Spyware, Viruses, & Security forum

Question

Yahoo email hijack - help please

by nlowin / December 19, 2012 10:45 AM PST

I received an email tonight from an old friend. It had a link in it. I clicked it. Mistake. Within a minute my Yahoo account was spamming my address book with the same link. It was not spoofing. The emails are in my sent folder. Once I saw what happened I changed my password and logged off of Yahoo. The issue seems very related to this CNET article ...

http://news.cnet.com/8301-1009_3-57554589-83/yahoo-mail-hijacking-exploit-selling-for-$700/

This article details a "cross-site scripting (XSS) vulnerability in Yahoo.com". Afterwards I ran scans using AVG and Malwarebytes. No issues found by either.

So it seems I have no malware? It was all browser based? I changed the password and scanned. Am I done? Am I safe?

Help
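The symptom described in this post (the same link going out to the whole address book within a minute, with copies left in the Sent folder) is easy to spot mechanically once you have the Sent folder as data. The following is an added example, not code from this thread or from Yahoo: it takes a constructed list of sent messages (timestamp, recipients, body), groups them by the link they carry, and flags any link that reached many distinct recipients inside a short window. The sample records and the placeholder link are constructed for the example; the field names `ts`, `to` and `body` are an assumption about how you would export the mailbox.

```python
"""Flag a mass-mailing burst in a mailbox's Sent folder.

Added example, not code from the forum thread. SAMPLE_SENT below is
constructed data; the only input assumed is a list of sent messages with
a timestamp, a recipient list and a body.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body):
    """Return the distinct URLs in a message body.

    Trailing punctuation is stripped and the URL is lower-cased so that
    copies of the same link group together.
    """
    return {u.rstrip(".,)").lower() for u in URL_RE.findall(body)}


def find_link_bursts(messages, window=timedelta(seconds=60), min_recipients=10):
    """Group sent messages by link and look for a window in which one
    link went to many distinct recipients.

    messages: iterable of dicts with 'ts' (ISO 8601 string),
              'to' (list of addresses) and 'body' (str).
    Returns one dict per suspicious link: url, recipient count, first
    and last send time of the densest window.
    """
    by_url = defaultdict(list)
    for m in messages:
        ts = datetime.fromisoformat(m["ts"])
        for url in extract_urls(m["body"]):
            by_url[url].append((ts, [a.lower() for a in m["to"]]))

    bursts = []
    for url, sends in by_url.items():
        sends.sort(key=lambda s: s[0])
        best = None
        start = 0
        for end in range(len(sends)):
            # Slide the window start forward until it fits in `window`.
            while sends[end][0] - sends[start][0] > window:
                start += 1
            rcpts = set()
            for _, to in sends[start:end + 1]:
                rcpts.update(to)
            if len(rcpts) >= min_recipients and (
                    best is None or len(rcpts) > best["recipients"]):
                best = {"url": url, "recipients": len(rcpts),
                        "first": sends[start][0], "last": sends[end][0]}
        if best:
            bursts.append(best)
    return bursts


# Constructed sample Sent folder: three ordinary messages over two days,
# then twelve copies of one link to twelve contacts within forty seconds.
SAMPLE_SENT = [
    {"ts": "2012-12-17T09:12:00", "to": ["alice@example.com"],
     "body": "Here is the article I mentioned: http://example.com/post/12"},
    {"ts": "2012-12-18T14:02:00", "to": ["bob@example.com", "carol@example.com"],
     "body": "Lunch on Friday?"},
    {"ts": "2012-12-19T08:30:00", "to": ["dave@example.com"],
     "body": "Thanks, see http://example.com/post/12 again"},
]
_BAD_LINK = "http://example.net/hijack-sample"  # constructed placeholder link
for i in range(12):
    SAMPLE_SENT.append({
        "ts": (datetime(2012, 12, 19, 22, 45, 0)
               + timedelta(seconds=3 * i)).isoformat(),
        "to": ["contact%02d@example.org" % i],
        "body": "check this out " + _BAD_LINK,
    })


def sample_report():
    """Run the burst detector over the constructed Sent folder."""
    return find_link_bursts(SAMPLE_SENT)


if __name__ == "__main__":
    for b in sample_report():
        print("burst: %s to %d recipients between %s and %s"
              % (b["url"], b["recipients"], b["first"], b["last"]))
```

The legitimate link in the sample goes to two people over two days and is never flagged; the planted link trips the detector because twelve distinct addresses received it inside one minute. The thresholds are deliberately conservative for a personal mailbox; a mail provider running the same logic server-side would tune them per account and would also key on the recipient list being the user's own address book, which is the other tell-tale sign in this post.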


All Answers

Answer
Changing your password..
by Carol~ Forum moderator / December 21, 2012 1:10 AM PST

nlowin..

As far as I'm concerned, you took the correct steps. Changing your password being the most important.

In the future, I would be extra cautious about clicking on links in emails. You don't need a XSS attack to find yourself in trouble. My intent is not to add insult to injury ... just stressing the point.

'Am I done? Am I safe?' As long as you realize, you are your computers first line of defense. More so than the security software you have installed.

Carol

Answer
HMM
by TheHunter2309 / January 2, 2013 2:40 PM PST

I don't really believe you're in trouble anymore; if you did all the steps you listed above, then you're probably safe, as far as I know. I do recommend you use Norton Internet Security; it's cheap, and the third, disputably second, best antivirus in existence.

Answer
Some computers die from this.
by Mysteryunknown / January 5, 2013 12:29 AM PST

The majority of the computers I have seen with similar issues usually have a far deeper embedded infection that mainly exists to recreate itself if removal is done; also, these cross-scripting weaknesses are in virtually every major site on the net. One linked to Google was one of the worst and destroyed the hard drive after creating a partition to remain even if a full restore was done. These also are very likely to have a logger. I mention this because you mentioned changing your password and then logging off. If a logger was installed, then they just got your new password. I do question the cross-scripting in this event, since you did click on a link; there would be no need for cross-scripting. Clicking that link was the point everything changed.

It must be understood that some of the browser redirect infections can change their name every day, so no definition can be created. Antivirus or anti-malware can usually not even find a problem with the more sophisticated malware, but activity on the PC, viewed by the user themselves, is the easiest way to detect it. If your email is shut down by Yahoo, it will be likely that the hack is still effective and sending out spam, but it can be employed to gather bank data, etc. Another indication is all of your browsers starting to redirect you to other sites. I do agree with TheHunter2309 that Norton Antivirus is better, or even Avast; Malwarebytes is fine.
Check everything, and if you need to restore to factory settings, use DVD Restore and try to delete even your restore points before attempting the restore. If you can, get the real data on the partitions from the manufacturer, and then check to see if there are any extra partitions. Use the details view of the drive, as in the graphic view it is hard to tell if there are extra partitions; they are so small.

Would love to hear how this has all turned out.

Answer
Update from original poster - more comments desired
by nlowin / January 7, 2013 8:31 AM PST

3 weeks have passed. No more visible effects. I've run scans with AVG (now uninstalled), Malwarebytes, and AVAST (still installed). Nothing found. To clarify, I changed my email password from a different PC so it couldn't be logged. That said, if I have a logger it's certainly seen my new password since. But it's also invisible to AVAST. I am also seeing lots of similar emails coming from other people. The one difference is that mine is the only example I've seen which left the sent emails in my sent folder. Thoughts?

Good Password Change
by Mysteryunknown / January 7, 2013 4:33 PM PST

I think your manner of password change was a good method, and others need to employ it. A clean report by an antivirus is almost useless, although it is good to clean out the stuff it can detect. It may help for you to review the forum run by the antivirus and even participate with this issue. Slowly, AV products are reluctantly admitting in such areas that they cannot detect all issues. They do, however, offer methods of examining your registry and re-examination with review of such logs. Many are just other users, so consider what is asked for and make sure it is a logical step.

As Carol noted, "you are your computer's best line of defense", but it sure is getting rough. I have seen several "complete restores" fail to remove some issues; of course, any other drive, including USB flash drives, can be infected as well, or CDs created after the infection date. Hope you deleted that email from inside your Yahoo account; sounds like you are aware and likely did. Am curious if you recall any parts of the link that you clicked, but don't post the full link online.

Have thought of one other thing, is your email account used in connection with any gaming site that requires lowered security settings such as shutting off pop-up blocker, lowering your cookie settings to allow more cookies from more sources, etc? These are common browser attack methods.

I do believe your issue started when you clicked that link, but am considering multiple events. If your browser has been cracked it usually causes redirects to sites you didn't want to go to. That is easy to spot.

I continue mentioning all this mainly because many current issues are far harder to deal with than what you did, but you might have just been lucky. The email from your friend must have been infected, and so I would wonder what your friend says from his end as to his email account: was it infected, and was it Yahoo too? I'm pretty sure Yahoo is using Norton Security now to scan all emails, so somehow this got through Norton if it was a real email in your Yahoo inbox.

More info
by nlowin / January 8, 2013 12:14 AM PST
In reply to: Good Password Change

I have not experienced any browser hijacking since the email hijack. I do not do any online gaming. I have not had any issues that seem attack oriented since the hijack.

If I do a restore it is a complete restore of the entire hard drive from a disk image. The image is also pretty old. It's a full day job and I'd rather not. Foolproof but very time consuming.

I also note that it seems thousands of Yahoo accounts have been hacked in the last few days. I'm getting links emailed to me from all over the world. They got a friends Yahoo ID even though she hasn't been logged on for days. Yahoo is not secure.

Thanks

FYI and FWIW
by Carol~ Forum moderator / January 8, 2013 12:21 AM PST
In reply to: More info
I saw that
by nlowin / January 8, 2013 3:33 AM PST
In reply to: FYI and FWIW

Thanks. I saw that article before I started this thread. That's how I came to the XSS conclusion. It's fixed, they say. Yet I continue to get spam from all sorts of Yahoo IDs. Yahoo seems to be a lot more compromised than they are letting on.

Do you have SSL option enabled?
by Carol~ Forum moderator / January 8, 2013 5:18 AM PST
In reply to: I saw that
Perhaps this will unfold one leaf at a time
by Mysteryunknown / January 8, 2013 10:21 AM PST
In reply to: More info

This is definitely not the browser hijacker that I was anticipating, but I would also say that there may be some downloads in the background which could be hiding; again, someone should do a full registry log review by code writers of an infected system. Looks like Yahoo has done this, but multiple forms of this attack, all linked back to a similar hacker, seem to be in the wild. Here is a link to a review from Australia and back to YouTube showing what to do (actually what not to do):
http://www.lifehacker.com.au/2013/01/new-exploit-affecting-yahoo-mail-users-dont-click-anything-suspicious/
Very interesting also is the comment there that
"The systems deployed by Yahoo7 in Australia are often slightly different to the parent Yahoo company".
Seems today that the bigger the target, the more likely it is to have an exploit dug up and abused. Diversification may be a partial answer eventually, with sites having key security points in random rotation so no script can invade a constantly changing configuration. I remember some doing that with their Windows ME, changing key addresses of the operating system so no automated script would run on their machine; of course, that was after they decided that updates were doing no good. That, and a few fallbacks to Windows 98 basic stable programs that could entwine within ME to stabilize the whole operating system. There were certain computer abilities that left many wanting to save the CPU despite hating ME, so some odd workarounds came about. But I do remember that diversity did make some of those computers very solid even under attack.
In this case, however, it may just be that Yahoo has the infections and not anyone's home computer. Or not??? As the exploit knowledge spreads there will very likely be new variants.
When mentioning the diversity above, I was kind of just kicking future ideas around, not ready for prime time, as there is the updating issue if you start renaming everything. There is a mail shield on Avast which may be of some help as long as you add Yahoo. Also see this page on Avast for help in removal of malware:
http://forum.avast.com/index.php?topic=53253.0
if you have more events. That involves some tiring work to find the issues, and much time may be spent in that work.
