4

I got an email (referring to me by name) from somebody I knew a while ago and the email itself was just two/three lines containing a bit-ly link. Although it seemed like it actually could be legitimate I didn't click the link but copied and pasted it into my browser in a new tab. It took me to a fake MSNBC site with a stupid article without getting any warnings from my Kaspersky suite. So I deleted the email.

Then eight hours later, I see that similar emails were sent from my email account to everyone on my contact list. These email were actually in my sent folder and people had replied back.

I don't think my (yahoo) account was actually hijacked because I could still log-in and of course ASAP I upped all security options and changed to a much harder password. Now several day later, I haven't seen any other suspicious activity on my account. Everything seems normal again.

My questions is how did this work? Was the fake MSNBC page doing something like running a script? But then how did it get into my yahoo contact list and read off all of the addresses and first names and composed emails and sent them out?

EDIT #1: And just to add, I also checked recent activity log at yahoo, as soon as I discovered the attack and the times and places it showed are all consistent with my usage, like I was logged in at the time and it shows my physical location too. I have an antivirus/firewall solution which is continuously updated. I have a wireless router with fairly strong security settings on it (not using the defaults or anything), with (medium strength) wireless password, MAC filtering and WPA-WPA2 encryption.

EDIT #2: Here is the bitly link http://bit.ly/VVqekC.

Update: The bitly-link was disabled. The website, which hosted the CSRF exploit on Yahoo Webmail, was shut down.

Edit #3: Thanks for the answers everyone. Makes sense. But I still have two questions. Is there any further danger because of this specific attack? Could any information been compromised like any of my emails in my inbox or sent folder or my old password? I did change my password and cleared everything from history/cookies/cache as soon as I found out. In addition, I have the free version which won't let you forward all incoming emails but could something like that have been setup? Second, what was the point of this attack? To what end was it? Just to make me (and everyone else I know) read an innocuous article?

Fixed Point
  • 211
  • 2
  • 7
  • 3
    Sounds like some form of XSS or CSRF hole in yahoo. – CodesInChaos Feb 02 '13 at 08:44
  • 2
    But you didn't post the email or at least the bit.ly link, so it's hard to help you. – CodesInChaos Feb 02 '13 at 09:11
  • What browser and which version are you using? – Hendrik Brummermann Feb 02 '13 at 14:37
  • I am using firefox 18.0.1 on Windows 7. – Fixed Point Feb 02 '13 at 20:15
  • 2
    Your entire Yahoo account was compromised, so yes to most of your concerns. They couldn't have enabled anything Yahoo wouldn't have let you enable, so I guess forwarding is not a problem. Changing your password _should_ have cut off any future use of the stolen login cookie (Yahoo would have to be even more backwards to neglect that). The news articles don't suggest what the objective was. It _sounds_ like a relatively short term attack... one of the answers suggests the harvested contact addresses would also be used for future spam, so maybe that's what they were after. – sourcejedi Feb 03 '13 at 10:24

2 Answers2

8

The fake MSNBC page probably contained a Cross-Site Request Forgery (CSRF) attack on the Yahoo webmail.

These attacks exploit web application functions that don't check for user's identity in a proper way, but blindly trust the session cookies. Therefore, if you were logged into Yahoo mail at the time of the attack, the web application had no way of telling whether your requests were legitimate or not, as your browser automatically sends the proper cookies to Yahoo.

You are not noticing anything strange with Yahoo's activity logs because the browser who actually sent those e-mails is yours and the attacker never gained full control of your account (but just of the vulnerable features).

I have an antivirus/firewall solution which is continuously updated. I have a wireless router with fairly strong security settings on it (not using the defaults or anything), with (medium strength) wireless password, MAC filtering and WPA-WPA2 encryption.

While these security solutions are all fine, they won't protect you from CSRF (or similar web-based attacks). The best defense mechanism in this case is using a script-blocker addon (e.g. NoScript) and only allow trusted domains to execute code.

My final suggestion is to always logout of critical web applications (e.g. home banking) after the use in order to minimize the chances of getting CSRFed and to report the malicious link to Yahoo, hoping they will fix the vulnerabilities.

Gurzo
  • 1,117
  • 6
  • 18
3

http://www.theregister.co.uk/2013/02/01/yahoo_webmail_hijacks/print.html

The JavaScript exploits an old WordPress blog security hole in developer.yahoo.com to lift the user's mail.yahoo.com cookie. Using this harvested information, crooks can masquerade as the victim to send spam or pinch contacts’ e-mail addresses.

http://arstechnica.com/security/2013/01/how-yahoo-allowed-hackers-to-hijack-my-neighbors-e-mail-account/

The vulnerability that WordPress patched last April was known as a reflected cross-site scripting bug...

Although it's not due to browser bugs per se, this type of attack can sometimes be detected and prevented by heuristics in the browser. E.g. NoScript in Firefox (even with javascript enabled for all sites). I know IE and Chrome also have filters for reflected xss. Effectiveness may vary between different filter implementations.

...If Bitdefender researchers are correct in saying the campaign targeting Yahoo accounts began roughly a month ago, and that the hack worked because administrators didn't apply a patch released more than eight months ago, this is a serious misstep on the part of Yahoo admins. Add to that Yahoo's failure to warn its users once the attacks became public and its PR department's failure to reply to my e-mail inquiries and it's even harder to excuse what's happened here. What's more, a report released Tuesday by security firm Imperva details a separate SQL injection attack that last month gave hackers control over Yahoo servers, suggesting that such problems are systemic.

Given the huge financial and competitive strains the company faces, an about-face doesn't look likely anytime soon. That's why I suggested my neighbor switch to Gmail. Google's service is by no means perfect, but it has been the undisputed leader in Web mail security. It was the first to offer always-on HTTPS protection that encrypts mail sessions from start to finish, and it employs world-class security experts

sourcejedi
  • 609
  • 4
  • 14
  • 2
    Not to argue with you (since that's just a quote) but you're usually sacrificing quite a bit of privacy when you go with GMail (unless you want to jump through a few loops when you're browsing after every time you check your e-mail). The advantage of Yahoo is that it's too small to have the widespread ad networks and social plugins that google has in just about every website. So with Yahoo, your e-mail address is less likely to be associated with your DART cookie (I'm not saying that that necessarily happens, but think about it...) – KnightOfNi Apr 04 '14 at 02:58