Widespread Compromise Of Yahoo-Backed Email In New Zealand

First time accepted submitter Bitsy Boffin writes "Xtra, the largest ISP in New Zealand, which outsources email provision to Yahoo, has in the last two days been subject to a widespread email compromise, causing potentially thousands of accounts to send spam messages to every address in their webmail address books. Discussion at Geekzone centers around this potentially being a continuation of the Yahoo XSS exploit. While Telecom NZ, the owners of Xtra internet service provider indicate that the problem was "resolved", reports of spam from its members continue unabated. Telecom NZ are advising those affected to change their passwords."

I have a question for you -

Do you Yahoo? Wow I can see from that slogan why Yahoo never became google.

bellsouth.net accounts too

I have a bellsouth.net dsl account email address and I have seen spam originating from my own account sent to all addresses in my contact list. Something majorly borked at yahoo.

Re:bellsouth.net accounts too

[illumnatLA]

I have been getting a *ton* of spam emails the past couple of days from some of the following domains which appear to be handled through Yahoo...

• .
• bellsouth.net
• swbell.net
• att.net
• snet.net
• sbcglobal.net
• ameritech.net

It's basically a random message with a URL attached... many of them .ru domains. They're being sent to the .mac account that I've had since whenever it was .mac was originally started. There were a one or two initially starting back around Wednesday and it's become about 10 a day the past couple of days. All from different email addresses from the domains listed above.

Re:bellsouth.net accounts too

[hairyfeet]

You went to a site like Redtube or XHamster and watched a porn video didn't you? Frankly this bug has been going on for awhile, it seems to be an "on again off again" kind of cat and mouse game between the guys writing the bug and yahoo. I wrote in my journal nearly a year ago about the "Yahoo porn bug" and how it would send spam from the entire address book (including to the person who hit the bug so they always end up with spam from themselves) and it sounds like the NZ folks are running into it now just by clicking a link in their email.

In any case it sounds like the same bug I have been seeing folks get off and on for nearly a year just ramped up. Maybe the porn bug was an early test?

Re:bellsouth.net accounts too

[Redmancometh]

I would venture a guess at russian business network mass scananning + java/flash drivebys.

Re:bellsouth.net accounts too

[hairyfeet]

Not with the Yahoo porn bug as I took one of the spare boxes at the shop and decided to do a little test to see how it basically worked.

What it did was hide in the ads or in the page itself, as I saw it keep happening even if ABP was installed and it called a hidden iFrame that would load the yahoo login page and if the person didn't have a master password set that would have to be input to unlock the password auto fill (which most folks don't) it would use the auto fill to log in to the person's yahoo page and send spam through the entire address book. I even uninstalled Flash to see if its a Flash bug (I don't install Java on any systems) and it still works just fine without Flash as its in the pages themselves.

It was and is actually a pretty smart little trick. they aren't sending any data to themselves directly as the messages are just a single hyperlink so its hard for many AVs to catch it, auto fill is something everyone takes for granted with modern browsers so nearly everybody will have it, its a smart little hack. I know the only way I was able to make my users immune was to switch them from FF to Comodo Dragon because dragon like the other Chromium based runs in low rights mode in Win 7 which seems to kill their ability to call the hidden iFrame. For those on XP I had to give them a separate browser from what they used daily that is used for porn and ONLY porn so it has no yahoo mail addresses to call.

Re:bellsouth.net accounts too

[TranquilVoid]

Interesting and quite clever, however both my sister-in-law and wife suffered from this in the past two weeks. I checked my wife's Yahoo login history and at the time of the spam there was a login from another country (Japan). Were this a hidden frame login I'd expect it to appear local.

Re:bellsouth.net accounts too

[hairyfeet]

Its probably a variation, one thing we have learned from the exploit kits and the like is if they figure out something that works suddenly it will be used in a bazillion different ways, like some flu bug it mutates like crazy.

