Loading ...
Sorry, an error occurred while loading the content.

Re: [Y-Mail] Despite its efforts to fix vulnerabilities, Yahoos Mail users continue reporting hacking incidents - The Next Web

Expand Messages
  • lena_kiev
    ... Right. ... Right. ... Not cookie, but yahooID and password, not hashed. Then another piece of malware uses a bot in another victim s computer (in a random
    Message 1 of 25 , Jun 19, 2013
    • 0 Attachment
      > From: Chris J Brady <chrisjbrady@...>

      > The hackers of Yahoo accounts are not guys sitting at a PC keyboard
      > randomly typing in characters like the proverbial monkeys typing in
      > the complete works of Shakespeare. Neither is it a computer
      > generating random letter passwords and trying them until one fits.

      Right.

      > The vulnerability is that a user having clicked on an embedded URL
      > in an email is taken to a rogue webpage. Or maybe has not even
      > clicked on an embedded URL and in the course of surfing has
      > been taken to a rogue webpage. This has installed a virus (a
      > snippet of XML / Javascript / whatever / code) onto the user's PC.

      Right.

      > This is turn sends the the Yahoo cookie file containing the account
      > name and password to the hackers.

      Not cookie, but yahooID and password, not hashed.

      Then another piece of malware uses a bot in another victim's computer
      (in a random country) to give the yahooID and password to the
      m.yahoo.com website (for mobile devices) and get an yahoo cookie
      (containing a hash) in return. That leaves a line "Mobile Logged In"
      in first victim's "Recent sign-in activity" (linked from Account Info).
      Then (usually via the same bit, sometimes via another bot in another
      country, but in under a minute) it uses that cookie to access
      regular mail.yahoo.com website to harvest email address from
      letters in Sent and Inbox folder (and possibly Contacts too) and spam them.
      That leaves another line "Mail Access" in first victim's
      "Recent sign-in activity".

      I can't test myself because my country isn't in the list
      (yahoo cannot send me a SMS).
      Please somebody who "Set up your second sign-in verification"
      Sign Out, then on the m.yahoo.com/mail website sign in,
      preferably via another ISP.
      Does the m.yahoo.com website (used by the felon too)
      require to type something from SMS?

      > The virus script does two other things. Periodically - until removed

      Until the password is changed. The trojan which stole the password
      doesn't send the spam, it only phones home the stolen password.

      Another piece of malware does this:

      > it sends an email out - with a one line URL to another roge
      > website - to one, many, all contacts in the user's address book.

      Or/and addresses harvested from letters in Send and Inbox folders.

      > I have not found out how to remove the XML / Javascript / whatever
      > code that represent the virus. Perhaps someone here can say. Virus
      > protection apps will not detect it.

      The felon tests the drive-by exploit kit
      and (stealthy encrypted polymorphic) trojan it installs
      aganinst multiple antiviruses
      and makes sure that the exploit kit and trojan
      can evade or disable all the antiviruses.
      Antivirus vendors lost the war.

      > However I understand that one protection is to ALWAYS log out of a
      > Yahoo session after finishing which apparently then kills the cookie
      > containing the user's account and password.

      The trojan steals password, not cookie. So, to Sign Out is useless
      in this case.
    Your message has been successfully submitted and would be delivered to recipients shortly.