We asked the users who got in touch with us if they got such an email and clicked on the link. Reports were mixed: some said they got an email and clicked the link, some said they got the email but didn’t click, and others said they never got such an email.
Among those who did click on a link, however, there was at least one detail that the recent reports seem to corroborate: the attackers have apparently been referencing a non-existent MSNBC news report in the email. The bit.ly URL that is included (we’re not linking it here for obvious reasons) redirects to a fake MSNBC page that reportedly hijacks your Yahoo Mail account immediately if you are logged in.
Yet many insist they never got such an email or clicked on such a link: their accounts were simply hijacked out of the blue. These individuals only learned about the incident from contacts who received shady emails from them.
Below are three excerpts from what Yahoo users have been telling us about these attacks. The first one comes from a Yahoo user who is part of a larger organization:
We were hacked at the end of January. They spammed everyone in the “contact” folder and deleted all the contacts. We just had another Yahoo account hacked yesterday. Not only did it spam the entire “contact” folder, but we are unable to send out e-mails or access our “secret question” to change the password.
There was a toll-free number to call, and when we did so we spoke with people who spoke very poor English, and they asked for a one-time fee of $100 for assistance with the issue. When we refused, they hung up on us. We called the number twice; the first time we spoke with a woman and the second time we called we spoke with a man. Both times we called, when we refused the payment of $100, we were hung up on.
For reference, here’s the timeline of events up until today:
- On January 7, a lone hacker by the name of Shahin Ramezany uploaded a video to YouTube demonstrating how to compromise a Yahoo account by leveraging a DOM-based cross-site scripting (XSS) vulnerability exploitable in all major browsers. The same day, Yahoo got back to TNW with two statements, first saying it was investigating and secondly confirming it fixed the flaw.
- On January 8, researchers from Offensive Security let TNW know they had discovered that the vulnerability is still present, demonstrating a workaround showing they can still exploit the flaw in question.
- On January 11, Yahoo issued a third statement to TNW: “The cross-site scripting vulnerability that we identified on Friday was fixed the same day. We can confirm that we’ve now fixed the vulnerability on all versions of the site.”
- On January 28 and January 30, two Yahoo users contacted TNW to say their accounts had been compromised in what they believed was the same way described in our previous articles.
- On January 31, we followed up with a story regarding a known flaw in the SWF Uploader component of Yahoo’s developer blog as pointed out by Bitdefender Labs. Yahoo says it fixed this flaw and recommended affected users change their passwords.
- On February 25, February 27, March 1, and March 4 we received more emails from Yahoo users saying their accounts had been compromised.
Yahoo is the third largest email provider after Microsoft and Google. Regardless of whether the flaws haven’t been patched properly or these are new flaws, it’s simply unacceptable for Yahoo Mail users to have their accounts hijacked so easily and for Yahoo to stay passive for so long. The company needs to do more. We recommend that users minimize the financial and personal information they send via Yahoo Mail.
Source: The Next Web