[kwlug-disc] OT: Hotmail/Yahoo account breakins

Bob Jonkman bjonkman at sobac.com
Thu Feb 28 01:38:08 EST 2013

Rashkae wrote:
> it probably wasn't the XSS exploit

I agree. The new flavour of spam messages all have the "sender's"[1] name in the
subject line, they all originate from Yahoo mail servers (which are also
used by @rogers.com), and they're all signed as authentic by DKIM. Or
maybe that's DMARC... What was the point of signing headers again?

[1] In scare quotes, because I don't really believe that those people
actually sent the message. They're victims, not perpetrators. I
recommend that people with compromised accounts change their passwords,
but I'm not sure how useful that is when the attack is right at the
Yahoo servers.

I can tell it's an attack on Yahoo's servers, not a drive-by
vulnerability on web browsers that access Yahoo's webmail site, because
one of the messages I received was "from" a friend who passed away in
2011, so I *know* he wasn't using a vulnerable browser or a malware
infested computer. The spam messages also list a number of addresses in
the To: field from the victim's addressbook. Some of the addresses
listed in the To: field from my friend were from unpublished accounts on
a mail system we administered, so I'm pretty sure Yahoo's servers were
compromised, giving the attackers access even to dormant accounts and
their addressbooks.

I've also been receiving a ton of messages where the name in the From:
field is someone I know, but the e-mail address is something like
qwertysplat at yahoo.com. It seems that's a different spam engine, because
those messages are an ordinary case of header spoofing, and not
particularly well done.

In both cases my spam filter catches them nicely, except when the
message has been sent to a mailing list. At least two mailing lists I
manage have been spammed this way, and the TLUG list too. Have any
messages snuck through to the KWLUG list?

> I've had no luck finding anyone able/willing to explain this latest
> tsunami of compromised e-mail accounts.

And there doesn't seem to be anything in the online technical press,
either.  There's this:
but I'm not sure it's the same thing or an older attack (the article is
from 11 February).  Also, a source in the article claims that attack is
an XSS attack, but that doesn't explain how dead relatives could be

"Telecom have explained, I guess that it's a compromise of the Yahoo
database...and the data appears to have been stolen."



On 13-02-27 10:38 PM, Rashkae wrote:
> On 02/27/2013 10:17 PM, John Kerr wrote:
>> Is this a bigger problem than anyone inside or outside of Yahoo
>> Hotmail wants to admit to? I ask rhetorically.
> There has been a really big problem that started about midway last
> week.. Usually, I get one or two people on my client list per year
> with a compromised e-mail account.  But as of last week, just about
> everyone I know with Yahoo (Rogers) accounts has been hit.
> One of them didn't even ever use (or know they had) webmail (POP
> only), so it probably wasn't the XSS exploit most people seem to be
> assuming at play.  I've had no luck finding anyone able/willing to
> explain this latest tsunami of compromised e-mail accounts.
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
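The two cases Bob describes call for different handling in a spam filter: a message whose From: address really belongs to a contact, arrives DKIM-signed by the sender's own domain, and is addressed to a batch of that contact's address book is a compromised account (changing the browser or the password on the recipient side does nothing), whereas a contact's display name pasted onto a random address with no signature is a plain header spoof. The Python below is an added example, not code from this thread or from any Yahoo or Rogers system. It parses two constructed sample messages (the headers, addresses and DKIM tag values are made up) and classifies them. It does not verify the DKIM signature itself; it assumes the receiving MTA has already done that and recorded the outcome in an Authentication-Results header, which is the usual setup but is an assumption here. Note what a passing signature actually proves: that the message passed through the signing domain's servers unmodified, not that the account owner wrote it.

```python
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed address book: display name -> the address that contact really uses.
ADDRESSBOOK = {
    "Alice Example": "alice.example@yahoo.com",
    "Carol Example": "carol@example.net",
    "Dave Example": "dave@example.net",
}

# Constructed sample 1: the From: address really is Alice's, the message carries
# a DKIM signature for yahoo.com that the receiving MTA recorded as passing, and
# the To: line is several people from Alice's address book. Nothing in these
# headers is forged; the account (or the server behind it) is what was abused.
COMPROMISED = b"""Authentication-Results: mx.example.net; dkim=pass header.i=@yahoo.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
 h=From:To:Subject:Date; bh=constructed; b=constructed
From: Alice Example <alice.example@yahoo.com>
To: bob@example.net, carol@example.net, dave@example.net
Subject: Alice Example
Date: Wed, 27 Feb 2013 22:00:00 -0500

http://example.invalid/
"""

# Constructed sample 2: Alice's display name on a random yahoo.com address and
# no DKIM signature at all, i.e. an ordinary header spoof.
SPOOFED = b"""From: Alice Example <qwertysplat@yahoo.com>
To: bob@example.net
Subject: Alice Example
Date: Wed, 27 Feb 2013 22:05:00 -0500

http://example.invalid/
"""


def dkim_signing_domain(msg):
    """Return the d= tag (signing domain) of the DKIM-Signature header, or None."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
    return m.group(1).lower() if m else None


def dkim_auth_result(msg):
    """Return the dkim= verdict the receiving MTA wrote into Authentication-Results
    (pass, fail, none, ...), or None if the header is absent. Assumption: the local
    MTA verifies DKIM and adds this header; nothing here does a DNS lookup."""
    ar = msg.get("Authentication-Results")
    if ar is None:
        return None
    m = re.search(r"\bdkim=(\w+)", str(ar))
    return m.group(1).lower() if m else None


def classify(raw, addressbook):
    """Classify one raw RFC 5322 message against a display-name -> address book."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    known = addressbook.get(name, "").lower()
    signer = dkim_signing_domain(msg)
    result = dkim_auth_result(msg)
    from_domain = addr.rsplit("@", 1)[-1]
    # "Signed by the sender's own domain" means d= equals the From: domain (or a
    # parent of it) and the MTA reported the signature as passing.
    signed_by_sender_domain = (
        signer is not None
        and (from_domain == signer or from_domain.endswith("." + signer))
        and result == "pass"
    )

    # Recipients who are in our address book: a To: line full of the "sender's"
    # contacts is the harvested-address-book indicator from the thread.
    recipients = {a.lower() for _, a in getaddresses([str(msg.get("To", ""))])}
    contacts_in_to = sorted(recipients & set(addressbook.values()))

    if known and addr == known:
        verdict = "compromised-account" if signed_by_sender_domain else "known-address-unsigned"
    elif known and addr != known:
        verdict = "display-name-spoof"
    else:
        verdict = "unknown-sender"
    return {
        "verdict": verdict,
        "from": addr,
        "dkim_domain": signer,
        "dkim_result": result,
        "contacts_in_to": contacts_in_to,
    }


if __name__ == "__main__":
    for label, raw in (("compromised", COMPROMISED), ("spoofed", SPOOFED)):
        print(label, classify(raw, ADDRESSBOOK))
```

For a real filter you would replace dkim_auth_result with an actual verification (for example the dkimpy package), because an attacker who controls the message can just as easily add a fake Authentication-Results header; most MTAs strip any such header that arrives from outside precisely for that reason. The "compromised-account" verdict is also the one worth escalating to the account holder rather than just binning, since no amount of recipient-side filtering fixes it.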