Re:DID NOT NO DINOS HAD YAHOO !!

[viperidaenz]

We only have one dinosaur here.

remember!

Remember, the original concept of the internet as a peer to peer network was a bad idea. Centralizing to just a handful of services is a good idea, and we should all use the cloud for everything, because that has no drawbacks.

Re:remember!

[DKlineburg]

I see what you did there. I don't have mod points here though.

Re:remember!

[thenendo]

Of course, decentralization has its own drawbacks. Remember when SMTP servers would happily forward mail on behalf of any connecting client?

Related to huge spike of spam?

[Smurf]

I wonder if it's a coincidence that in the last three or four days I started to receive a lot more spam to my Yahoo mail address. By "a lot more" I mean three or four times more than what I was receiving a week ago each day.

I don't have any relation with anyone in New Zealand, so my guess is that it's indeed just a coincidence. But still the timing makes me wonder.

Re:Related to huge spike of spam?

[viperidaenz]

or the New Zealand Yahoo is not the only one compromised, just the only one to admit it.

Re:Related to huge spike of spam?

[bill_mcgonigle]

or the New Zealand Yahoo is not the only one compromised, just the only one to admit it.

Two of my friends on Facebook were talking about spam originating from their Yahoo! accounts yesterday and I received a spam from a third (or, I should say one made it through my spam filter). None of them have any ties to New Zealand, as far as I know.

Re:Related to huge spike of spam?

[DKlineburg]

Once in the yahoo proverbial back door, I wouldn't be surprised if they got more. I don't know what yahoo's architecture is like though.

Re:Related to huge spike of spam?

[TheGratefulNet]

> Once in the yahoo proverbial back door, I wouldn't be surprised if they got more. I don't know what yahoo's architecture is like though.

sounds, to me, like you work there.

Re:Related to huge spike of spam?

[hawguy]

or the New Zealand Yahoo is not the only one compromised, just the only one to admit it.

Two of my friends on Facebook were talking about spam originating from their Yahoo! accounts yesterday and I received a spam from a third (or, I should say one made it through my spam filter). None of them have any ties to New Zealand, as far as I know.

My Yahoo account was hacked a month or so ago - I had a 12 character password including mixed case (in non-obvious places), digits and a special symbol, so i don't think the password was brute forced... I think they have a bigger problem than they have admitted.

Re:Related to huge spike of spam?

[pepty]

They didn't get your password, a service Yahoo set up for developers conveniently allows hackers to get your session cookie. For whatever reason, they haven't patched it.

Re:Related to huge spike of spam?

[daver!west!fmc]

Yeah, something like that. This was going on months ago with pacbell.net/sbcglobal.net/att.net/yahoo.com addresses, a little before that with yahoo.de addresses and has been recurring as the spammers discover another XSS exploit in Yahoo's amazing web pile. "The Yahoo XSS exploit" really understates the case. I think Yahoo fixes them, but they've got a lot of code to churn through and I doubt anyone really knows what all is in there.

The one I looked at was an e-mail with one-line body urging me to check out a link that appeared to be a news page about some work-at-home thing. What wasn't obvious was the little iframe sourced from something in kr.yahoo.com; that got some JavaScript injected into it to capture cookies and send 'em to some other server, which I presume captured the Yahoo Mail session cookie and permitted the spammers to use it to trawl another lucky winner's contacts and/or inbox and send folks more of the same.

Re:Related to huge spike of spam?

[DeathByLlama]

I think it's much more likely that this problem exists for more than just New Zealand's yahoo servers. A couple years back I deleted my rarely-used Yahoo account because I got a hacked email sent to my common email address from it (as did others in my address book). I hadn't been logged in for quite some time, and I had a very secure password. Whatever the security flaw was, I really don't think it was at the user end (I consider myself to be pretty adept at computer security), and I didn't want any part of it.

It was obviously really

Sophia was in the barn the whole time. I cried when she came out and Rick had to shoot her.

