“Help, my Yahoo! email is sending out spam!”
My client had been hacked and their Yahoo! email account had sent out spam email messages to everyone in their Contact List. I investigated.
Update: January 17, 2013. Looks like this problem is a cross site scripting exploit that steals your Yahoo! login cookie to do its dirty work as discussed on these sites –
My client first realized that something was wrong when their inbox contained 3 emails with the subject “Failure Notice.” The sent mail folder contained 13 sent messages, each to a single person in the client’s Contacts List that my client did not send. Each email was an obvious spam email with a subject like “hi” and containing the single sentence “take a look, see what you think http://bit.ly/UN7Atp”
I advised my client to immediately change their Yahoo! password for the account then shut down their PC and give it to me for analysis.
I interviewed my client about any activity leading up to the incident and we reviewed the Yahoo! account’s settings. My client admitted to receiving a suspicious email from a person that they knew and out of curiosity clicked the link in the message. The link took them to an Internet web page that appeared to be nbcnews.com. The page was touting a work from home scheme that could net $5,000 a month. Realizing it was a scam, my client closed the web page.
Here is the email that started the problem –
Note personal info is blocked out on the screens shown here.
This email was from a person that my client knew so the From name was valid. The Subject “___ hi!” contained my client’s first name. Although my client knew not to click links in suspicious emails, my client was fooled by the link’s appearance. Note that the link was crafted to appear to be from “msn.msnbc.com” which seems like a valid web address for a well known news media company.
The link takes one to this web site:
The web site at first appearance is NBCNEWS.com with a story about a work from home scheme that can net over $5,000 per month. Two things about this web page appear bogus – first the URL reveals that the page is hosted at the domain “com-careers-9.net” and second is this is not the type of story that a reputable news media site would carry.
Visiting whois.com reveals that the domain “com-careers-9.net” is owned by a company in Shanghai China and the DNS name servers are in Russia.
This is suspect for two reasons: first an American company isn’t likely to use Chinese and Russian hosting services and second China and Russia are known to be source of scams and malware.
Next we look at one of the Failure Notice emails in the inbox. Here is the email header –
The two most interesting items I have boxed in red. First, the email was sent from IP 126.96.36.199. Using an IP location website (infosniper.net) reveals that this IP is in Russia and owned by Megafon.
Megafon is the second largest mobile phone company in Russia. Second, the Message-ID contains “androidMobile” which suggests that the spam originated from a “Yahoo! mail for Android application on Android,” see http://www.forensicswiki.org/wiki/Yahoo!_Mail_Header_Format
My client’s Yahoo! email sent folder contains 13 spam email messages sent in a period of about 3 minutes –
Spam emails were sent individually to all people in my client’s Contacts List. The subject line varied, often contained the recipient’s name. The body always contained the same text and link: “take a look, see what you think http://bit.ly/UN7Atp”
My client is using Windows 7 64-bit with all recent updates applied. IE 9.0 was used to open Yahoo! mail and the suspect web site. IE contains all the usual add-ons including Java. Microsoft Security Essentials is installed and running.
All the Yahoo! account settings were reviewed and there is no evidence that any were changed. My client changed the “password-reset info.”
Yahoo! mail keeps a record of “Recent Login Activity” and all listed activity was from “CA, US” and the IP of the client.
The computer was scanned for malware (ie key loggers) with the following anti-malware programs and none was found –
- Microsoft Windows Defender Offline Full
- Malwarebytes Full in safe mode
- SuperAntiSpyware Full in safe mode
Yahoo! help has a page for Top abuse and spam articles for your Yahoo! Account.
Other people have experienced the same issue –
This issue has been going on for a while, maybe since July 2012. Note early reports of the cause have been debated.
Here is a good description of the hack by “Laughing Bird” suggesting a cross site scripting exploit: http://www.bleepingcomputer.com/forums/topic479022.html
My theory on how this happened is this – The Yahoo! account credentials (username/password or cookie) were stolen by visiting the suspect web site – by a known flaw or zero day flaw in IE or Java or other software or a drive by malware infection. The account info was harvested by the web page hosted in Russia and this information was used to impersonate the true account owner and send out the spam messages. Since the spam messages originated from Megafon in Russia, it could have been a computer using Megafon as an ISP or a computer tethered to a mobile phone using Megafon or an Android device. Yahoo! Mail Web Service has a Web API that can send mail so a computer program could have been used. Odd that the login did not show in Yahoo! accounts recent activity. Possibly a human sent the spam emails with the stolen credentials but I doubt it. Possibly the Android app Yahoo! mail was used (it is implicated in the email header) or exploited but this may just be a red herring.
The spammers now have the the victim’s Contact List info so more spam could be sent.
This security problem needs to get fixed.
The take away is don’t click on email links that you don’t trust. But you knew that.
Stay safe out there.
Let me know your thoughts.