Why Yahoo Mail Accounts Are Being Hijacked
Why Yahoo Mail Accounts Are Being Hijacked
By Paul Wagenseil | LiveScience.com – 12 hrs ago
A festering flaw left unpatched on Yahoo's website may be the reason you've been getting an unusual amount of spam from friends' accounts lately.
The complicated, crafty process takes several steps, but works almost instantly. It ends up with bad guys in Eastern Europe nabbing Yahoo Mail accounts.
As detailed by Romanian security firm Bitdefender, it begins when a computer user gets an email or tweet with a link, sometimes shortened, to what seems to be a story on MSNBC.com or NBCNews.com offering job-hunting tips. (TechNewsDaily has professional relationships with MSNBC.com and NBCNews.com.)
A quick glance at the phony page is enough for the user's browser to be silently hit with hidden JavaScript, which in turn reaches out to a Yahoo page created especially for developers.
The Yahoo developers' page, created by WordPress, contains a software flaw that lets the bad guys' malicious script check the user's browser to see whether he or she is currently logged into a Yahoo account.
If so, then the malicious script steals the Yahoo session "cookies" from the browser and hands them off to the miscreants, who then use the account to pump out spam.
(The bad guys don't appear to be changing user passwords. But if your account gets hijacked, change your password immediately and then log off.)
The spam includes email messages meant to snare the passwords of even more Yahoo Mail users, starting the entire cycle again.
In a statement yesterday (Jan. 31), Yahoo said it had "learned of a vulnerability from an external security firm" and fixed the flaw.
One, two, three, four
Let's check off the common deceptions combined in this attack:
— A shortened URL, which can fool many people into going someplace they shouldn't. Unfortunately, shortened URLs are unavoidable these days, but one should be especially wary when they come embedded in an unsolicited email.
— A webpage which mimics the look of a commonly visited site and even tries to mimic the real URL. In the case cited by Bitdefender, the site's URL was at www.msnbc.msn.com-im9.net.
Bitdefender found that the com-im9.net domain name was registered in the Ukraine last Sunday (Jan. 27) and is hosted in Cyprus. Bad sign.
Emails received by this reporter included unshortened links to a similar domain name.
— Hidden webpage code which triggers a drive-by download. Malicious code is found on plenty of "real" webpages as well, and is especially a problem with third-party ads that site administrators have little control over.
— A flaw in WordPress, the frequently attacked blogging platform. The non-profit company that makes WordPress software is constantly updating it to stay ahead of hackers, but many WordPress users don't bother to apply updates.
Who's to blame?
Ultimately, this is Yahoo's fault. The company should have kept up on the latest WordPress updates, especially when using WordPress to host a forum for software developers.
The specific vulnerability that let these latest account hijacks happen was patched by WordPress in April 2012, nearly nine months ago.
Yahoo's had a rough patch lately in terms of user security. In June, 450,000 unencrypted usernames and passwords were stolen from a Yahoo subdomain.
In November, a cookie-stealing exploit for Yahoo, apparently unrelated to this latest one, appeared in hacker forums. It was still in action in early January.
The company recently gave users the option to enable full-time HTTPS, or secure communications, with the Yahoo site. In December 2011, it offered two-step verification, which texts a code to the user's mobile phone when a login attempt is made from an unfamiliar computer.
Unfortunately, neither of those features prevents cookie-stealing. Once a user's logged into Yahoo, he's logged into all Yahoo sites. (Google works the same way.)
The way to avoid cookie-stealing is to always log out of Yahoo Mail (and any other online account) when you're done using it. That ends your session and renders the session cookies useless.
Users should also routinely check the URLs of websites to make sure the sites are what they're supposed to be. If you land on a fake one, you'll be lucky if all it does is advertise a weight-loss cream.
fixin_dixon- Newbie
- Posts : 10
Join date : 2013-01-26
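An added example, not part of the quoted article or of any post in this thread: a JavaScript audit of Set-Cookie headers that reports which cookies page script on a sibling subdomain can read, which is the condition the article's cookie-stealing description depends on. The headers and the example.com host names are constructed placeholders, not Yahoo's actual cookies or hosts.

```javascript
// Constructed sample: cookies set by a login host (placeholder names and values).
const SAMPLE_HEADERS = [
  "SESSION_A=abc123; Domain=.example.com; Path=/; Secure",
  "SESSION_B=def456; Domain=.example.com; Path=/; Secure; HttpOnly",
  "SESSION_C=ghi789; Path=/; Secure",
  "PREFS=lang-en; Domain=example.com; Path=/",
];

// Parse one Set-Cookie header into the attributes that decide script visibility.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), domain: null,
                   hostOnly: true, httpOnly: false, originHost };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "domain" && v) {
      // A leading dot is ignored by browsers; a Domain attribute widens the scope.
      cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "httponly") {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

// RFC 6265 domain-match: the exact host, or a subdomain of the cookie domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Would script on pageHost see this cookie in document.cookie?
// Secure is deliberately not consulted: it restricts transport only,
// so script on an HTTPS page still sees a Secure cookie.
function readableByScriptOn(cookie, pageHost) {
  if (cookie.httpOnly) return false;
  return cookie.hostOnly ? pageHost === cookie.originHost
                         : domainMatches(pageHost, cookie.domain);
}

// Names of cookies set by originHost that script on otherHost can read.
function auditCookies(headers, originHost, otherHost) {
  return headers.map((h) => parseSetCookie(h, originHost))
    .filter((c) => readableByScriptOn(c, otherHost))
    .map((c) => c.name);
}

console.log(auditCookies(SAMPLE_HEADERS, "mail.example.com", "blog.example.com"));
```

Only the HttpOnly cookie and the host-only cookie stay out of reach of script on the sibling host; the Secure attribute alone does not change the result.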
Re: Why Yahoo Mail Accounts Are Being Hijacked
Interesting to finally get some info on this plague. Thanks. Help me out: they get into "developers'" pages, which would suggest they can only steal their contacts. Did I miss something about these developers having access to other Yahoo subscribers; that part of the article was really unclear. WordPress developers, hosting forums for software developers, would have perhaps contacts for those developers, but those developers are not us.
Also, I'm quite curious about "Once a user's logged into Yahoo, he's logged into all Yahoo sites. (Google works the same way.)"
ComputerGuy- Share Holder
- Posts : 3532
Join date : 2012-04-23
Re: Why Yahoo Mail Accounts Are Being Hijacked
Log in to Yahoo mail ... and then try Yahoo Finance or a Yahoo Group. They will all know you ... just like Google
Re: Why Yahoo Mail Accounts Are Being Hijacked
Ah, I see. Very misleading. I would only be logged into Yahoo sites I've joined, though, no?
ComputerGuy- Share Holder
- Posts : 3532
Join date : 2012-04-23
Re: Why Yahoo Mail Accounts Are Being Hijacked
Again, it is our old friend JAVA that allows them in. Safest thing you can do is uninstall it from your computer.
fixin_dixon- Newbie
- Posts : 10
Join date : 2013-01-26
Re: Why Yahoo Mail Accounts Are Being Hijacked
The trouble is Java came up with a fix, but according to the tech journals, their fix didn't block access to all of the back doors.
MexicoPete- Share Holder
- Posts : 2275
Join date : 2012-04-21
Age : 105
Location : Ajijic, Seattle, & Vancouver Island
Re: Why Yahoo Mail Accounts Are Being Hijacked
That's correct, Pete.
Java is a water bucket with a dozen holes in it. They put a cork in one of the holes but water is still pouring out of the other 11.
fixin_dixon- Newbie
- Posts : 10
Join date : 2013-01-26
Re: Why Yahoo Mail Accounts Are Being Hijacked
And so is Flash, and until HTML5 is everywhere, we rely heavily on both Java and Flash for most of our Internet A/V.
ComputerGuy- Share Holder
- Posts : 3532
Join date : 2012-04-23
Re: Why Yahoo Mail Accounts Are Being Hijacked
sparks wrote: Log in to Yahoo mail ... and then try Yahoo Finance or a Yahoo Group. They will all know you ... just like Google
I get daily digests of several Yahoo groups via my non-Yahoo email service. I do not need to be logged into my Yahoo account to receive the daily digests. Do I have the same vulnerability as if I were receiving them via Yahoo mail?
George
mattoleriver- Share Holder
- Posts : 769
Join date : 2011-09-12
Re: Why Yahoo Mail Accounts Are Being Hijacked
No; they have you on a qualified list of mailing members.
ComputerGuy- Share Holder
- Posts : 3532
Join date : 2012-04-23
Re: Why Yahoo Mail Accounts Are Being Hijacked
I absolutely despise Yahoo after getting jerked around by them over a Flickr account! I do subscribe to a Michoacan Yahoo message board but I never sign on and participate. I get the daily listing of messages and have spotted numerous hack type messages posted to the board with links that are designed to cause trouble. Not this kid!
CheenaGringo- Share Holder
- Posts : 6692
Join date : 2010-04-17
Re: Why Yahoo Mail Accounts Are Being Hijacked
You can still get the "Hey check this out" links to places you shouldn't go ... and the real user saying they didn't send that shortly after. Happens a lot lately
Re: Why Yahoo Mail Accounts Are Being Hijacked
Sparks, you are absolutely correct. Over the last couple of years, the virus writers' modus operandi has been to hack into an e-mail account and send e-mails to everyone in the contact list with a link to click on in the body of the e-mail.
So, you get an e-mail from, let's say your brother (it will always be someone YOU KNOW). You may have a subject line in the heading or maybe not. In the body may be a message (sometimes no message) and a link for you to click on. You click on the link and there is NO antivirus software that can help you. They now have control of your computer and e-mail and they start the process all over. I had one customer last month that had $10,000 taken from her bank account. This is scary stuff.
Fixin_Dixon
fixin_dixon- Newbie
- Posts : 10
Join date : 2013-01-26
Re: Why Yahoo Mail Accounts Are Being Hijacked
Speaking about hacked emails, another friend got that same email about medication (under medication warning) that I did, from the same person. I called the original alleged sender, she was very shocked that her email had been hacked. No way she had sent it to either of us.
I'll cut and paste the whole thing here for anyone who didn't see it.
Aww forget it, just don't open anything if the sender hasn't sent you a personal note so you know it's them first.
I got another one of those hey check this out ones, hit the delete button.
E-raq- Share Holder
- Posts : 1998
Join date : 2012-05-27