Yahoo Email Virus
Last weekend I received an unusual email from my sister.
She had sent the message to 6 or 7 people, some of them family members. The subject line was something unintelligible.
And the content was a sales pitch for certain male performance enhancing recreational pharmaceuticals.
Naturally, there was a link to a website that held the chemical answer to all of mankind’s ailments, or maybe just man’s ailments.
My immediate thought was, “You got hacked!”
So I sent a text message telling her of the amusing email I had received and that she probably clicked on some link that she shouldn’t have clicked on while reading her mail. If this email account was tied to her Facebook account, the offending activity could have just as easily come from there.
She sent me a text back, thanking me for the info and she set about changing her passwords on her various accounts.
I didn’t think anymore about the email, chalking it up to pilot error on her part.
Hotmail Joins The Act
Two days later, I get an email from a good friend of mine up in New England. Nothing on the subject line and again sent to about 10 recipients, some of whom I recognized. There was nothing in the body of the message either except for one really ugly URL.
Rather unusual, I thought, and a small warning went off in my head. I considered writing her a message, but it was late and I was in the middle of writing something else that I had to get out for the next day.
“I’ll send her something tomorrow” and continued on with what I was doing.
The next morning, I received a third email from a co-worker. Again, nothing in the subject line, sent to about 10 recipients, some of whom I recognized (I actually work with some of the people), and again there was nothing in the body of the message except for one really ugly URL.
That’s when the small warning turned into a blaring klaxon. Something was wrong.
I still had all of their emails, so I immediately set out to discover the common thread. That’s when I realized that two out of the three were from people using Yahoo mail and the third used Hotmail.
Yahoo Email, Hotmail, And Twitter Succumb To A Year Old Vulnerability
This immediately brought to mind the CSS Cross Site Scripting security hole that I had read about last week on Ars Technica. Returning to the site where I had read the article originally, I discovered that Ars Technica had a new article on how Twitter had succumbed to the CSS Cross Site Scripting attack earlier that morning.
A search on Google for Yahoo email Cross Site Scripting revealed a twitter timeline with lots of people complaining about their Yahoo email accounts sending out Spam emails and deleting contacts out of their address book.
It appears that somebody’s been busy!
All of this behavior was outlined in the paper from a research team at Carnegie Mellon. Everything from the way Twitter could be hacked to how this exploit would effect Yahoo mail and Hotmail.
While the team at Twitter fixed the problem within a couple of hours, I still don’t see any type of message, problem identification, or resolution for Yahoo mail or Hotmail.
And there are still people on the Twitter timeline tweeting on how they are receiving or sending out Spam emails from their yahoo account.
If you are using some version of Internet Explorer, you may be causing yourself extra grief since the hack seems to need the lax method that IE handles malformed CSS. You might want to try a different browser until some of this ugliness clears up.
Here are the two articles from Ars Technica on this problem.
Microsoft investigates public IE CSS XSS flaw; Twitter, Hotmail vulnerable
Twitter worms spread quickly thanks to blatant security flaw
No comments:
Post a Comment