Email attack exploits vulnerability in Yahoo site to hijack accounts - harrisonsiquene

Hackers behind a recently detected email attack campaign are exploiting a vulnerability in a Yahoo website to hijack the email accounts of Yahoo users and use them for spam, according to security researchers from antivirus vendor Bitdefender.

The attack begins with users receiving a spam email with their name in the subject line and a short "check out this page" message followed by a bit.ly shortened link. Clicking on the link takes users to a website masquerading as the MSNBC news site that contains an article about how to make money while working from home, the Bitdefender researchers said Wednesday in a blog post.

At first glance, this seems no different from other work-from-home scam sites. However, in the background, a piece of JavaScript code exploits a cross-site scripting (XSS) vulnerability in the Yahoo Developer Network (YDN) Blog site in order to steal the visitor's Yahoo session cookie.

How it works

Session cookies are unique strings of text stored by websites inside browsers in order to remember logged-in users until they sign out. Web browsers use a security mechanism called the same-origin policy to prevent websites opened in different tabs from accessing each other's resources, like session cookies.

The same-origin policy is usually enforced per domain. For example, google.com cannot access the session cookies for yahoo.com even though the user might be logged into both websites at the same time in the same browser. However, depending on the cookie settings, subdomains can access session cookies set by their parent domains.

This appears to be the case with Yahoo, where the user remains logged in regardless of what Yahoo subdomain they visit, including developer.yahoo.com.

The rogue JavaScript code loaded from the fake MSNBC website forces the visitor's browser to call developer.yahoo.com with a specially crafted URL that exploits the XSS vulnerability and executes additional JavaScript code in the context of the developer.yahoo.com subdomain.

This additional JavaScript code reads the Yahoo user's session cookie and uploads it to a website controlled by the attackers. The cookie is then used to access the user's email account and send the spam email to all of their contacts. In a sense, this is an XSS-powered, self-propagating email worm.

The exploited XSS vulnerability is actually located in a WordPress component called SWFUpload and was patched in WordPress version 3.3.2, which was released in April 2022, the Bitdefender researchers said. Nevertheless, the YDN Blog site appears to be using an outdated version of WordPress.
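To make the cookie-scoping point concrete, here is an added Python model (not code from the article, Bitdefender or Yahoo) of RFC 6265 domain matching together with the HttpOnly flag; the Set-Cookie headers and hostnames it uses are constructed. A session cookie scoped to yahoo.com without HttpOnly is both sent to developer.yahoo.com and readable there via document.cookie, which is exactly what an injected script on that subdomain needs; the same cookie with HttpOnly is still sent but not script-readable, and a host-only cookie is not sent to the subdomain at all.

```python
# Added example: models browser cookie scoping (RFC 6265) to show which
# cookies a script running on developer.yahoo.com can read. Not article code.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # domain the cookie applies to (lower-case, no leading dot)
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    http_only: bool   # True when Set-Cookie carried HttpOnly

def parse_set_cookie(header: str, set_by_host: str) -> Cookie:
    """Parse the parts of a Set-Cookie header that matter for scoping."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain, http_only = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain":
            domain = val.lower().lstrip(".")
        elif key.lower() == "httponly":
            http_only = True
    if domain is None:  # no Domain attribute: host-only cookie
        return Cookie(name, set_by_host.lower(), True, http_only)
    return Cookie(name, domain, False, http_only)

def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)

def sent_to(jar, url):
    """Cookies the browser attaches to a request for `url`."""
    host = urlsplit(url).hostname.lower()
    return [c for c in jar if (host == c.domain if c.host_only
                               else domain_matches(host, c.domain))]

def readable_by_script(jar, url):
    """Names of cookies document.cookie exposes on `url` (sent, not HttpOnly)."""
    return sorted(c.name for c in sent_to(jar, url) if not c.http_only)

# Constructed Set-Cookie headers, as if issued by a login page on login.yahoo.com.
LOGIN_HOST = "login.yahoo.com"
JAR = [
    parse_set_cookie("SESSION_WEAK=abc; Domain=.yahoo.com; Path=/", LOGIN_HOST),
    parse_set_cookie("SESSION_HARDENED=abc; Domain=.yahoo.com; Path=/; Secure; HttpOnly", LOGIN_HOST),
    parse_set_cookie("LOGIN_ONLY=xyz; Path=/; HttpOnly", LOGIN_HOST),
]
```

Run `readable_by_script(JAR, "https://developer.yahoo.com/")` to see that only the weakly scoped cookie is exposed to script on the subdomain.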

How to avoid trouble

After discovering the attack on Wednesday, the Bitdefender researchers searched the company's spam database and found very similar messages dating back almost a month, said Bogdan Botezatu, a senior e-threat analyst at Bitdefender, Thursday via email.

"It is extremely difficult to estimate the success rate of such an attack because it can't be seen in the sensor network," he said. "However, we estimate that roughly one percent of the spam we have processed in the past month is caused by this campaign."

Bitdefender reported the vulnerability to Yahoo on Wednesday, but it still appeared to be exploitable on Thursday, Botezatu said. "Some of our test accounts are still sending this specific type of spam," he said.

In a statement sent later on Thursday, Yahoo said it had patched the vulnerability. "Yahoo takes security and our users' data seriously," a Yahoo representative said via email. "We recently learned of a vulnerability from an external security firm and confirm that we have fixed the vulnerability. We encourage concerned users to change their passwords to a strong password that combines letters, numbers, and symbols; and to enable the second login challenge in their account settings."

Botezatu advised users to avoid clicking on links received via email, especially if they are shortened with bit.ly. Determining whether a link is malicious before opening it can be tricky with attacks like these, he said.

In this case, the messages came from people the users knew—the senders were in their contact lists—and the malicious site was well-crafted to look like the real MSNBC portal, he said. "It is a type of attack that we expect to be highly successful."

Updated 1/31/2013 with Yahoo comments

Source: https://www.pcworld.com/article/456674/email-attack-exploits-vulnerability-in-yahoo-site-to-hijack-accounts.html

Posted by: harrisonsiquene.blogspot.com
