Posted 25 December 2012 - 03:02 PM
On 12/20, I received an email from a co-worker with my first name in the subject, and the body that read, "hi Joe check this out http:// msn . msnbc . msnbc-news5 . com / jobs /" (spaces added to prevent recurrence). I had not heard from this person in a long time, so it was unusual to get this from them out of the blue. The second clue was the brevity of the email. I suspected it was spam, so I inspected the link and mistakenly identified the domain as msnbc, a legitimate website. However, the real domain is the first string before the top-level domain, ".com", and that is "msnbc-news5". Anyone could have registered that. I hovered my mouse over the link and checked the actual link in the browser frame to make sure that the link wasn't masked, and it was not. I then thought, I have the latest Chrome and McAfee SiteAdvisor; if there is malicious software, they will protect me, and I clicked the link.

The destination website was a work-from-home scam. I thought it was not legitimate after all and immediately closed that browser tab. Without my knowledge the cross-site script (XSS) started running, and from this point on my browser was sending 7 emails a minute to everyone in my contact list. This went on for 30 minutes. It was possibly shut down when Yahoo started demanding human verification on each email. Or it may have been when I started receiving Failure Notices in my inbox as the script sent emails to bad email addresses. I checked my sent folder and was extremely alarmed. I held the power button on my computer for 5 seconds to force a power supply hard shutdown. I switched to a different computer and confirmed that the emails had stopped. I began notifying everyone who had received an email from me about the malicious email. Yahoo email will not allow you to send a message to everyone in your contact list, so I had to send 209 emails individually as quickly as possible. Once all email recipients were notified, I started researching the damage.
I found other victims reporting the scam and asking for help dating back to November 12, 2012. Yahoo knows about the issue and is silent. The question appears in Yahoo Answers; they provide no response. The day after the attack, I booted my computer into safe mode with networking by pressing the F8 key during startup. I ran McAfee virus scan, Trend Micro, Norton, and Windows Defender and nothing was found (Norton reports cookies as possibly harmful because they are used for tracking to present targeted ads, and the information in them may be used against you by an XSS). I found no evidence that the hard drive of my computer was altered in any way.

The motive appears to be to get people to sign up for the work-from-home scam. The way I suspect it works is that somewhere on the fake MSNBC website there is a call to a Yahoo database into which the hacker has placed an XSS. It executes, reads the Yahoo cookie that contains your email session credentials (Yahoo needs this to function) and uses these to impersonate you to Yahoo's servers, composing and sending new emails. It doesn't get your Yahoo password, but I changed mine anyway. I contacted McAfee to find out why my up-to-date SiteAdvisor didn't prevent the display of a website that has been known to be malicious for over a month. It turns out SiteAdvisor integrates into Chrome to display threat ratings next to search results. It doesn't prevent you from visiting a harmful website.
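As an added illustration of the domain-parsing point made in the post (example code written here, not from the original poster): a small Python check that pulls the registrable domain out of a link and flags brand names that appear only as subdomain labels or inside a look-alike name. The URL is the one quoted in the post with the spaces removed; the brand allowlist is an assumed, hypothetical one.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: the deceptive link from the post, spaces removed.
SUSPECT_URL = "http://msn.msnbc.msnbc-news5.com/jobs/"

# Assumption: a hypothetical allowlist mapping brand names to the domains
# those brands really own. A real deployment would maintain its own list.
TRUSTED_BRANDS: Dict[str, str] = {"msnbc": "msnbc.com", "msn": "msn.com"}


def registrable_domain(url: str) -> str:
    """Return the part of the hostname the registrant actually controls.

    Simplification: assumes a single-label public suffix such as .com, so the
    registrable domain is the last two labels. Multi-label suffixes such as
    .co.uk need a public-suffix list, which is outside this example.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return host
    return ".".join(labels[-2:])


def brand_mismatches(url: str, brands: Dict[str, str] = TRUSTED_BRANDS) -> List[str]:
    """List brands whose name appears in the host even though the registrable
    domain is not one that brand owns. An empty list is not proof of safety;
    it only means this particular look-alike pattern was not seen."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    owned = registrable_domain(url)
    if owned in brands.values():
        return []  # a brand genuinely owns this host; subdomains are fine
    labels = host.split(".")
    return sorted(
        brand for brand in brands
        if any(brand in label for label in labels)
    )


if __name__ == "__main__":
    print(registrable_domain(SUSPECT_URL))  # msnbc-news5.com
    print(brand_mismatches(SUSPECT_URL))    # ['msn', 'msnbc']
```

The second call shows that both "msn" and "msnbc" occur only as decoration on a host that "msnbc-news5.com" controls, which is the distinction the poster missed at first glance.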