I was yesterday informed by some friends that they received spam mails with my name as sender. The sender addresses look like firstnamelastname@spacepc.pt and firstnamelastname@revistaplot.com with the subject line "from: Firstname Lastname" and the mail containing only a link and my name as signature (and one mail also stated "Sent from my iPhone").

It seems like the mails are not sent from my Yahoo mail (as the sender is not Yahoo and they are not in my sent mails folder), but the list of people receiving these mails has to come from my Yahoo account as I only have mailed with them from Yahoo! Note: they are not from my contact list! It looks to me that the addresses come from my sent mail folder as one receiver is listed twice, once with the correct mail and once with a typo I made when typing the address some months ago. The list has to be extracted between April/May and yesterday which I can say for sure because of some of the recipients which I did not mail with before that time.

I have changed the password and security questions asap and checked also the alternate email address, cell phone, website connections and account activity but could not see anything fishy. The account activity goes back to 8th of July and there was nothing I could not explain.

Some questions:

  1. I read about this XSS hack from 2012/2013 but thought the hole was closed. Is it still open?

  2. The last couple of weeks I almost only used my iPhone for online activity. Could it be that there is some virus/malware on the phone? I only downloaded apps from the official Apple store!

  3. Is it enough to change the password and security questions or should I take some further steps?

    Note: my password was strong with both upper and lower case, numbers and special characters and was changed 6 months ago. Only mistake: I used the same password on a couple of other (trusted) sites.

  4. How could this happen? I am nearly paranoid when it comes to security and I did not click on any link in any email (I even cannot recall receiving some strange mails lately).

EDIT: Found this article today: "Hackers exploit flash vulnerability in Yahoo Ads"

Even though the article does not say a word about this kind of attack I was exposed to, this might be an explanation! I swear that I did not surf around on shady pages :)

Next question: how can I make sure that my PC is clean? When the attack was run I was using my Win7 laptop (even though the mails were sent while I was offline). I am now writing from my Linux comp as I do not dare to turn on the Win7.

user1204121
  • Do you have those 2 mail addresses in your smartphone's address book? – ott-- Jul 31 '15 at 12:50
  • @ott-- You mean those two that were sender addresses? Nope, they use my firstname and lastname and I don't know those providers at all. – user1204121 Jul 31 '15 at 13:22
  • Is your name really unique in the world? – ott-- Jul 31 '15 at 13:27
  • @ott-- No of course not. But as I said, I don't have those addresses in my address book. – user1204121 Jul 31 '15 at 13:29
  • @ott-- What were you trying to tell me by asking this question? Anything I did not understand? – user1204121 Jul 31 '15 at 13:49
  • A spy app could have extracted it from your address book and sent it to the spammer. – ott-- Jul 31 '15 at 14:02
  • Ok I see. But not the case as these mails are not in my address book. It seems to me that the spammer opened these accounts to send mails that should look like coming from me. – user1204121 Jul 31 '15 at 19:43
  • For what it's worth, I had a similar thing happen to me, and my Yahoo password was unique. No sign of anyone actually using the account, the emails didn't come from me, but clearly accessing information from the account. The most likely causes, imo, are: (1) CSRF making use of my Yahoo session, (2) data breach at Yahoo or a third-party that they sent mail content to. Cure for #1 is to log out of your Yahoo session after every use, for #2 don't use Yahoo. – kdgregory Aug 01 '15 at 11:24
  • `they are not from my contact list! It looks to me that the addresses come from my sent mail folder as one receiver is listed twice, once with the correct mail and once with a typo I made when typing the address some months ago.` - how do you know the typo'd email address received something as a typo'd address wouldn't be able to get the spam mail? – SilverlightFox Aug 03 '15 at 11:23
  • @SilverlightFox Because some friends forwarded the mails to me and I could see that both addresses were in the recipient list. The mails were sent to app. 10 addresses at a time. In addition my address book is empty as I simply do not use it. – user1204121 Aug 03 '15 at 19:21
  • @kdgregory Thanks! Were you fine after changing the password? – user1204121 Aug 03 '15 at 19:22

2 Answers

I used the same password on a couple of other (trusted) sites.

Maybe you do not want to reuse the same password for important sites, like email.

See also this Dropbox story. And XKCD at the bottom of the answer.

Email can be easily forged. If one of your friends let you look at the mails "from you", there are certain headers that should indicate whether the mail was really sent by Yahoo or not. Have a look at why-is-it-even-possible-to-forge-sender-header-in-e-mail.

For the rest of your questions:

  1. I read about this XSS hack from 2012/2013 but thought the hole was closed. Is it still open?

Very unlikely that they keep an exploit from 2012/2013 open until today. There are ways to mitigate XSS attacks. In case you use Firefox on your main PC, have a look at noscript. (as mentioned in the answer to the question you probably meant)

  2. The last couple of weeks I almost only used my iPhone for online activity. Could it be that there is some virus/malware on the phone? I only downloaded apps from the official Apple store!

While Apple offers some tight control over what they accept as apps, there are exploits from time to time. Hard to tell from a distance. The shared password seems a more likely attack vector.

  3. Is it enough to change the password and security questions or should I take some further steps?

Using a separate password is a very good step. Depending on your level of paranoia, 2-factor-authentication might be a way to go. Do seriously consider noscript.

xkcd on password reuse

serv-inc
  • I know I know... won't happen again. But as I said it were trusted sites like LinkedIn. I don't think that they improve their income by selling passwords :-) – user1204121 Jul 31 '15 at 13:20
  • Thanks for your good explanation! I have now turned two-step verification on. I can easily see why it is a bad idea to have the same password for LinkedIn and my mail but I don't believe this is the culprit as this would imply that LinkedIn got hacked. My best guess is a "drive-by attack" on some infected website. One thing I don't understand though is why the spammer did not send the mails from my address but opened other accounts in my name. Makes no sense to me... – user1204121 Jul 31 '15 at 19:48
  • @user1204121: Yes, a 'drive-by-attack' is well possible, too. Maybe the attacker only had exploit code to read your address book, thus could do only that. – serv-inc Aug 01 '15 at 15:02
  • This might be the culprit! http://bits.blogs.nytimes.com/2015/08/03/hackers-exploit-flash-vulnerability-in-yahoo-ads/ I also received two of the same mails from some other persons two days ago. Found them in my spam folder today. – user1204121 Aug 04 '15 at 20:06
It seems like the spammers are using a mail server, or perhaps more simply PHP's sendmail function; this has the ability to send an email whilst appearing to be anyone from any specified address.

Mostly emails sent with this technique can be caught out by looking at the 'Sent By' field in many email clients.

Some email clients include security, to check if the email address and the mailed-by field are on the same domain; if not, these emails are mostly marked as spam.

However it could equally be a security hole in Yahoo's mail servers, and there have been reports of users having the same experience that you are having:

While some holders of compromised accounts say that they clicked on an infected link—a fake MSNBC page, apparently—many claim that the first they knew of being hacked was when people in their contacts lists said they had received dodgy emails from them.

As you've already changed your password, there's nothing more you can do here, other than closing your Yahoo account. You're most likely in the clear for now, it's quite likely that a hacker simply guessed your password, and made a script to send some dodgy emails & delete any evidence of the activity on your account (e.g., deleting the 'sent' email, etc.).

AStopher
  • Thanks! I doubt that the mails were sent from my account as I otherwise would have received a lot of out-of-office mails etc. but the recipient list has to come from my account. Hard to imagine that the password was guessed as it was quite secure. – user1204121 Jul 31 '15 at 10:22
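A header alignment check in the spirit of both answers above (the headers that reveal whether Yahoo really sent the mail, and the comparison of the From: address with the "mailed-by" domain), written as an added example that is not part of any answer in this thread; the two raw messages and the example.com/example.net domains are constructed for illustration, not taken from the spam described.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: From: claims example.com, but the envelope sender and the
# relay that handed the message to the recipient's MX belong to example.net.
SPOOFED_RAW = """\
Return-Path: <bounce@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org with ESMTP id abc123
From: Firstname Lastname <firstname.lastname@example.com>
Subject: from: Firstname Lastname

http://example.net/link
"""

# Constructed sample: same From:, but envelope, relay and DKIM signer all agree.
ALIGNED_RAW = """\
Return-Path: <firstname.lastname@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.20])
    by mx.example.org with ESMTP id def456
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:subject;
    bh=placeholder; b=placeholder
From: Firstname Lastname <firstname.lastname@example.com>
"""

def _domain(addr):
    # Lower-cased domain part of an address header value, or None if absent.
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower() or None

def sender_alignment(raw):
    # Compare the claimed From: domain with the envelope sender (Return-Path),
    # the delivering relay (top Received: "from" host) and the DKIM d= domain.
    msg = message_from_string(raw, policy=policy.default)
    from_dom = _domain(msg["From"])
    env_dom = _domain(msg["Return-Path"])
    hops = msg.get_all("Received") or []
    m = re.search(r"from\s+([\w.-]+)", str(hops[0])) if hops else None
    relay = m.group(1).lower() if m else None
    d = re.search(r"\bd=([\w.-]+)", str(msg["DKIM-Signature"] or ""))
    dkim_dom = d.group(1).lower() if d else None

    def same(host):  # host equals the From: domain or is a subdomain of it
        return bool(from_dom and host) and (host == from_dom or host.endswith("." + from_dom))

    env_ok, relay_ok = same(env_dom), same(relay)
    dkim_ok = same(dkim_dom) if dkim_dom else None
    # Forwarders and lists legitimately rewrite the envelope, so an aligned DKIM
    # signer is accepted on its own; otherwise envelope and relay must both align.
    suspicious = not (dkim_ok or (env_ok and relay_ok))
    return {"from_domain": from_dom, "envelope_domain": env_dom, "relay_host": relay,
            "dkim_domain": dkim_dom, "envelope_aligned": env_ok,
            "relay_aligned": relay_ok, "dkim_aligned": dkim_ok, "suspicious": suspicious}
```

The check only reads headers; it does not verify the DKIM signature itself, so a real mail filter would still have to validate the signature before trusting the d= domain.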