3 min read

Yahoo Accounts Hijacked via XSS-Type Attack

Loredana BOTEZATU

January 30, 2013

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Yahoo Accounts Hijacked via XSS-Type Attack

Popular webmail provider Yahoo has been slammed with a new e-mail-based attack that seizes control of victims’ accounts. Bitdefender Labs discovered the ongoing campaign today and are once again warning users about the dangers of clicking spammy links.

The account hijacking begins with a spam message with a short link to an apparently harmless session of the reliable news channel MSNBC (hxxp://www.msnbc.msn.com-im9.net[removed]).

A closer look at the real link reveals that the true domain is not part of MSNBC, but a crafty domain composed of subdomains at hxxp://com-im9.net.

The domain was registered in Ukraine on Jan 27 and is hosted in a data center in Nicosia, Cyprus. This page contains a piece of malicious JavaScript, disguised as the popular Lightbox library that will perform the attack in stage 2.

Before we proceed, let’s see what cookie theft is all about: security on the web is based on what we call the same-origin policy, a complex mechanism that won’t allow Site A to access resources of Site B, such as cookies. Cookies are small snippets of text created when the user logs into a system, and they are used to (among other things) remember that the account holder has already passed the authentication once. Otherwise, the user will have to log in whenever they read another e-mail or when they navigate from one page to another. So, in this context, it is obvious that a piece of code running on Site A can’t steal a cookie set by Site B. However, a subdomain of Site B can access the resources of Site B, and this is what the attackers did.

The second stage of the attack is focused on the Yahoo Developers Blog (developers.yahoo.com), which conveniently uses a buggy version of WordPress . More to the point, they exploit the SWF Uploader of the WordPress platform at http://developer.yahoo.com/blogs/ydn/wp-includes/js/swfupload/swfupload.swf. It has a security flaw known as CVE-2012-3414 (by the way, it has been patched since WordPress version 3.3.2).

Since it is located on a sub-domain of the yahoo.com website, all the attackers need to do is trigger the bug and pass a command that steals the Yahoo cookie (with the login data, for instance), and then send it “home”.

At this point, miscreants have full access to the victim’s contact list until the current session expires or the user logs out. Crooks will either spam the contacts in the stolen lists (which may include friends, family, business contacts, professors) or use these contacts to send spam e-mails and/or malware in the name of the crook.

Why is your account important for crooks?

If you are asking yourselves why crooks take an interest in your e-mail accounts and harvest the e-mail addresses of your friends, the answer is simple. To send more spam on your behalf.

Miscreants cannot register accounts automatically on webmail providers such as Yahoo, Google, Hotmail and the like because registrants need to fill in CAPTCHA. It takes time, and real people, to type the signs in. That, in turn, costs money. Stealing active accounts is a cost-effective way for an operator to automate attacks and, at the same time, allows them to read your contacts and get more victims.

What’s to be done?

Log out from your e-mail accounts every time you’re done reading or writing your e-mails.

Never click on links in spam e-mails.

Keep your antivirus and software updated.

Attack description provided by malware researchers Razvan Benchea and Octavian Minea.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

tags


Author



Right now

Top posts

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

August 30, 2022

2 min read
What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read
Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

July 07, 2022

5 min read
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

June 28, 2022

2 min read
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

June 28, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Prison for ex-eBay staff who aggressively cyberstalked company's critics with Craigslist sex party ads and funeral wreaths Prison for ex-eBay staff who aggressively cyberstalked company's critics with Craigslist sex party ads and funeral wreaths
Graham CLULEY

September 30, 2022

2 min read
Honolulu Man Sabotaged Former Employer’s Network and Business Using Still-Active Credentials Honolulu Man Sabotaged Former Employer’s Network and Business Using Still-Active Credentials
Silviu STAHIE

September 30, 2022

1 min read
North Korean Gang Uses Compromised Open Source Software to Distribute Malware, Researchers Find North Korean Gang Uses Compromised Open Source Software to Distribute Malware, Researchers Find
Silviu STAHIE

September 30, 2022

1 min read