moorhouselondon (United Kingdom of Great Britain and Northern Ireland) asked:

Unknown emails in Yahoo Sent Box

I have a client who looked in his Yahoo Sent box one day to find emails purportedly sent by him to his entire Contact List advertising products from a website called buynet4u.com.  I verified by looking at a bounceback that the email sending was instigated through Yahoo's mail servers, originating from IP address 60.10.215.242 which according to APNIC is likely to be in China.  Doing searches on the web, this style of breach is not an uncommon occurrence, certainly Hotmail users have suffered a similar hack.  Questions:-

(1) How was the account breached?  

(a) Remote location:  Dictionary attack: Doesn't Yahoo lockout users after so many failed attempts?  (The client's password is not a common one).  Or some insecurity in Yahoo's datastore has been exploited (remember this has happened at Hotmail too).
(b) Man in the middle:  Something like Phorm (arguably) has recorded username/password activity and it has been played back (the client has a BT broadband line).  
(c) Local client computer:  An embedded keylogger used in conjunction with either an emailer engine or remote hack into user's hard drive to fish out the logfile (this is on a Mac with Firefox used as browser btw).  The client has only ever used Yahoo on one other computer: a pc, using Internet Explorer some months prior, password settings were not remembered on that pc.


(2) Why was the account breached?

This seems like one hell of a lot of effort just to send roughly 50 emails - client has two Contact Lists and this has now happened on separate occasions to both lists (other reported incidents found on the net are also limited in scope in the same way as this).  Why didn't the attacker take full advantage of his privileged access and import a list of addresses to spam in the victim's Contact List, then send to all?  Maybe he was using his own IP address to send from and wished to stay below the radar.  If the attacker has the expertise to hack an email account, why did he not send out these emails using a zombie pc under his control?
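The bounceback check described in the question, as an added example that is not part of the original thread: it parses the Received chain of a constructed bounced message (hostnames are placeholders; the origin IP is the one quoted above) and reports the earliest hop, which is where the message entered the mail system.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain of a bounced message, modelled on the
# situation in the question. Hostnames are placeholders; the origin IP is the
# one quoted in the question.
BOUNCED_MESSAGE = """\
Received: from web12345.mail.example.invalid (web12345.mail.example.invalid [203.0.113.17])
\tby mx.contact-domain.invalid with ESMTP; Tue, 1 Sep 2009 10:01:05 +0000
Received: from [60.10.215.242] by web12345.mail.example.invalid via HTTP; Tue, 1 Sep 2009 10:01:02 +0000
From: fredbloggs@yahoo.com
To: contact@contact-domain.invalid
Subject: great deals

body
"""

IPV4 = re.compile(r"\[?\b((?:\d{1,3}\.){3}\d{1,3})\b\]?")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def trace_origin(raw):
    """Received headers are prepended by each relay, so the last one in the
    list is the earliest hop. Returns (origin_ip, first_relay_host) for that
    hop, or (None, None) when the message carries no Received headers."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    if not hops:
        return None, None
    earliest = hops[-1].replace("\n", " ")
    ip = IPV4.search(earliest)
    by = BY_HOST.search(earliest)
    return (ip.group(1) if ip else None, by.group(1) if by else None)
```

Only the hops added by servers you trust can be relied on; anything below the first trusted relay may have been forged by the sender.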


jrolmstead (United States of America) replied:

I'm not certain (someone may have to confirm this) but typically email servers don't really require any authentication to send emails from an address, only receive them. I could climb on my mail server right now and send an email to anyone from anyone I wanted.

This makes me think that if they were sent from Yahoo's mail servers with the from address specified as a valid Yahoo mail user (you could easily google @yahoo.com and find tons of them), the server may have in turn shoved it in that user's "sent" box. In reality, they may not have even needed his password to send email "from" him, but since it came from the same server that holds all of his email, the server may have stuck it in the outbox.

I haven't tested this theory, but I'm thinking it could be possible. If it is what's going on (you said there were multiple reports of this) then Yahoo needs to tighten up their security a bit and maybe disable open relaying or close other security holes that they may have.
moorhouselondon (asker):

Thank you for your response.  I did go along that very road - yes it is easily possible to create the conditions you mention#.  However, that does not explain how the Sender (who is in Chine) has managed to send to just the people in this chap's Contact list.  They would have had to have access to his account to know who was in that contact list.  

Don't let this comment put you off, I am looking for an error in my rationale, hence my posting this question.

# I have a network device which sends regular reports to my gmail account, purportedly coming from my gmail account.  Gmail is quite happy to tell me they have come from my gmail account, even though I did not send them from there.

That should be China btw.

Oh, and welcome to Experts Exchange.  I hope I can give you some points!
ASKER CERTIFIED SOLUTION by jrolmstead (members-only; the solution text is not included here)

Just another thought - really obvious - but maybe he got phished?

What I think you are suggesting is this:-

If he is fredbloggs@yahoo.com, and he has a contact list called fredslist.  If I spoof my From address to be fredbloggs@yahoo.com and send a message to fredbloggs@yahoo.com, and bcc it to fredslist, yahoo will, upon receiving that message, send out to everyone in fredslist.  Now that is worth a try!  

Yahoo should just reject it saying that it was not generated within a Yahoo authenticated session, but I have a feeling about this...

You'd have to try it and see how Yahoo goes about using those addresses. Since everyone can create the same names for lists they might have a special way of doing it. The email address for the created list could be something like fredbloggs.all@yahoo.com or fredbloggs.friends@yahoo.com... you'd have to check that out.

Another thing that comes to mind, without knowing the client, is something that happened to someone that works with me. Airports typically have wireless hot spots, so they're a common place for someone to set up a fake wifi hot spot called "Free Wireless Internet" or something similar and (as you were thinking originally) stage a MITM attack. If he accesses his accounts in public locations like that, someone might have gotten it and sold it to spammers. I'd be more worried about someone getting my bank login information than my Yahoo email account, but even the latter could be devastating depending on what business relationships (or otherwise) he may have with people in his contact list.

The client has assured me that this is not feasible, his wireless is permanently disabled at home, and he does not login to the address elsewhere.

I have sent an email to him with a link to this Q and some instructions to perform a proof of concept.  I will keep you posted...

Thanks. Best of luck.

Remember that all of the above is just theory... he might not have created a distribution list (then again he might have). Yahoo could also have an undocumented "built in" list that contains all users in a contact list that someone may have found. Such would be a gaping security hole, but it wouldn't be the first by a large company. :-)

I have tried this idea, doesn't produce the projected results.  Back to sq 1.  Looking again on google, it looks as if the most likely cause is a Javascript script which has somehow been run.  

js-yamanner
http://www.symantec.com/security_response/writeup.jsp?docid=2006-061211-4111-99

is an example of such a script, but it looks as if it has been around for some time and as a result Yahoo have long since protected against it.   It looks as if there are many more recent examples around - one which targeted gmail (which has also been patched).

http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html

Looking at the above, it's looking like good practice not to use a web-based email client.

This didn't solve the problem, but I value your effort in thinking about the possibilities, and on that basis am happy to put some points your way.

I found this today, which might be of interest:-

http://blog.cenzic.com/public/item/207752

I think this is the best explanation that I've seen.  The existence of an API which can be used without restriction to try out usernames, and then dictionary attack passwords once a username is confirmed valid:-

http://www.theregister.co.uk/2009/09/18/ongoing_yahoo_mail_attacks/
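The weakness described in the linked article, as an added illustration written for this page rather than taken from the thread or from Yahoo: a login check whose reply reveals whether a username exists, beside a hardened version that returns one uniform error and throttles repeated failures per account and per source address. The user store, password, limits and IP addresses are constructed sample values.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample user store: username -> salted SHA-256 of the password.
def _h(pw, salt="example-salt"):
    return hashlib.sha256((salt + pw).encode()).hexdigest()

USERS = {"fredbloggs": _h("correct horse")}

def login_leaky(user, pw):
    """The pattern the linked article describes: the reply itself says
    whether the username exists, so usernames can be confirmed one by one."""
    if user not in USERS:
        return "no such user"
    return "ok" if hmac.compare_digest(USERS[user], _h(pw)) else "bad password"

class HardenedLogin:
    """One uniform failure message, plus failure counting per account and
    per source address inside a sliding window (hypothetical limits)."""
    MAX_FAILURES = 5
    WINDOW = 15 * 60  # seconds

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(list)   # (kind, key) -> failure timestamps

    def _blocked(self, key):
        t = self.now()
        recent = [s for s in self.failures[key] if t - s < self.WINDOW]
        self.failures[key] = recent
        return len(recent) >= self.MAX_FAILURES

    def login(self, user, pw, src_ip):
        if self._blocked(("user", user)) or self._blocked(("ip", src_ip)):
            return "rate limited"
        # Hash and compare even for unknown users, so response time does not
        # become a username oracle either.
        stored = USERS.get(user, _h("dummy"))
        match = hmac.compare_digest(stored, _h(pw))
        if match and user in USERS:
            return "ok"
        t = self.now()
        self.failures[("user", user)].append(t)
        self.failures[("ip", src_ip)].append(t)
        return "invalid credentials"
```

The per-source limit is what stops a single origin from walking a username list; the per-account limit covers the case where the attempts are spread across many sources, which is why both are kept.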