Unpatched Wordpress Instance on Yahoo Blog Leads to Cookie Theft
A spam wave that has been circulating for roughly a month is stealing Yahoo login credentials by exploiting an old – yet unpatched – vulnerability in a component of the Yahoo Developers blog.
The spam message features a bit.ly shortened URL that takes the user to a web page impersonating the popular MSNBC page, but which turns out to be located on a series of subdomains on hxxp://com-im9.net.
Whois information for the domain reveals it was bought in Ukraine and hosted in a data center in Nicosia, Cyprus.
Since the exploitable component is located on a sub-domain of the target website, the same-origin policy does not prevent the exploit code access to cookies, which are subsequently sent to the attacker. Once they have the log-in cookie, they can authenticate into the victim’s account and send spam or harvest contacts’ e-mail addresses for other spam campaigns. We believe this is the account recruitment stage of the operation and we expect the next wave of messages to feature links to malware.
Bitdefender is currently blocking access to the malicious pages used in the cookie-harvesting campaign. We have also notified Yahoo about the incident and provided the proof-of-concept documentation.
Attack description provided by malware researchers Răzvan Benchea and Octavian Minea.
UPDATED: We have confirmed that his attack does not work on Yahoo.co.jp. The .jp Developer blog seems to be powered by a different blogging platform, which is not vulnerable to the CVE we mentioned in the article, so the attackers won’t have what to bounce their code off of in order to execute code in the context of the Yahoo.co.jp site.
Vulnerabilities Identified in Wyze Cam IoT Device
March 29, 2022
New FluBot and TeaBot Global Malware Campaigns Discovered
January 26, 2022
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately
December 10, 2021
Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand
November 08, 2021
Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware
September 16, 2021
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
July 21, 2021