Re:DID NOT NO DINOS HAD YAHOO !!

[LordLucless]

Lucky you; we've got 226 over here.

Xtra hasn't existed for years

Telecom NZ phased out the xtra branding many years ago...it only lives in email addresses....hence why it's referred to in this story I guess :)

Re:Xtra hasn't existed for years

[Bitsy+Boffin]

Heh, I think it could probably be said they unsuccessfully phased it out years ago. Most people around here when you say Telecom Broadband would say "oh you mean xtra" :-)

Spoofing sender e-mail address

[manu0601]

A Yahoo customer is reported by TFA saying

The spam from my own address must be generated on the telecom/yahoo server as there is no other way it can happen

It is shockingly easy to spoof sender e-mail address. I do not expect any Yahoo user to know it, but the journalist that quoted this person should know that, and mitigate this claim of Yahoo server breach

Re:Spoofing sender e-mail address

[Bitsy+Boffin]

The headers of all these SPAM messages indicate traversal from the Yahoo SMTP servers, and the SPAM were targetted specifically at people in the victim's address book. It wasn't a simple Joe Job.

Re:Spoofing sender e-mail address

[manu0601]

Sure, but the customer quoted in the article just talks about sender e-mail address.

Re:Spoofing sender e-mail address

[whoever57]

I have personally seen too many SPAM emails that were sent using compromised Yahoo accounts, and yes -- they really were handled by Yahoo's servers (and, no, I don't have a Yahoo account -- it wasn't my account that was compromised).

Re:Spoofing sender e-mail address

[MobileC]

Not just address book.

I had mail sent to everyone in my Sent Items too, so they were trolling all the folders for addresses.

Re:Spoofing sender e-mail address

Ditto. (US user here.) Emails were sent to all my contacts and sent-items addresses last week. They were from an account I don't recall logging in to via web-email for a long time, just IMAP and POP3. And I don't recall clicking on any suspicious links. I'm no email header expert, but based on a particular IP address it looks like the email got into Yahoo's system from a verizon.net machine in Boston.

Additional Media Article, Confirms Compromise

[Bitsy+Boffin]

http://www.stuff.co.nz/technology/digital-living/8287236/Xtra-email-accounts-compromised

The company initially blamed a deluge of compromised accounts on a successful phishing attack, saying customers were tricked into clicking on scam emails, but has now acknowledged a "second attack" that was outside customers' control.

"We understand from our own technical investigations that the security of some YahooXtra email customer accounts may have been compromised, making it possible for emails to be sent from these accounts without the customers' knowledge," the company said in a statement.

It's the XSS flaw still active

[NewtonsLaw]

I got hit by this last week and blogged about it, griping that surely a company with the resources of Yahoo should be able to fix such a critical flaw faster than seems to be the case.

It would appear that Yahoo is happy to announce "fixexd" while the hackers simply exploit yet another hole in the company's shaky cloud.

Tragic.

Would Google be so lax in sorting out what is clearly a very critical issue that is affecting a large (and rapidly growing) number of users?

Re:It's the XSS flaw still active

Just about the only step you can take to avoid getting hit are to log out of your YahooMail session as soon as you've finished reading/sending email and make sure you don't open any new webpages while a YahooMail session is active.

This is what I've done to take care of anything important online since about 1999. A web browser is like a big DMZ as far as I care, and should always be started with a clean state before doing anything requiring a secure environment. No saving passwords or auto-filling forms either. What a mess.

Of course you could try turning off Javascript -- but then your YahooMail account won't work anyway :-(

When did this change? I recall accessing Yahoo mail without javascript as late as 2010, but I have not used it since then.

US accounts also.

US yahoo accounts through SBC global (remember them?) are also being compromised. Changing password does not help. :( They'll just instantly reset your account by using the 'secret questions'. A friend had to call them to get the issue resolved. The tech watched the account getting reset over and over as they were trying to fix the issue... lol

Re:US accounts also.

