I have a client who looked in his Yahoo Sent box one day to find emails purportedly sent by him to his entire Contact List advertising products from a website called buynet4u.com. I verified by looking at a bounceback that the email sending was instigated through Yahoo's mail servers, originating from IP address 188.8.131.52, which, according to APNIC, is likely to be in China. Doing searches on the web, this style of breach is not an uncommon occurrence; certainly Hotmail users have suffered a similar hack. Questions:
(1) How was the account breached?
(a) Remote location: Dictionary attack: Doesn't Yahoo lock out users after so many failed attempts? (The client's password is not a common one.) Or some insecurity in Yahoo's datastore has been exploited (remember this has happened at Hotmail too).
(b) Man in the middle: Something like Phorm (arguably) has recorded username/password activity and it has been played back (the client has a BT broadband line).
(c) Local client computer: An embedded keylogger used in conjunction with either an emailer engine or a remote hack into the user's hard drive to fish out the logfile (this is on a Mac with Firefox used as the browser, by the way). The client has only ever used Yahoo on one other computer: a PC using Internet Explorer some months prior; password settings were not remembered on that PC.
(2) Why was the account breached?
This seems like one hell of a lot of effort just to send roughly 50 emails. The client has two Contact Lists, and this has now happened on separate occasions to both lists (other reported incidents found on the net are also limited in scope in the same way as this). Why didn't the attacker take full advantage of his privileged access and import a list of addresses to spam into the victim's Contact List, then send to all? Maybe he was using his own IP address to send from and wished to stay below the radar. If the attacker has the expertise to hack an email account, why did he not send out these emails using a zombie PC under his control?