Hacked Yahoo Mail account address book


2 replies to this topic

#1 Shihmin


Posted 19 December 2012 - 05:03 PM

Spam emails were being sent to the contacts in my Yahoo contact list from my email account. I think this was caused by my mistakenly clicking a link ‘msn.msnbc.com-…/jobs’ from my friend's email, as all the spam emails sent by my Yahoo account had a similar link.

My PC does have the most updated version of Norton Premier edition and the scan returned with no virus detected. Your assistance in providing the instructions to diagnose and remove this virus or malware would be greatly appreciated.

Regards,

Shihmin Peng



#2 Laughing Bird


Posted 25 December 2012 - 03:02 PM

On 12/20, I received an email from a co-worker with my first name in the subject, and the body that read, "hi Joe check this out http:// msn . msnbc . msnbc-news5 . com / jobs /" (spaces added to prevent recurrence). I had not heard from this person in a long time, so it was unusual to get this from them out of the blue. Second clue was the brevity of the email. I suspected it was spam so I inspected the link and mistakenly identified the domain as msnbc, a legitimate website. However, the real domain is the first string before the top level domain, ".com", and that is "msnbc-news5". Anyone could have registered that. I hovered my mouse over the link and checked the actual link in the browser frame to make sure that the link wasn't masked, and it was not. I then thought, I have the latest Chrome and McAfee SiteAdvisor, if there is malicious software, they will protect me, and I clicked the link.

The destination website was a work from home scam. I thought it was not legitimate after all and immediately closed that browser tab. Without my knowledge the cross site script (XSS) started running, and from this point on my browser was sending 7 emails a minute to everyone in my contact list. This went on for 30 minutes. It was possibly shut down when Yahoo started demanding human verification on each email. Or it may have been when I started receiving Failure Notices in my inbox as the script sent emails to bad email addresses.

I checked my sent folder and was extremely alarmed. I held the power button on my computer for 5 seconds to force a power supply hard shutdown. I switched to a different computer and confirmed that the emails had stopped. I began notifying everyone who had received an email from me about the malicious email. Yahoo email will not allow you to send a message to everyone in your contact list, so I had to send 209 emails individually as quickly as possible. Once all email recipients were notified, I started researching the damage.

I found other victims reporting the scam and asking for help dating back to November 12, 2012. Yahoo knows about the issue and is silent. The question appears in Yahoo Answers; they provide no response. The day after the attack, I booted my computer into safe mode with networking by pressing the F8 key during startup. I ran McAfee virus scan, Trend Micro, Norton, and Windows Defender and nothing was found (Norton reports cookies as possibly harmful because they are used for tracking to present targeted ads, and the information in them may be used against you by an XSS). I found no evidence that the hard drive of my computer was altered in any way.

The motive appears to be to get people to sign up for the work from home scam. The way I suspect it works is that somewhere on the fake MSNBC website there is a call to a Yahoo database into which the hacker has placed an XSS. It executes, reads the Yahoo cookie that contains your email session credentials (Yahoo needs this to function) and uses these to impersonate you to Yahoo's servers, composing and sending new emails. It doesn't get your Yahoo password, but I changed mine anyway.

I contacted McAfee to find out why my up-to-date SiteAdvisor didn't prevent the display of a website that has been known to be malicious for over a month. It turns out SiteAdvisor integrates into Chrome to display threat ratings next to search results. It doesn't prevent you from visiting a harmful website.
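
The domain check described in post #2, written out as an added example that is not part of the original thread: it extracts the registrable domain from a link and flags hosts that reuse a trusted brand name outside that brand's own domain. `SUFFIXES` is a small constructed stand-in for the Public Suffix List, and `TRUSTED`, `registrableDomain` and `inspectLink` are hypothetical names chosen for this sketch.

```javascript
// Added example: find the registrable domain of a link and flag brand lookalikes.
// SUFFIXES is a tiny constructed stand-in for the Public Suffix List (assumption).
const SUFFIXES = new Set(["com", "net", "org", "co.uk", "com.au"]);

// Registrable domains the reader actually trusts (constructed list).
const TRUSTED = ["msnbc.com", "msn.com", "yahoo.com"];

// Return the registrable domain: the public suffix plus one label to its left.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Longest candidate first, so a multi-label suffix such as "co.uk" is
  // matched before any shorter suffix.
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Suffix not in the list: fall back to the last two labels.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Classify a link as trusted, lookalike (brand name outside its own domain) or unknown.
function inspectLink(rawUrl) {
  // Accept the space-separated form quoted in the post above.
  const url = new URL(rawUrl.replace(/\s+/g, ""));
  const host = url.hostname;
  const domain = registrableDomain(host);
  if (TRUSTED.includes(domain)) return { host, domain, verdict: "trusted", imitated: [] };
  // Brand = first label of a trusted domain, e.g. "msnbc" from "msnbc.com".
  const brands = TRUSTED.map((d) => d.split(".")[0]);
  // Split on dots and hyphens so "msnbc-news5" yields the token "msnbc".
  const tokens = host.split(/[.-]/);
  const imitated = brands.filter((b) => tokens.includes(b));
  return { host, domain, verdict: imitated.length ? "lookalike" : "unknown", imitated };
}

// The link from post #2, kept in the spaced form the poster used.
const sample = "http:// msn . msnbc . msnbc-news5 . com / jobs /";
console.log(inspectLink(sample));
```

Subdomain labels to the left of the registrable domain are chosen freely by whoever owns that domain, which is why `msn.msnbc.` at the front of the host says nothing about who operates the site.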

#3 Shihmin


Posted 26 December 2012 - 09:15 PM

Thanks for the detailed description of this issue. I was worried about a virus embedded in my PC waiting for another attack in the future. My case is a little bit different, as the spam emails were sent out two hours after I logged off (I might have shut down my PC as well). I only learned about this in the morning when I found lots of failure delivery notices. So I suspect that this site did manage to copy the session cookie information and was able to play it back at a later time.
I did change my Yahoo password after I completed the full anti-virus scan. I hope this will be the end of this nightmare.



