moorhouselondon (United Kingdom) asked on

Unknown emails in Yahoo Sent Box

I have a client who looked in his Yahoo Sent box one day to find emails purportedly sent by him to his entire Contact List advertising products from a website called buynet4u.com.  I verified by looking at a bounceback that the email sending was instigated through Yahoo's mail servers, originating from IP address 60.10.215.242 which according to APNIC is likely to be in China.  Doing searches on the web, this style of breach is not an uncommon occurrence, certainly Hotmail users have suffered a similar hack.  Questions:-

(1) How was the account breached?  

(a) Remote location:  Dictionary attack: Doesn't Yahoo lockout users after so many failed attempts?  (The client's password is not a common one).  Or some insecurity in Yahoo's datastore has been exploited (remember this has happened at Hotmail too).
(b) Man in the middle:  Something like Phorm (arguably) has recorded username/password activity and it has been played back (the client has a BT broadband line).  
(c) Local client computer:  An embedded keylogger used in conjunction with either an emailer engine or remote hack into user's hard drive to fish out the logfile (this is on a Mac with Firefox used as browser btw).  The client has only ever used Yahoo on one other computer: a pc, using Internet Explorer some months prior, password settings were not remembered on that pc.


(2) Why was the account breached?

This seems like one hell of a lot of effort just to send roughly 50 emails - client has two Contact Lists and this has now happened on separate occasions to both lists (other reported incidents found on the net are also limited in scope in the same way as this).  Why didn't the attacker take full advantage of his privileged access and import a list of addresses to spam in the victim's Contact List, then send to all?  Maybe he was using his own IP address to send from and wished to stay below the radar.  If the attacker has the expertise to hack an email account, why did he not send out these emails using a zombie pc under his control?
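The check described in the question (reading a bounceback to see where the message was injected and whether it went through the provider's servers) can be done mechanically. The script below is an added example, not code from the original post or any answer: it walks the Received: chain from the newest hop downwards, skips hops written by the provider's own servers, and reports the first outside address together with how that hop was injected (a webmail session, authenticated SMTP, or a plain unauthenticated SMTP hop). The sample headers, host names and the provider network 198.51.100.0/24 are constructed for the example; the outside address is the one quoted above. Whether the injecting hop was a webmail or SMTP AUTH session, as opposed to an unauthenticated relay, is what separates "someone has the password (or a session)" from "someone merely forged the From: header".

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample headers (not from the original post). The outside address is
# the one quoted in the question; the provider hosts and networks are made up.
SAMPLE_MESSAGE = """\
Received: from mta.provider.example (mta.provider.example [198.51.100.20])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123
\tfor <someone@recipient.example>; Tue, 15 Sep 2009 10:00:02 +0000
Received: from web12345.mail.provider.example (web12345.mail.provider.example [198.51.100.45])
\tby mta.provider.example with SMTP; Tue, 15 Sep 2009 10:00:01 +0000
Received: from [60.10.215.242] by web12345.mail.provider.example via HTTP;
\tTue, 15 Sep 2009 10:00:00 GMT
From: fredbloggs@provider.example
To: someone@recipient.example
Subject: constructed sample

body
"""

# Networks belonging to the mail provider (assumed for this example).
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# The first bracketed IPv4 literal in a Received: header is the address of the
# host that handed the message to the server writing the header.
IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message: str) -> list:
    """Return the Received: headers as strings, newest hop first (message order)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [str(h) for h in msg.get_all("Received", [])]


def hop_source_ip(received: str):
    """IP of the host that delivered this hop, or None if the header has no literal."""
    m = IP_LITERAL.search(received)
    return m.group(1) if m else None


def session_kind(received: str) -> str:
    """Classify how the hop was injected from the protocol clause of the header."""
    text = received.lower()
    if re.search(r"\b(via|with)\s+https?\b", text):
        return "webmail"               # browser session on the provider's web interface
    if re.search(r"\bwith\s+esmtps?a\b", text) or "authenticated" in text:
        return "authenticated-smtp"    # SMTP AUTH, i.e. a mail client that had the password
    return "smtp"                      # unauthenticated relay or delivery hop


def originating_hop(raw_message: str, provider_nets=PROVIDER_NETS):
    """Walk the chain from the newest hop downwards. The first source IP that is not
    one of the provider's own servers is the client that injected the message.
    Anything below that hop may have been forged by the sender, so stop there."""
    for hop in received_hops(raw_message):
        ip = hop_source_ip(hop)
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback:
            continue
        if any(addr in net for net in provider_nets):
            continue
        return ip, session_kind(hop)
    return None, None


if __name__ == "__main__":
    ip, kind = originating_hop(SAMPLE_MESSAGE)
    print(f"message injected from {ip} via {kind}")
```

Only hops written by servers you trust are evidence; the script therefore stops at the first outside address rather than reading down to the bottom header, which a sender can prepend freely. The country of the resulting address is a separate lookup (APNIC/whois) and is not attempted here.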


Vulnerabilities

Last comment: moorhouselondon, 8/22/2022 (Mon)
jrolmstead

I'm not certain (someone may have to confirm this) but typically email servers don't really require any authentication to send emails from an address, only receive them. I could climb on my mail server right now and send an email to anyone from anyone I wanted.

This makes me think that if they were sent from Yahoo's mail servers with the from address specified as a valid Yahoo mail user (you could easily google @yahoo.com and find tons of them), the server may have in turn shoved it in that user's "sent" box. In reality, they may not have even needed his password to send email "from" him, but since it came from the same server that holds all of his email, the server may have stuck it in the outbox.

I haven't tested this theory, but I'm thinking it could be possible. If it is what's going on (you said there were multiple reports of this) then Yahoo needs to tighten up their security a bit and maybe disable open relaying or close other security holes that they may have.
ASKER
moorhouselondon

Thank you for your response.  I did go along that very road - yes it is easily possible to create the conditions you mention#.  However, that does not explain how the Sender (who is in Chine) has managed to send to just the people in this chap's Contact list.  They would have had to have access to his account to know who was in that contact list.  

Don't let this comment put you off, I am looking for an error in my rationale, hence my posting this question.

# I have a network device which sends regular reports to my gmail account, purportedly coming from my gmail account.  Gmail is quite happy to tell me they have come from my gmail account, even though I did not send them from there.
ASKER
moorhouselondon

That should be China btw.

Oh, and welcome to Experts Exchange.  I hope I can give you some points!
ASKER CERTIFIED SOLUTION
jrolmstead

jrolmstead

Just another thought - really obvious - but maybe he got phished?
ASKER
moorhouselondon

What I think you are suggesting is this:-

Suppose he is fredbloggs@yahoo.com, and he has a contact list called fredslist.  If I spoof my From address to be fredbloggs@yahoo.com and send a message to fredbloggs@yahoo.com, and bcc it to fredslist, yahoo will, upon receiving that message, send out to everyone in fredslist.  Now that is worth a try!  

Yahoo should just reject it saying that it was not generated within a Yahoo authenticated session, but I have a feeling about this...
jrolmstead

You'd have to try it and see how Yahoo goes about using those addresses. Since everyone can create the same names for lists they might have a special way of doing it. The email address for the created list could be something like fredbloggs.all@yahoo.com or fredbloggs.friends@yahoo.com... you'd have to check that out.

Another thing that comes to mind, without knowing the client, is something that happened to someone that works with me. Airports typically have wireless hot spots, so they're a common place for someone to set up a fake wifi hot spot called "Free Wireless Internet" or something similar and (as you were thinking originally) stage a MITM attack. If he accesses his accounts in public locations like that, someone might have gotten it and sold it to spammers. I'd be more worried about someone getting my bank login information than my Yahoo email account, but even the latter could be devastating depending on what business relationships (or otherwise) he may have with people in his contact list.
ASKER
moorhouselondon

The client has assured me that this is not feasible, his wireless is permanently disabled at home, and he does not login to the address elsewhere.

I have sent an email to him with a link to this Q and some instructions to perform a proof of concept.  I will keep you posted...
jrolmstead

Thanks. Best of luck.

Remember that all of the above is just theory... he might not have created a distribution list (then again he might have). Yahoo could also have an undocumented "built in" list that contains all users in a contact list that someone may have found. Such would be a gaping security hole, but it wouldn't be the first by a large company. :-)
ASKER
moorhouselondon

I have tried this idea, doesn't produce the projected results.  Back to sq 1.  Looking again on google, it looks as if the most likely cause is a Javascript script which has somehow been run.  

js-yamanner
http://www.symantec.com/security_response/writeup.jsp?docid=2006-061211-4111-99

is an example of such a script, but it looks as if it has been around for some time and as a result Yahoo have long since protected against it.   It looks as if there are many more recent examples around - one which targeted gmail (which has also been patched).

http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html

Looking at the above, it's looking like good practice not to use a web-based email client.
ASKER
moorhouselondon

This didn't solve the problem, but I value your effort in thinking about the possibilities, and on that basis am happy to put some points your way.
ASKER
moorhouselondon

I found this today, which might be of interest:-

http://blog.cenzic.com/public/item/207752
ASKER
moorhouselondon

I think this is the best explanation that I've seen.  The existence of an API which can be used without restriction to try out usernames, and then dictionary attack passwords once a username is confirmed valid:-

http://www.theregister.co.uk/2009/09/18/ongoing_yahoo_mail_attacks/
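The weakness in that explanation has two halves: an endpoint that confirms whether a username exists, and no limit on how many passwords can then be tried against it. The code below is an added example (not from the thread, and not Yahoo's code) of the server-side controls that close both: the login answers an unknown username and a wrong password identically and at the same cost, so a name cannot be confirmed valid, and a sliding-window lockout keyed on whatever name was submitted stops answering after a few failures. The account store, the username fredbloggs, the password and the thresholds are all constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ROUNDS = 100_000


def make_record(password: str) -> dict:
    """Salted PBKDF2 password record (constructed account store, not a real provider's)."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)}


# Hypothetical accounts; the username is the one used as an example in the thread.
ACCOUNTS = {"fredbloggs": make_record("correct horse battery staple")}

# A dummy record is hashed against whenever the username is unknown, so a missing
# account costs the same time as a wrong password and cannot be told apart by timing.
DUMMY_RECORD = make_record(os.urandom(8).hex())


class LoginGuard:
    """Uniform failure responses plus a sliding-window lockout per submitted username."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                    # injectable so tests can move time
        self.failures = defaultdict(list)     # username -> timestamps of recent failures

    def _recent_failures(self, username: str, now: float) -> int:
        cutoff = now - self.lockout_seconds
        self.failures[username] = [t for t in self.failures[username] if t > cutoff]
        return len(self.failures[username])

    def attempt(self, username: str, password: str) -> str:
        """Return "ok", "invalid" or "locked"; never reveal whether the username exists."""
        now = self.clock()
        # The counter is keyed on the submitted name, so unknown names lock out
        # exactly like real ones and the lockout response itself leaks nothing.
        if self._recent_failures(username, now) >= self.max_failures:
            return "locked"
        record = ACCOUNTS.get(username, DUMMY_RECORD)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        record["salt"], PBKDF2_ROUNDS)
        # compare_digest keeps the comparison constant-time; the membership test
        # comes second so the hash work is done in every case.
        if hmac.compare_digest(candidate, record["hash"]) and username in ACCOUNTS:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username].append(now)
        return "invalid"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    for pw in ("guess1", "guess2", "guess3", "correct horse battery staple"):
        print(pw, "->", guard.attempt("fredbloggs", pw))
```

A per-username window on its own lets anyone lock a victim out by sending a few bad guesses, so real deployments pair it with per-source throttling, a second factor, or a challenge after the first failures; the point here is only that neither the response text nor its timing should tell the caller whether the name was a real account.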