Yahoo Admits to Unauthorized Activity on Yahoo Mail

31 January 2014

A brief security update from Yahoo yesterday announced that it had recently "identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts." Affected users have been prompted to change their passwords.

Yahoo doesn't provide much information. It doesn't say when this activity was noticed, how many accounts have been affected, or who it thinks might be responsible. It is, however, suggesting that Yahoo itself has not been hacked. "Based on our current findings," wrote Jay Rossiter, SVP for platforms and personalization products, "the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems."

He adds that "malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts," and that the attack specifically sought "names and email addresses from the affected accounts' most recent sent emails."

Reports that Yahoo Mail has been hacked seem to be exaggerated. The implication here is that the email addresses and the passwords could have been taken from any one or more of the recent large-scale breaches elsewhere (Adobe, Target, Neiman Marcus, Michaels, etc.). Any user who reused their Yahoo password on any of those breached services would automatically be compromised.

However, since the attackers would not know which of the passwords had been reused, they developed their own 'malicious software' to automate the probes, trying each leaked username and password pair against Yahoo Mail in turn. If ever users needed a further demonstration that passwords should never be reused across multiple accounts, this is it.
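The automated probing described above, seen from the defender's side, as an added example that is not part of the original article: a script that scans a constructed authentication log for the signature of a credential-stuffing run (one source trying many distinct accounts with a high failure rate) and lists the accounts where a reused password let the attacker in. The log format, addresses and thresholds are assumptions.

```python
"""Flag credential-stuffing sources in authentication logs (added example,
not the article's code; log format and thresholds are assumptions)."""
from collections import defaultdict

# Constructed sample log: "timestamp source_ip username result".
# 198.51.100.7 replays a leaked credential list across many accounts and
# hits two reused passwords; 203.0.113.9 is an ordinary user mistyping once.
SAMPLE_LOG = """\
2014-01-30T02:00:01Z 198.51.100.7 alice@example.com FAIL
2014-01-30T02:00:02Z 198.51.100.7 bob@example.com FAIL
2014-01-30T02:00:03Z 198.51.100.7 carol@example.com OK
2014-01-30T02:00:04Z 198.51.100.7 dave@example.com FAIL
2014-01-30T02:00:05Z 198.51.100.7 erin@example.com FAIL
2014-01-30T02:00:06Z 198.51.100.7 frank@example.com OK
2014-01-30T02:00:07Z 198.51.100.7 grace@example.com FAIL
2014-01-30T02:05:00Z 203.0.113.9 ivan@example.com FAIL
2014-01-30T02:05:10Z 203.0.113.9 ivan@example.com OK
"""

def parse_log(text):
    """Yield (source_ip, username, success) from the constructed format."""
    for line in text.splitlines():
        if line.strip():
            _ts, ip, user, result = line.split()
            yield ip, user, result == "OK"

def find_stuffing_sources(text, min_accounts=5, min_fail_rate=0.5):
    """Return {source_ip: stats} for sources that look like credential stuffing.

    A bot replaying a breached list tries one password per account across many
    accounts, so the tell is many distinct usernames from one source with a high
    failure rate; its few successes are the reused-password victims to reset.
    A real user retrying their own password touches one account: never flagged.
    """
    per_ip = defaultdict(lambda: {"users": set(), "hits": set(),
                                  "attempts": 0, "fails": 0})
    for ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_accounts and fail_rate >= min_fail_rate:
            flagged[ip] = {"accounts_tried": len(s["users"]),
                           "fail_rate": round(fail_rate, 2),
                           "compromised": sorted(s["hits"])}
    return flagged
```

In production the same logic would be run per time window and keyed on more than the source address, since a botnet spreads the attempts over many sources; the per-account view (one account, many sources, one failure each) is the complementary signal.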

The motivation for the attack is, however, a little obscure. "One likely reason is to harvest valid email addresses from the sent folder in order to deliver spam runs," Fraser Howard, security researcher with Sophos, suggested to Infosecurity. "I bet if you could survey the contacts of victims, those contacts would have received spam messages from that victim in the time window following the attack – and perhaps additional spam runs from some other account later. A valid email address has some monetary value to spammers; it might only be small for a single address, but in bulk, there is profit to be made."

This would also explain why the attack was automated: the attackers would have assumed that Yahoo would quickly recognize and block the activity. "A quick harvest of information ensures value (profit) even once access is subsequently blocked," he said.

But why the attack specifically targeted the 'sent' folder remains a puzzle, "unless," posits ESET senior research fellow David Harley, "it was simply to prove that they could or a precursor to a different kind of attack, or a cover for a more specifically-targeted attack. If you wanted to ensure that if your targeted attack was detected the victim wouldn’t realize the attack was targeted, you might try to hide the tree in the forest."

It is known that DDoS attacks are sometimes used to disguise more targeted hacks, and a similar approach may apply here; but that still doesn't explain the focus on the 'sent' folder. "If it's for harvesting addresses," Harley told Infosecurity, "it suggests that the attacker is looking for addresses particularly associated with the victim rather than mailing lists that may be ‘receive only’. Does that suggest plans for targeted social engineering? I don’t know..."
