Kitz Forum

Computer Software => Security => Topic started by: sevenlayermuddle on April 25, 2013, 08:20:33 PM

Title: Yahoo account hacked
Post by: sevenlayermuddle on April 25, 2013, 08:20:33 PM
This morning I logged into a rarely used yahoo account.   Twenty minutes later, somebody from Georgia logged in and spammed all my contacts.   It won't have done them much good as the only contacts were me and myself, at different addresses, but it was certainly hacked as can be seen from the 'recent logins' page.

Now... I like to get to the bottom of these things.   Do I have to assume that machine I logged in from has been compromised?   It was my Mac and, whilst OS/X is not immune to nasties, it is a smaller target than Microsoft and so probability is reduced.

Any opinions welcome.

7LM
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 25, 2013, 10:08:59 PM
With apologies for the monologue, I may have a partial explanation as to why the hack seemed to be triggered by an actual login.

..Yahoo has only just started supporting SSL, and it's not on by default!  >:(

See http://help.yahoo.com/kb/index?locale=en_US&y=PROD_MAIL_ML&page=content&id=SLN3610

However, SSL was already in use for the login page, so I still can't figure out how they got my password.   One useful feature of Yahoo is the 'recent activity' page, which clearly shows the hacker logging in from an IP in Georgia, so they clearly did get that password.  Which has now of course been changed, using a different browser on a different PC.

There's not an awful lot of choice when it comes to AV software for Mac, so I have downloaded a trial Kaspersky and will do a full scan overnight.
Title: Re: Yahoo account hacked
Post by: kitz on April 26, 2013, 01:13:56 AM
I can't comment on the OS, although there are keyloggers out there for Macs that could be introduced via malicious means.

I know that years ago, the most common reason for Yahoo mail accounts being hacked was brute force (bots) on the password - particularly so if your user name was something that could be in demand.

However, I find it strange that the attack was triggered shortly after your own log in... more so if it's one that you've not logged in to for a while...  to me this would imply some sort of phishing scheme.

Just to check, how did you login...  was it via a bookmark...  or via an email link?
Title: Re: Yahoo account hacked
Post by: kitz on April 26, 2013, 01:25:21 AM
Hmmm...   on reflection it looks like your yahoo account has been hacked by this recent attack.   The report is sketchy on details (probably for obvious reasons) but at a guess it would appear the fault lies with something on the yahoo servers. 

I would have hoped that Yahoo would have identified the compromised accounts and advised their users.     Out of interest, once you'd logged in to your mail, did you look at any emails that may have been a tad strange?

http://www.channel4.com/news/yahoos-email-system-hacked-by-criminal-spammers


-----------


I've since seen a few reports that Mac users are being affected, and also that changing your password doesn't always help.   Looks like Yahoo mail may have a big problem atm :(

eg
http://uk.answers.yahoo.com/question/index?qid=20130316172423AAh2tfD


It would seem that yahoo says its plugged the leak, but according to the following it would appear not and users accounts are still being compromised :(

http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/?fromcat=all

This (to me) would seem to point to the fact that somewhere in your yahoo mailbox there was a corrupt mail just waiting to be opened.
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 26, 2013, 08:18:13 AM
Hi Kitz,

I'm also thinking it might be some kind of phishing or man in the middle.   In fact I logged in by typing 'yahoo.co.uk' into the address bar.  I have checked the browser history and there is no sign of any spelling mistakes.

That yahoo account is so rarely used that it hasn't even seen any spam, ever.   I created it as a means to access a 'group' somebody set up as a notice board for former colleagues, but the only thing I use the mail for is to prove receipt when I make any changes to other accounts.  Yesterday I tweaked a google apps account then posted a test message to yahoo, logged in and saw it was there, and that was that.

My Kaspersky scan on the Mac ran for many hours, but finished overnight with no nasties found.   I don't really care about the Yahoo account, but a keylogger on the Mac would be devastating.

Can't help thinking my case does seem to be so tightly defined and recorded, amid so many other similar hackings, as to point to the possibility that Yahoo's servers may be internally compromised, or some kind of DNS redirection took place.   There is no obvious way of contacting them to tell them about it, but I guess they would probably already know, even if they didn't publicly admit it.

As an amusing aside... That Channel 4 article looked interesting, and he was inviting people affected to get in touch.   I don't do twitter ( :) ) so I sent an email to Channel 4's published 'news' email address, which was promptly returned with an error saying their mailbox was 'over its quota'. :D

edit: removed an explicit email address that I probably oughtn't have quoted  :-[
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 26, 2013, 08:44:40 AM
Incidentally, that Channel 4 story does seem to be spot on.

My hacker's IP address was reported as 'Georgia', not entirely unrelated in my mind (notwithstanding political differences and warfare, no offence intended  :o) to what they said, 'Russian Federation'.   And they logged in via Yahoo mobile, same as in the news story, and various other reports I've seen.

The single spam that was sent to all of my contacts was a badly misspelled 'hello' as subject, and contained a fake story about some work from home scheme with a false hyperlink (which of course I have not clicked), similar to that described.
Title: Re: Yahoo account hacked
Post by: renluop on April 26, 2013, 09:02:37 AM
Not just Georgia I'd guess. A friend, user of BT Internet, "sent" me and others a similar message.
A free analyser traced apparent source to Thailand.

BTW/OT Forgettery allowed me to forget what I used! :o
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 26, 2013, 10:15:13 AM
Hmmm, another sinister sign...

When composing an email using my main mail interface, Thunderbird's IMAP, even though the mail was sent it has suddenly started asking for passwords that it should not need (it has its own password manager).   My hunch is that it is likely to be just the new Kaspersky putting a spanner in the works, but it could also be something horrible.

I have pulled the LAN cable (and disabled Wi-Fi), and revoked the Google Apps passwords that were assigned to Thunderbird while I think what to do, but I fear a complete reinstall of OS X is the only thing that'll let me sleep at night  :(

edit: fix my garbled grammar
Title: Re: Yahoo account hacked
Post by: asbokid on April 26, 2013, 12:52:30 PM
Hunch says it won't be OSX.

It's Yahoo that isn't fessing up to the cause of the problem. This is leaving everyone, including you, with headaches as to how it happened, with everyone blaming the security of their own PCs.  Best guess is that Yahoo's servers have been hacked (again).

cheers, a
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 26, 2013, 01:58:34 PM
>> Hunch says it won't be OSX.
>>
>> It's Yahoo that isn't fessing up to the cause of the problem. This is leaving everyone, including you, with headaches as to how it happened, with everyone blaming the security of their own PCs.  Best guess is that Yahoo's servers have been hacked (again).
>>
>> cheers, a

Totally agree with your hunch, but I don't want to take any chances at all, however remote they may be.   That Mac is my iOS development machine which, if my Apps ever made any money (fat chance  :D ) would be my pension.   

I've pretty much decided on the re-install.   If nothing else it'll satisfy a long-standing curiosity as to how much grief a new machine would entail.   I'm doing a backup now of all the user data I think I'll need, let's see how much I overlook    :'(

The most precious commodity - my source code - is actually held on a separate SVN server, and mail is online at google, so in theory it should be reconstructable even if I do screw up. 
Title: Re: Yahoo account hacked
Post by: asbokid on April 26, 2013, 03:13:46 PM
You're right. Wise move!  There's no point taking the risk and just hoping for the best.  Sounds like you have it all in order!  I only use a Yahoo account for a Yahoo group/mailing list, and it's absolutely flooded with spam and various phishing scams!  Something of a bad omen!

cheers, a
Title: Re: Yahoo account hacked
Post by: kitz on April 26, 2013, 10:19:51 PM
>> Hunch says it won't be OSX.
>>
>> It's Yahoo that isn't fessing up to the cause of the problem. This is leaving everyone, including you, with headaches as to how it happened, with everyone blaming the security of their own PCs.  Best guess is that Yahoo's servers have been hacked (again).
>>
>> cheers, a

I would wholeheartedly agree.
Title: Re: Yahoo account hacked
Post by: HPsauce on April 26, 2013, 10:26:08 PM
I don't know what's going on but several of my customers have had problems with Yahoo in recent days.
The worst was a new (well recent, live for some weeks now) BT internet customer whose email account was just not set up by Yahoo.
It took over an hour on the phone by me (they're in their 80s) to sort out a new email account and link it to their BT account; the one allocated and notified to them by BT never was set up. No explanation, no apology, no compensation.  >:D
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 26, 2013, 10:42:56 PM
Pondering these events during a long soak in the bath, another factor crystalised.

Many of the news stories talked of how this hacker deleted the contacts list after the attack.  That did not happen in my case; when I logged in to investigate about 7 hours after the hack, the first thing I did was to check my contacts to see if it had changed.   It hadn't, just four different addresses for myself, as expected.

But another few hours later, the prophecy was fulfilled, my contacts list was empty.

One possible explanation for this would be that Yahoo are actively monitoring for evidence of this hacker and, after they detect his/her exploits, they themselves may be actively deleting users' contact lists to thwart any repeated spam releases.   That would be significant, as it would imply Yahoo are more aware of the whole issue, and more troubled by it, than has been apparent in most of their press releases.   :hmm:
Title: Re: Yahoo account hacked
Post by: kitz on April 26, 2013, 11:21:58 PM
>>> they themselves may be actively deleting users' contact lists to thwart any repeated spam releases

I don't think that they would do that...  especially since this is part of the original exploit anyhow.  :no:

I really do think Yahoo has a much more serious problem than they care to admit.   Last night when I was googling, I came across the actual source code that the hacker had written; it was late and I didn't pursue it any further, aside from a quick scan.    As mentioned I didn't look properly, but I wouldn't be surprised if somehow the session data was being compromised.   This could also explain why the contacts disappeared later... ie when the session expired...  it is about the only way I can think of as to how the hacker is so freely and easily getting so many passwords.

When you look at the report that came with the source, the hacker said something about how an earlier XSS exploit from a previous year had been patched.. but not properly... which allowed him to tweak his code and still gain access.   I suspect that Yahoo may have either been lazy again with a patch, or their servers are seriously compromised. (possibly both!).

Looking around the net, there does seem to be a wave of new users reporting this same problem now in April :(
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 26, 2013, 11:51:05 PM
  This could also explain why the contacts disappeared later... ie when the session expired...

Getting out of my knowledge and 'comfort zone' on this one, but it is possible that the contacts disappeared about the time I changed the password.  I guess that password change might have forcibly expired the session?
Title: Re: Yahoo account hacked
Post by: kitz on April 27, 2013, 12:44:38 AM
>>> I guess that password change might have forcibly expired the session?

Very likely -depends just on what is stored in the Yahoo session cookie. 
Session cookies will always expire when the browser page is closed.

Take for example the adslchecker; I use session cookies for that as it (temporarily) stores the postcode/phone no.  As soon as new information is input or the page is closed then none of the previous information is remembered.   I choose not to store any of this personal info on my server, but obviously Yahoo will also store login info on their server too.

Depending on the type of XSS attack, then I suppose it's not impossible to also pick up new login details too.. I don't know enough about it to say for sure one way or the other. 
What I saw of the code last night I would imagine it's one of the DOM-based vulnerabilities (https://en.wikipedia.org/wiki/Cross-site_scripting#Traditional_versus_DOM-based_vulnerabilities) - most likely non-persistent.

Once this info has been reaped, then stage 2 will kick in and send out the spam mails and delete contacts.. (or whatever the hacker wants to use your Yahoo account for), this part of the automated script is hosted elsewhere (probably proxies involved? )... which is why the login shows as coming from a different location than your own.
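Worked example of the point raised just above (added here as an illustration; it is not Yahoo's code and not from any post in the thread): a server-side session table that ties every session to the user's current password "revision", so that a password change rejects every token issued before it on its next use, whether or not the browser that holds it was ever closed. Which data lives in the cookie versus on the server is the design decision being asked about; here the cookie carries only an opaque token. The class, method and cookie names are assumptions.

```python
import secrets
import time


class SessionStore:
    """Server-side session table keyed by an opaque token, which is all the
    cookie carries.  Every user has a revision counter; a session remembers the
    revision it was issued under, so bumping the counter (on password change,
    or on 'sign out everywhere') makes every earlier token dead on its next
    use, whether or not the browser holding it was ever closed."""

    def __init__(self, idle_timeout=30 * 60):
        self._sessions = {}   # token -> [user, revision, last_seen]
        self._revision = {}   # user  -> current revision
        self.idle_timeout = idle_timeout

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits, not guessable
        rev = self._revision.setdefault(user, 0)
        self._sessions[token] = [user, rev, now]
        return token

    def resolve(self, token, now=None):
        """User for a presented token, or None if it must be rejected."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, rev, last_seen = entry
        if now - last_seen > self.idle_timeout or rev != self._revision[user]:
            del self._sessions[token]              # forget it, not just refuse it
            return None
        entry[2] = now
        return user

    def _revoke_all(self, user):
        self._revision[user] = self._revision.get(user, 0) + 1

    def change_password(self, user):
        # ...verify and store the new password hash here (omitted)...
        self._revoke_all(user)

    def logout_everywhere(self, user):
        self._revoke_all(user)


def session_cookie(token):
    """Set-Cookie value for the token.  HttpOnly keeps document.cookie, and so
    any DOM-based XSS, from reading it; Secure keeps it off plain HTTP."""
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    stolen = store.login("alice", now=1000)       # token copied by an attacker
    print("attacker, before change:", store.resolve(stolen, now=1100))  # alice
    store.change_password("alice")
    print("attacker, after change: ", store.resolve(stolen, now=1200))  # None
    print(session_cookie(store.login("alice", now=1300)))
```

The revision counter is what answers the question above: a stolen token keeps working until the password change, and stops immediately after it, without the server having to scan and delete sessions. Whether a particular provider actually does this is not something the thread establishes.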

Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 27, 2013, 08:11:11 AM
I don't know if it is relevant, but I continue to strongly contest the idea that I may have clicked on any link embedded in my Yahoo email.  It's not just that I consider myself too savvy, we'd all say that, it is that there was absolutely nothing there other than the test message I'd just sent myself from Google.   That Yahoo address is so rarely used that it hasn't even seen any spam, ever.

It is theoretically possible that, in a senior moment, I may have opened a dodgy email in my google mail while the yahoo page was open, but that is still extremely unlikely.   I have double checked all recent emails in my google inbox, and all were legitimate.

If I was duped into visiting another website, I think it must have been by some other means than an email link.
Title: Re: Yahoo account hacked
Post by: kitz on April 27, 2013, 01:31:41 PM
>> I continue to strongly contest the idea that I may have clicked on any link embedded in my yahoo email

You are not alone in that - other people have also reported the same. 

-----

I've just tracked down the code again.  Yes it is a DOM based XSS attack, which is taking its information from the session cookie.

The author's comments are interesting about the Yahoo library being vulnerable (http://abysssec.com/files/Yahoo!_DOMSDAY.pdf#page=7&zoom=100,69,720); as you will see as you read through the document, Yahoo keep applying patches thinking they've fixed it, but further exploits continue to be found within other parts of the Yahoo library.

Something to note that in step III - Exploiting the vulnerability (http://abysssec.com/files/Yahoo!_DOMSDAY.pdf#page=8&zoom=100,69,720) that although Abyssec's code specifically shows a click being required, there is mention of a method of triggering the exploit "without even [requiring] a click" by the user.

The more recent hack attempts will likely be based on his code, but with a few tweaks.  What concerns me and what I don't know enough about is his reference to adspecs.yahoo.com.   His code is showing the opening of a new window to adspecs which is where the info is being stolen from. 

Could new and more sophisticated code be implemented which shows an ad from a bad source and doesn't require user interaction?   I'm really out of my depth now and know stuff all about adspecs, but what if one of the third party advertisers' (http://adspecs.yahoo.com/thirdparty.php) adverts contained rogue code? 

The above is certainly not beyond the realms of possibility because Zynga had a hack attempt about 3 yrs ago that came via a rogue advertiser XSS script.  Most of those attempts were caught because of browser cross frame scripting.  But adspecs uses the same TLD, and the Abyssec code specifically mentions the avoidance of this problem.   

If ads are rotated or targeted, it wouldnt catch all users, but surely it would still net quite a few accounts!

Is someone clever enough to piece everything together and write the code for it?   Yahoo's history of security seems to be 'close the stable door after the horse has bolted' and only patch holes rather than plug them beforehand.  Their attitude seems to be denial that it happened rather than checking for more open doors.  :(
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 27, 2013, 02:20:02 PM
That's fascinating, thanks for digging it up.  I can't pretend I understand all of it, way out of my league, but I'll read it a few times more and see if comprehension breaks through.

It's actually only the second time I ever experienced an attack at first hand, so I was interested to know how it was done.   The other time was when a Windows system got infected with one of those fake AV progs.    I installed KAV which found & fixed it, but I felt quite smug that it found absolutely nothing else amiss despite having run Windows for many years without any AV at all.  I do of course insist on an AV nowadays for Windows, and might even put one on the Mac now, though I guess it may not have helped this time.

I'm thinking it's a pity I had the Safari browser configured to keep history for just a day, so it has now evaporated.   Otherwise I'd be stepping through the history page by page in a text editor around the time it happened, looking for clues about every website that got visited.   

I reduced the history size because, for reasons that I'll never accept as being reasonable  ??? , OS X Safari is well known to be quite a CPU hog; you can often hear the disk heads thrashing mercilessly whenever the browser is open.  Rumours are it's chewing over its history trying to 'optimise' something, so I like to keep it short.   But that's off topic, thanks again for the comments.
Title: Re: Yahoo account hacked
Post by: sheddyian on April 29, 2013, 01:15:15 PM
Couple of threads popped up regarding Yahoo hacking on Digital Spy forums :

http://forums.digitalspy.co.uk/showthread.php?t=1820548

http://forums.digitalspy.co.uk/showthread.php?t=1821777

So it seems it's still going on!

Ian
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 29, 2013, 02:21:00 PM
>> Couple of threads popped up regarding Yahoo hacking on Digital Spy forums :
>>
>> http://forums.digitalspy.co.uk/showthread.php?t=1820548
>>
>> http://forums.digitalspy.co.uk/showthread.php?t=1821777
>>
>> So it seems it's still going on!
>>
>> Ian

Fascinating.

For anybody else affected, I'd mention the following...

...First thing to do is just login, then navigate to the 'recent logins' page.   If you see, in among all the local UK logins, one from (say) Georgia, then it is fair to assume the account was hacked.   You can also check your 'sent' folder, but the hacker can easily delete things they have sent.

You should certainly change the password, but if an XSS attack was involved (kitz may correct me on this), the same hack will work just as well with your new password, so don't stop worrying about it just because you have a new password.   Continue to be extra careful about opening dodgy-looking emails or, worse, clicking on links within them.

Have to say I'm much happier with Google's security, in particular the two step verification process, which I think would probably prevent the same scenario if anybody ever found a similar XSS attack method on google.
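The checklist in the post above, turned into an added example that is not part of the thread: it parses a constructed copy of the 'recent sign-in activity' list (with 'location' switched to 'IP address', as described later in the thread), flags any sign-in from outside the networks you know you use, and notes when such a sign-in follows one of your own by minutes, which is the pattern reported here. The log lines, the trusted network and every address (RFC 5737 documentation ranges, not the ones mentioned in the thread) are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sign-in activity in the shape of the provider's page once
# 'location' is switched to 'IP address'.  Addresses are RFC 5737 ranges.
SIGNIN_LOG = """\
2013-04-25 08:05 | 198.51.100.23 | Browser | United Kingdom
2013-04-25 08:25 | 203.0.113.77  | Mobile  | Georgia
2013-04-25 15:10 | 198.51.100.23 | Browser | United Kingdom
2013-04-26 09:00 | 198.51.100.23 | Browser | United Kingdom
2013-04-26 09:01 | 192.0.2.200   | Browser | NY US
2013-04-26 22:40 | 198.51.100.23 | Browser | United Kingdom
"""

# Networks you sign in from yourself (home, office, phone); assumed here.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """One dict per line, oldest first."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, ip, client, location = (f.strip() for f in line.split("|"))
        entries.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "ip": ipaddress.ip_address(ip),
            "client": client,
            "location": location,
        })
    return sorted(entries, key=lambda e: e["time"])


def is_trusted(ip, networks=TRUSTED_NETWORKS):
    return any(ip in net for net in networks)


def flag_suspicious(entries, networks=TRUSTED_NETWORKS, window=timedelta(hours=1)):
    """Every sign-in from outside the trusted networks is flagged.  If it lands
    within `window` of a trusted sign-in it is also tagged with the gap, the
    'my login, then theirs a few minutes later' pattern from the thread."""
    flagged = []
    last_trusted = None
    for e in entries:
        if is_trusted(e["ip"], networks):
            last_trusted = e["time"]
            continue
        reason = "untrusted network"
        if last_trusted is not None and e["time"] - last_trusted <= window:
            gap = int((e["time"] - last_trusted).total_seconds() // 60)
            reason += f"; {gap} min after a trusted sign-in"
        flagged.append((e["time"].strftime("%Y-%m-%d %H:%M"),
                        str(e["ip"]), e["client"], e["location"], reason))
    return flagged


if __name__ == "__main__":
    for row in flag_suspicious(parse_log(SIGNIN_LOG)):
        print(" | ".join(row))
```

The trusted-network list is the weak point of this check: if the attacker is on the same ISP range as you, or you sign in from many places, the IP filter says nothing and only the timing and client columns are left. The 'sent' folder, as the post says, is not evidence either way, since whoever has the password can empty it.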
Title: Re: Yahoo account hacked
Post by: kitz on April 29, 2013, 05:21:04 PM
It does indeed seem like there is a new wave of this, and based on the fact that so many of the more recent attacks have claims that they haven't clicked on links, then it's not beyond the realms that someone has found another exploit in the Yahoo library and has been 'clever' enough to use it without requiring a click.   Although Abyssec's original code required a user click, there is clear mention that a non-click method is also possible.

>> but if an XSS attack was involved then (kitz may correct me on this), then the same hack will work just as well with your new password,

I'm honestly not sure.  Because it uses session cookies, if you delete all suspect mail, close the browser and then change the password you should be ok.   
However what is not clear is just how passwords are being reaped...  it would only take another 'bad mail' to trigger the process again..   OR...  if it is somehow coming via a rogue 3rd party adspecs.yahoo.com advertiser script then it could be triggered each time you open your mail.

Put it this way, I'm not opening my (mostly dormant) Yahoo account to check my own account until I know for sure that Yahoo have sorted their act out.   

It also concerns me that Sky have recently moved over to using Yahoo mail, so we could also possibly be seeing a new wave of complaints come from there.   

I'd recommend that Sky users (or BTYahoo) use POP3 and download mail to their PC rather than use the webmail service.   It's not total security, but at least you're not going to be using a session cookie, and your email client should hopefully have more chance of catching any nasty script attachments.

--------

I should mention that (normally) session cookies are not bad..  most of the Internet wouldn't work without them.  The problem here seems to be that Yahoo has a massive library of its own scripts which are possibly very much out of date and exploitable.   
Most modern browsers would normally pick up XSS types of attack (like they did with the Zynga attempt - because the XSS came from a different domain name).   -  Unlike the Yahoo hack where it appears to be using http://adspecs.yahoo.com/  and all the scripts (mail included) share the yahoo.com domain and Yahoo libraries.

Finally I should also state that I'm no expert on this subject and I'm only surmising from what information I know from what little I've done in session cookies and a morbid curiosity in wanting to know how trojans/hacks etc work during my dissertation days.  I'm not clever enough to actually write something like this... so I'm happy to be corrected if anyone has more info.
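Added example, not from any post in the thread, of what "sharing the yahoo.com domain" means for a session cookie in practice, using Python's standard-library cookie jar as the client. A cookie that mail.example.com sets with Domain=.example.com is presented to adspecs.example.com as well; a host-only cookie (no Domain attribute) is presented only to mail.example.com; nothing is presented to another registrable domain, or over plain HTTP when the cookie is marked Secure. example.com, the host names and the cookie names are stand-ins for whatever a real provider uses.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies, which
    only calls .info() and reads the Set-Cookie headers from it."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value      # Message keeps repeats
    def info(self):
        return self._headers


def jar_after_login(origin_url, set_cookie_values):
    """A client cookie jar after a login response at origin_url set cookies."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie_values),
                        urllib.request.Request(origin_url))
    return jar


def cookies_sent_to(jar, url):
    """The Cookie request header the client would attach to a request to url,
    or '' if nothing in the jar is in scope for that host, path and scheme."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie") or ""


# Constructed login response: one cookie scoped to the whole registrable
# domain, one host-only cookie (no Domain attribute).  Names are invented.
LOGIN_RESPONSE = [
    "sid_wide=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",
    "sid_host=def456; Path=/; Secure; HttpOnly",
]


if __name__ == "__main__":
    jar = jar_after_login("https://mail.example.com/", LOGIN_RESPONSE)
    for url in ("https://mail.example.com/inbox",
                "https://adspecs.example.com/",
                "https://example.org/",
                "http://mail.example.com/"):
        print(f"{url:40} -> {cookies_sent_to(jar, url) or '(nothing)'}")
```

Two things this does not change. The same-origin policy is per origin (scheme, host and port), so a script running on one subdomain cannot read another subdomain's page just because the cookie domain is shared; and an HttpOnly cookie is invisible to document.cookie whatever its Domain scope. The scoping shown here decides which hosts receive the cookie on requests, not whether a DOM-based XSS can read it.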

Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 29, 2013, 09:41:40 PM
>> Where is the activity login page?  I have checked my account and can't find it.
>>
>> Thanks
>>
>> gom

Click on your name, 'hello gom' or whatever, pull down 'account info'.  It'll probably ask for your password again.

On the next page, in the left column of second pane, you'll see 'View your recent sign-in activity'

That produces a list of recent signin locations.   You can also click on the box at the top of that column and change 'location' to IP address.   

In my case the location was stated as 'Georgia' but by the time I found the IP address facility, I'd logged in too many times and it had dropped off the end of the log.  But the IP address in the header of the emails sent by the hacker was in the range 31.146.92.something .   That is a 'silknet' IP, silknet being Georgia's national telecoms carrier, consistent with the hacker being Georgia-based.

Note I have not published the full IP, and I don't think we should do so.   That may turn out to be unfair if silknet use dynamic IPs in which case the offending IP may by now be reassigned to an innocent by-stander.    If anybody wants to know the '.something' then PM me and I'll tell you.
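Added example (not part of the post above) of pulling the originating address out of a message's Received chain, which is where the header IP mentioned above comes from. The message, the example.net hosts and the addresses (RFC 5737 documentation ranges) are constructed, and the attribution table stands in for the whois lookup, which needs network access. The hops are read oldest first and addresses inside the provider's own network (RFC 1918, loopback) are skipped, since they identify a webmail server, not a person.

```python
import email
import ipaddress
import re

# Constructed message in the shape of the 'hello' spam described in the thread,
# with the Received chain a webmail send normally leaves: originating client ->
# webmail host -> outbound MTA -> recipient MX.  Hosts and addresses invented.
RAW_MESSAGE = """\
Received: from mta2.example.net (mta2.example.net [198.51.100.9])
\tby mx.recipient.example (Postfix) with ESMTP id 4ZkQ
\tfor <victim-other@example.org>; Thu, 25 Apr 2013 08:40:12 +0100
Received: from webmail7.example.net ([10.0.5.21])
\tby mta2.example.net with ESMTP; Thu, 25 Apr 2013 08:40:10 +0100
Received: from [203.0.113.77] by webmail7.example.net via HTTP;
\tThu, 25 Apr 2013 08:40:09 +0100
X-Originating-IP: [203.0.113.77]
From: victim@example.net
To: victim-other@example.org
Subject: helo

wanna work from home? http://example.invalid/
"""

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Hops inside a provider's own network; not attributable to a sender.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Stand-in for what whois / the RIR would report for a range (constructed).
KNOWN_RANGES = {
    "203.0.113.0/24": "TEST-NET-3 documentation range (stand-in for the sender's ISP)",
}


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def received_chain(raw):
    """Received headers oldest first (each relay prepends, so reverse them)."""
    msg = email.message_from_string(raw)
    return list(reversed(msg.get_all("Received") or []))


def originating_ip(raw):
    """First non-internal address in the 'from' part of the oldest Received hop
    that has one, else the X-Originating-IP header, else None."""
    for hop in received_chain(raw):
        from_part = re.split(r"\sby\s", hop, maxsplit=1)[0]   # ignore the 'by' host
        for match in IPV4.findall(from_part):
            ip = ipaddress.ip_address(match)
            if not is_internal(ip):
                return str(ip)
    xoip = email.message_from_string(raw).get("X-Originating-IP")
    if xoip:
        m = IPV4.search(xoip)
        if m:
            return m.group(0)
    return None


def attribute(ip):
    """Owner of the range the address falls in, from the constructed table."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in KNOWN_RANGES.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return "unknown; run whois"


if __name__ == "__main__":
    ip = originating_ip(RAW_MESSAGE)
    print(ip, "->", attribute(ip))
```

Two caveats a practitioner would add. Only the Received lines written by servers you trust (your own provider's, and the sender's provider's if you trust it) are evidence; anything older in the chain, and X-Originating-IP, can be typed in by whoever sent the message. And, as the post says, a consumer range is usually dynamic, so the address identifies the network at that moment rather than a person.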
Title: Re: Yahoo account hacked
Post by: HPsauce on April 29, 2013, 09:56:48 PM
They're obviously doing something to try to mitigate this. I logged into a rarely-used Yahoo (and then normally POP/SMTP) account via webmail from a place I was visiting the other day.
I got asked additional security information AND an email was sent to the "backup" account to warn of the login.
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on April 29, 2013, 10:20:01 PM
>> They're obviously doing something to try to mitigate this. I logged into a rarely-used Yahoo (and then normally POP/SMTP) account via webmail from a place I was visiting the other day.
>> I got asked additional security information AND an email was sent to the "backup" account to warn of the login.

Sounds like they've identified you as a dodgy character, HP.  And who are we to question them?   :angel:

Seriously, that's interesting. I'll be visiting my father's flat next week, I must remember to login again from his IP and see if that happens to me too.
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on May 17, 2013, 09:42:10 AM
This is getting beyond a joke.  I have another Yahoo account which I'd used only once.  I logged into it when I started this thread to check the log and see if it might have been hacked too; it hadn't.

But I just checked again and moments after I'd checked it the first time, came what appears to be another hack, from a 'NY US' location.  That's two out of two accounts both hacked.  Plus Geep's and Chrissie's.   This time I received no spam.  The only evidence was in the logfile, which would go unnoticed by the majority of people.  I really wonder now how big this thing might have become?   :o :o

Pattern was similar;  A minute after my own login came another, then a second.  This time both logins were 'browser' logins, whereas before, the first one was 'mobile'.

Much more interesting, by selecting IP address instead of 'location', I can see that the hacker came from two different IPs..  66.196.116.xxx, then immediately afterwards, 63.250.196.xxx

From whois....
The first of these is assigned to 'Inktomi Corporation', which I think is now owned by Yahoo Inc
The second is assigned to  'Yahoo! Broadcast Services, Inc'

Make of that what you will.


PS:  More digging I need to amend all of above.

When I logged in this morning, I had to 'reactivate the account', being told that it may have been closed through lack of use.  That didn't surprise me and anyway, it seems closed accounts can be reactivated just by logging in.  But on further experimentation, if I manually close the account then reactivate it, I ALWAYS see an immediate login from another  63.250.196.124, I guess it's just a Yahoo server doing what I asked it to do.  Maybe I asked for it to be closed a few weeks ago too, and forgot.  So maybe that second account wasn't hacked as such.   :-[

But I am not sure whether or not to be alarmed by the fact that Yahoo admin activity shows up as a normal browser login (from a Yahoo IP) in the 'recent logins', the instant I hit the 'delete' button.  Can't help thinking that might be significant.
Title: Re: Yahoo account hacked
Post by: sevenlayermuddle on October 03, 2017, 11:59:51 PM
Yes this is a thread that’s been dormant for four years.

But interesting all the same.  Seems it wasn’t just me affected or just people with (say) names beginning with 7, it was absolutely everybody.    :o

http://www.bbc.co.uk/news/business-41493494