "second sign-in verification" covers that way of Signing In too
      (because my country isn't among those 14).

      Currently, my only recommendations what to do in cases of
      such spam to a yahooGroup are:

      1) put the member on moderation forever
      (the member is likely to have the mailbox compromised again);

      2) post to the group that the member and everybody who clicked the
      link in the spam must change mailbox password.

      Usual advices are to use latest (and kept up-to-date) Firefox or Chrome
      instead of Internet Explorer,
      to keep browser plugins updated
      and to use a really good antivirus monitor (not just antivirus scanner).
      But passwords get stolen despite of that.
      In the case above browser plugins were up-to-date,
      but her password still was stolen.
      Strong (long, complicate, unique) passwords are useless
      (are stolen with drive-by exploits as easily as simpler passwords)
      and give false sense of security.

      The only sure cure is for group members to use any free operating system
      instead of Windows on the same computer, for example
      or http://en.wikipedia.org/wiki/Linux_mint
      (paradoxically, in this case free is safe, paid is dangerous),
      but don't hold your breath. :-(


    Your message has been successfully submitted and would be delivered to recipients shortly.