Straight Dope Message Board, General Questions forum

Thread: Yahoo issue - hack, spoof, virus or what?

#1  02-27-2013, 06:48 PM  Attack from the 3rd dimension (Guest, joined Jul 2007)

So in the last 3 days I've gotten 3 emails containing nothing more than a link to a spammish site (local mom invents work-at-home-penis enlargement-type) from family members or friends.

Here's the issue- Those of us who received the spammails were all contacts of the person whose address appears to have sent the email.

They were also varied contacts - a friend, a nephew, a professional peer - not a cluster of people that would easily be gleaned from some other random email list that was being harvested.

However, no sent mail is seen in the 'hacked account', and it has happened quickly to multiple people. All of the accounts have been Yahoo accounts. Two of the hack-ees have been obligate Mac users (only have Macs, only use Macs, no easy access to other computers).

So is this a hack, a spoof, a virus or what?

Also, beyond changing their passwords asap, what do I tell them to do about it?
#2  02-27-2013, 07:27 PM  Mangetout (Charter Member, England)
Spoofing the 'from' address in an email is ludicrously easy - it almost certainly won't actually be from the account it purports to be.

As to how it ended up appearing to come from an address you recognised - I expect an email containing yours and some of your friends' email addresses found its way to either a compromised machine somewhere (running a spambot trojan) or the email got harvested for addresses, which were appended in sequence to a list for spammers to use.
#3  02-27-2013, 07:33 PM  Kiwi Fruit (Charter Member, Hamilton, NZ)
It could be the same attack as this recent one affecting NZ users of our largest ISP.

Sounds like the same symptoms anyway.
#4  02-27-2013, 09:10 PM  Attack from the 3rd dimension (Guest, joined Jul 2007)
Quote (Mangetout):
Spoofing the 'from' address in an email is ludicrously easy - it almost certainly won't actually be from the account it purports to be.

As to how it ended up appearing to come from an address you recognised - I expect an email containing yours and some of your friends' email addresses found its way to either a compromised machine somewhere (running a spambot trojan) or the email got harvested for addresses, which were appended in sequence to a list for spammers to use.
Yes, but the addresses are only ones that my relative has in her account, no others, yet of a wide enough range I can't see them being harvested from 1 or 2 or 3 emails.

Quote (Kiwi Fruit):
It could be the same attack as this recent one affecting NZ users of our largest ISP.

Sounds like the same symptoms anyway.
This sounds a hell of a lot like it.
#5  02-28-2013, 11:11 AM  Attack from the 3rd dimension (Guest, joined Jul 2007)
Hm, I was hoping for more action on this thread.
#6  02-28-2013, 11:28 AM  Sateryn76 (Guest, joined Jul 2007)
I don't have any answers, but I was hit by this last month. Weirdly, my account is [name]@sbcglobal.net (an old local address bought by Yahoo), but the spam emails went out as [name]@yahoo.com.

Very strange, and I had no control over it, since I didn't have access to any account called [name]@yahoo.com. My computer is heavily locked down and protected, and I still have no idea how it happened. I only knew about it because I have a Hotmail account that got hit, and then heard about it from some family members.

It seems to have gone away, and I never had any security issues or virus problems after that, so....?
#7  02-28-2013, 12:34 PM  JerrySTL (Guest, joined Jan 2013)
My daughter's Yahoo account got hacked into a couple of months ago. She had a stupidly easy password so we think that's how they got in. At first the emails did come from her Yahoo account so she changed her password to something a little more substantial. However the emails still kept coming with her name on them but actually from another email address. Whoever got into her Yahoo account must have harvested her contacts. They quit coming. Maybe the spam blockers got wise or the spammers changed addresses to keep from getting caught?

Another way this can happen is if you send out a mass emailing with the individual addresses in the To or CC fields. There are people who sign up for such emails just to harvest and sell valid email addresses. For example I send out a mass emailing to about 300 people weekly about local bicycle rides. To help everyone's privacy, I put the addresses in the BCC field.
#8  02-28-2013, 12:41 PM  Happy Lendervedder (Guest, joined Dec 2001)
My wife's yahoo email was hacked similarly this week. The email was sent from her address with her name as the subject line. The content was just a link to something or other, and the recipients were all from her address book. The email didn't show up in her sent folder, but there were a number of "failed delivery" notices that showed up in her inbox from recipients' addresses that were no longer active, so it wasn't just someone spoofing her email address-- it came from her account.

Maybe it's some disgruntled Yahoo telecommuters selling off passwords.
#9  02-28-2013, 03:56 PM  Kiwi Fruit (Charter Member, Hamilton, NZ)
Quote (Happy Lendervedder):
The email didn't show up in her sent folder, but there were a number of "failed delivery" notices that showed up in her inbox from recipients' addresses that were no longer active, so it wasn't just someone spoofing her email address-- it came from her account.
A normal email header will have a "Sent from" address and possibly a "Reply to" address. They can be spoofed just like anything else and so bounced messages will come back to whatever address has been used in those fields. It DOESN'T mean the email was sent from her account, just that the fields were spoofed with her address.
#10  02-28-2013, 04:48 PM  Attack from the 3rd dimension (Guest, joined Jul 2007)
Quote (JerrySTL):
My daughter's Yahoo account got hacked into a couple of months ago. She had a stupidly easy password so we think that's how they got in. At first the emails did come from her Yahoo account so she changed her password to something a little more substantial. However the emails still kept coming with her name on them but actually from another email address. Whoever got into her Yahoo account must have harvested her contacts. They quit coming. Maybe the spam blockers got wise or the spammers changed addresses to keep from getting caught?

Another way this can happen is if you send out a mass emailing with the individual addresses in the To or CC fields. There are people who sign up for such emails just to harvest and sell valid email addresses. For example I send out a mass emailing to about 300 people weekly about local bicycle rides. To help everyone's privacy, I put the addresses in the BCC field.
Many of the addresses were from widely disparate contacts, such that they would not ever have been on the same email prior to the spam event, so an email harvest seems unlikely. This would argue for a hack, that is, someone was able to garner her contact list from the inside.

Also, her password was fairly good, with a number, a special character and a word, which would argue against a hack.

Quote (Kiwi Fruit):
A normal email header will have a "Sent from" address and possibly a "Reply to" address. They can be spoofed just like anything else and so bounced messages will come back to whatever address has been used in those fields. It DOESN'T mean the email was sent from her account, just that the fields were spoofed with her address.
She also had no sent mail, which argues for a spoof.


Now you see why I asked y'all.
#11  02-28-2013, 05:10 PM  dstarfire (Guest, joined Oct 2009)
It's possible the spammer used an email client rather than yahoo's webpage to send the messages, in which case they may not have appeared in the 'sent items' folder.

Alternatively, the spammer could just as easily have deleted the messages from the sent folder after sending them. Just because they're automatically created doesn't mean they can't be manually deleted. (otherwise an email account could get filled up with copies of sent messages effectively rendering the account unusable)

And while the from and to addresses can be spoofed, most email contains routing headers which cannot be completely faked (they're added to by each server the message passes through). If an email wasn't received most recently from a yahoo server, odds are the from address was spoofed.
They tend to look something like this (I made up all the names and addresses, except for example.com, which does exist at that address and solely as an example):
Code:
    Received: from example.com (192.0.43.10) by ******.hotmail.com
    Received: from mailrouter.legitdomain.com (3.3.3.3) by example.com (192.0.43.10)
    Received: from smtp.senderdomain.com (4.4.4.4) by mailrouter.legitdomain.com (3.3.3.3)
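The header-walking check dstarfire describes in #11, together with Kiwi Fruit's point in #9 that a bounce goes to whatever address the sender put in the message, as an added example that is not code posted by anyone in this thread. It parses the Received: chain of a raw message, skips the hops inside the recipient's own provider, and compares the outside server that handed the message over with the domain in From:. Both sample messages, every host name and all addresses are constructed for the demonstration (the IPs are from the RFC 5737 documentation ranges); the helper names and the my_provider parameter are this example's own.

```python
"""Walk the Received: chain of a raw message to judge whether it really passed
through the provider named in its From: header, and show where a bounce goes.

This is an example added to the thread, not code posted by anyone in it.
Host names, addresses and both sample messages are constructed for the
demonstration; the IPs come from the RFC 5737 documentation ranges.
"""
import email
import email.utils
import re
from email import policy

# One hop as written in a Received: header: "from <helo-name> (<ip>) by <host>".
# The bracketed IP is what the receiving server observed; the name before it is
# only what the sending server claimed in its HELO/EHLO and can be anything.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[\w.\-]+)(?:\s*[(\[](?P<ip>[\d.]+)[)\]])?.*?\bby\s+(?P<by>[\w.\-]+)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample 1: the outside server that handed the message to the
# recipient's provider (hotmail.com here) belongs to the From: domain.
GENUINE = b"""Return-Path: <auntjo@yahoo.com>
Received: from mta7.mail.yahoo.com (198.51.100.7) by mx1.hotmail.com
Received: from web12.mail.yahoo.com (198.51.100.12) by mta7.mail.yahoo.com
From: Aunt Jo <auntjo@yahoo.com>
To: nephew@hotmail.com
Subject: Aunt Jo

http://www.example.com/
"""

# Constructed sample 2: same From: and Return-Path:, but the message entered the
# recipient's provider from an unrelated relay, which is what a spoof looks like.
SPOOFED = b"""Return-Path: <auntjo@yahoo.com>
Received: from mx2.hotmail.com (192.0.2.2) by inbox5.hotmail.com
Received: from smtp.senderdomain.example (203.0.113.9) by mx2.hotmail.com (192.0.2.2)
Received: from mailrouter.legitdomain.example (203.0.113.3) by smtp.senderdomain.example
From: Aunt Jo <auntjo@yahoo.com>
To: nephew@hotmail.com
Subject: Aunt Jo

http://www.example.com/
"""


def parse_received(raw: bytes) -> list:
    """Hops in header order: hops[0] is the last server to touch the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append({k: (v.lower() if v else None) for k, v in m.groupdict().items()})
    return hops


def from_domain(raw: bytes) -> str:
    """Domain part of the (easily forged) From: header address."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def handoff_hop(hops: list, my_provider: str):
    """Skip the hops inside the recipient's own provider (the only lines we can
    trust, because that provider wrote them) and return the first hop where the
    message came in from outside. Every Received: line below that one could have
    been typed by the spammer before the message was ever sent."""
    for hop in hops:
        if not in_domain(hop["helo"], my_provider):
            return hop
    return None


def assess(raw: bytes, my_provider: str) -> str:
    """'relayed' if the server that handed the message to my_provider is in the
    From: domain, 'spoofed' if it is not, 'unknown' if no outside hop is recorded."""
    hop = handoff_hop(parse_received(raw), my_provider)
    if hop is None:
        return "unknown"
    return "relayed" if in_domain(hop["helo"], from_domain(raw)) else "spoofed"


def bounce_recipient(raw: bytes) -> str:
    """Where a 'failed delivery' notice is sent: the envelope sender recorded in
    Return-Path:, falling back to From:. Both are chosen by whoever sent the
    message, so a bounce in someone's inbox does not prove their account sent it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    rp = msg.get("Return-Path")
    return email.utils.parseaddr(str(rp) if rp else str(msg["From"]))[1].lower()


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        hop = handoff_hop(parse_received(raw), "hotmail.com")
        print(f"{label}: handed off by {hop['helo']} ({hop['ip']}) -> {assess(raw, 'hotmail.com')};"
              f" bounces go to {bounce_recipient(raw)}")
```

Two caveats when using this on real mail. The HELO name is whatever the sending server announced, so a spammer can claim to be a yahoo.com host; the datum your own provider actually observed is the bracketed IP, and the real test is to compare that IP with the From: domain's published sender list (SPF) or its reverse DNS, which needs network lookups and is left out of this offline example. And only the Received: lines added by your own provider are trustworthy; everything below the handoff line was supplied by the sender and may be fiction.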
#12  02-28-2013, 05:41 PM  Attack from the 3rd dimension (Guest, joined Jul 2007)
Thanks, I'll check it out.
#13  02-28-2013, 07:14 PM  Alley Dweller (Guest, joined Feb 2011)
And remember, it's not just how simple/complicated your yahoo password is, it's also where else you use it.

Every stupid web site wants you to have a login/password. It's frustrating to have to remember hundreds of passwords, so people tend to use the same password everywhere and the same login name (some sites use your email address as your login name).

If you use the same password everywhere, it takes just one of those sites getting compromised to compromise every other site. For example, last year the Sony Entertainment site was hacked. The hackers discovered that Sony was storing passwords and user information completely unencrypted. They posted the list of user names, birthdays, and passwords for the world to see. And, of course, a large number of those people used the same passwords everywhere.

Make sure your email password is unique. That is because if you forget your password on any other site, password recovery usually involves sending a copy of your password to your email. You want your email password to be extra secure.

On the other hand, there are some sites where it would not be a major tragedy if someone got your password. If someone gets your password to your free Washington Post account, what are they going to do? Read some articles on your behalf? Those are the kinds of places where you can use a common password and cut down the number of passwords you need to remember.