Yahoo issue - hack, spoof, virus or what?

So in the last 3 days I’ve gotten 3 emails containing nothing more than a link to a spammish site (local mom invents work-at-home-penis enlagement-type) from family members or friends.

Here’s the issue- Those of us who received the spammails were all contacts of the person whose address appears to have sent the email.

They were also varied contacts - a friend, a nephew, a professional peer - not a cluster of people that would easily be gleaned from some other random email list that was being harvested.

However, no sent mail is seen in the ‘hacked account’, and it has happened quickly to multiple people. All of the accounts have been yahoo accounts. Two of the hack-ees, have been obligate mac users (only have macs, only use macs, no easy access to other computers.)

So is this a hack, a spoof, a virus or what?

Also, beyond changing their passwords asap, what do I tell them to do about it?

Spoofing the ‘from’ address in an email is ludicrously easy - it almost certainly won’t actually be from the account it purports to be.

As to how it ended up appearing to come from an address you recognised - I expect an email containing yours and some of your friends’ email addresses found its way to either a compromised machine somewhere (running a spambot trojan) or the email got harvested for addresses, which were appended in sequence to a list for spammers to use.

It could be the same attack as this recent one affecting NZ users of our largest ISP.

Sounds like the same symptoms anyway.

Yes, but the addresses are only ones that my relative has in her account, no others, yet of a wide enough range I can’t seem them being harvested from 1 or 2 or 3 emails.

This sounds a hell of a lot like it.

Hm, I was hoping for more action on this thread.

I don’t have any answers, but I was hit by this last month. Weirdly, my account is [name] (an old local address bought by Yahoo), but the spam emails went out as [name]

Very strange, and I had no control over it, since I didn’t have access to any account called [name] My computer is heavily locked down and protected, and I still have no idea how it happened. I only knew about it because I have an hotmail account that got hit, and then heard about it from some family members.

It seems to have gone away, and I never had any security issues or virus problems after that, so…?

My daughter’s Yahoo account got hacked into a couple of months ago. She had a stupidly easy password so we think that’s how they got in. At first the emails did come from her Yahoo account so she changed her password to something a little more substantial. However the emails still kept coming with her name on them but actually from another email address. Whoever got into her Yahoo account must have harvested her contacts. They quit coming. Maybe the spam blockers got wise or the spammers changed addresses to keep from getting caught?

Another way this can happen is if you send out a mass emailing with the individual addresses in the To or CC fields. There are people who sign up for such emails just to harvest and sell valid email addresses. For example I send out a mass emailing to about 300 people weekly about local bicycle rides. To help everyone’s privacy, I put the addresses in the BCC field.

My wife’s yahoo email was hacked similarly this week. The email was sent from her address with her name as the subject line. The content was just a link to something or other, and the recipients were all from her address book. The email didn’t show up in her sent folder, but there *were *a number of “failed delivery” notices that showed up in her inbox from recipients’ addresses that were no longer active, so it wasn’t just someone spoofing her email address-- it came from her account.

Maybe it’s some disgruntled Yahoo telecommuters selling off passwords.

A normal email header will have a “Sent from” address and possibly a “Reply to” address. They can be spoofed just like anything else and so bounced messages will come back to whatever address has been used in those fields. It DOESN’T mean the email was sent from her account, just that the fields were spoofed with her address.

Many of the addresses were from widely disparate contacts, such that they would not ever have been on the same email prior to the spam event, so an email harvest seems unlikely. This would argue for a hack, that is, someone was able to garner her contact list from the inside.

Also, her password was fairly good, with a number, a special character and a word, which would argue against a hack.

She also had no sent mail, which argues for a spoof.
Now you see why I asked y’all.

It’s possible the spammer used an email client rather than yahoo’s webpage to send the messages, in which case they may not have appeared in the ‘sent items’ folder.

Alternatively, the spammer could just as easily have deleted the messages from the sent folder after sending them. Just because they’re automatically created doesn’t mean they can’t be manually deleted. (otherwise an email account could get filled up with copies of sent messages effectively rendering the account unusable)

And while the from and to addresses can be spoofed, most email contains routing headers which cannot be completely faked (they’re added to by each server the message passes through). If an email wasn’t received most recently from a yahoo server, odds are the from address was spoofed.
They tend to look something like this (I made up all the names addresses, except for which does exist at that address and solely as an example):

received: from ( by ******
received: from ( by (
received: from ( by (

Thanks, I’ll check it out.

And remember, it’s not just how simple/complicated your yahoo password is, it’s also where else you use it.

Every stupid web site wants you to have a login/password. It’s frustrating to have to remember hundreds of passwords, so people tend to use the same password everywhere and the same login name (some sites use your email address as your login name).

If you use the same password everywhere, it takes just one of those sites getting compromised to compromise every other site. For example, last year the Sony Entertainment site was hacked. The hackers discovered that Sony was storing passwords and user information completely unencrypted. They posted the list of user names, birthdays, and passwords for the world to see. And, of course, a large number of those people used the same passwords everywhere.

Make sure your email password is unique. That is because if you forget your password on any other site, password recovery is usually involves sending a copy of your password to your email. You want your email password to be extra secure.

On the other hand, there are some sites where it would not be a major tragedy if someone got your password. If someone gets your password to your free Washington Post account, what are they going to do? Read some articles on your behalf? Those are the kinds of places where you can use a common password and cut down the number of passwords you need to remember.