[kwlug-disc] OT: Hotmail/Yahoo account breakins

unsolicited unsolicited at swiz.ca
Thu Feb 14 21:32:51 EST 2013

Worth forwarding all accounts to your trusted / preferred server, where 
you can use your (sandboxed?) trusted e-mail client / browser/e-mail 
combo? (Isn't Gmail supposed to have some pretty good malware detection 
behind it?)

In that client you could set up connections so even these go out on the 
associated (Yahoo/Hotmail/Gmail) SMTP server, but at least you're 
receiving everything via your one trusted self / internet conduit.

Gmail will let you send out as whomever you want (after a verification 
process), albeit the headers will reveal it came via a Gmail SMTP server. 
Presumably most, most of the time, won't care. IIRC, even such messages 
routed out via Gmail don't show your Gmail address, just the 
Yahoo/Hotmail/whatever one, even though it went out via a Gmail SMTP server.

Something else not mentioned thus far: only read e-mail in plain text, 
switching to non-plain text on a per-message, judicious basis.

(Perhaps it is HTML e-mail itself that created these holes / problems 
for the world, in the first place.)

I'm guessing from Paul's original message he can't prevent his users 
from using servers other than his own, within which he could establish a 
sanitizer - ClamAV?

On 13-02-14 07:42 PM, Khalid Baheyeldin wrote:
> I have been bitten by this email hijack.
> For regular browsing, I use Firefox with NoScript, and disable all
> JavaScript and Flash for all sites, except a select few (Google for Gmail,
> Facebook because it is not functional without it, ...etc.)
> For surfing the occasional site that I need JavaScript or Flash on, I use
> Chromium, and fire it up as needed, and paste the URL.
> Yahoo Mail and Hotmail, which I only use occasionally, require JavaScript
> and don't degrade gracefully. So I use those on Chromium once a week or
> once a month.
> My Yahoo Mail was taken over, and someone was sending emails with links to
> my contacts with malicious links. I changed the password in Yahoo Mail, and
> the problem went away.
> So, my conclusion is that JavaScript seems to be the culprit, or maybe XSS,
> but I don't recall clicking on any of the links sent by anyone.
> I have NEVER ever used Yahoo Mail or Hotmail on a mobile device, so that is
> not the attack vector for sure.