[Shamanarchy]

A week ago, my yahoo.com account was hacked and used to send spam (phishing URLs) to every address known to my account. The key element for the hack seemed to be an initial access via the "Yahoo! Mobile" interface. Then a web browser was used to access my email. The IP address for these accesses resolved to India. I reported this to Yahoo customer support, but never heard back from them. My annoyance level is increased because I never asked or authorized for the Yahoo! Mobile interface to be enabled. Hidden many levels down is an option to disable that interface.

How did they contact yahoo?

I tried to contact yahoo about spam from their servers.

The email listed in their ARIN record doesn't work

Abuse@yahoo.com points you to some stupid website

and there's no way to contact anyone through that, or they turned it off.

The above should be a criminal offense.

More information on the SPAMMERs

[schizz69]

I have had numerous of these SPAM messages, being an IT technician for a lot of small businesses, who do, unfortunately still rely on their ISP email addresses. (I have tried and tried to get them off these). All the messages I have received so far have been redirecting to the following sequential domains: http://workathomefree1.com/ through to http://workathomefree19.com/ With the following whois information: (unsurprisingly based in India) Domain Name: WORKATHOMEFREE1.COM Registrar: TRUNKOZ TECHNOLOGIES PVT LTD. D/B/A OWNREGISTRAR.COM Referral URL: http://www.ownregistrar.com/ Name Server: NS1.FASTNSHERE.COM Name Server: NS2.FASTNSHERE.COM With the assumed false contact information Mahdi Aparicio Mahdi Aparicio (@workathomefree12.com) Rua Manuel Antunes 1149 Londrina PR,86057-120 BR Tel. +55.4348843928 I have emailed the registrar to shutdown the domains on Saturday 9.30am (NZ Time GMT +13) but not holding out much hope of them acting on it.

Here's what's been happening.

Someone's compromised account sends out email to everyone in the contact list with a link such as this in the body:

http://nelsonnobresurfboards.com/libraries/simplepie/house.htm

Clicking the link takes the recipient to a page requesting they login to AOL, Gmail, Yahoo! Mail and Windows Live, etc in order to view the link content.

Of course they are bogus login fields, instead transmitting the details to the scammer/spammer.

Almost everyone in New Zealand falls for this scam every fucking time because everyone in New Zealand is obsessed with property; Our property market crash has yet to occur. (And it's going to be big, because NZ has the most overpriced property in the OECD.)

So if Kiwis were such a bunch of drooling property worshiping fucktards, none of this shit would ever have happened.

Re:Here's what's been happening.

Don't worry, Australians are at least as bad. The only thing propping up our insanely overinflated property market is mining profits. If those ever go, you can kiss the entire Aussie economy goodbye too.

So much for FreeBSD...

China, take note.
(Whom do you think REALLY broke into the FreeBSD distro servers?)

From all over

[tuxfragbait]

Not just xtra.co.nz, but also yahoo.com, yahoo.com.au even ymail.com

The nice thing about outsourcing...

[sdnoob]

is that you have someone else to blame when things go wrong.

The bad thing about outsourcing....

when things do go wrong, there's usually more than enough blame to go around, and you look bad too anyway.

I am not surprised

The only thing that could be regarded as surprising is that this did not happen sooner. Xtra is shit and Telecom are fucking clueless. This vuln was raised last year and Telecom sat around with their heads their asses to their shoulders. But the void of clue flock to them, believing the advertorial bullshit. They are the AOL of New Zealand, only worse.

Australia too

[MichaelSmith]

I just sent this to a friend who uses Yahoo. His email was broadcasting spam late last week. He thought it was his PC but maybe not...

Nice of google to censor the demo video

[fatphil]

http://www.youtube.com/watch?v=GJsMRDyC9eY
"This video has been removed as a violation of YouTube's policy on depiction of harmful activities. "

One could repeat the very first comment about centralised services here too.