Yahoo Accounts Hijacked via XSS-Type Attack

[Dewbie]

From HOTforSecurity:

Popular webmail provider Yahoo has been slammed with a new e-mail-based attack that seizes control of victims’ accounts. Bitdefender Labs discovered the ongoing campaign (Jan. 30) and are once again warning users about the dangers of clicking spammy links.

Details here.

[Bruce B]

From HOTforSecurity:

Popular webmail provider Yahoo has been slammed with a new e-mail-based attack that seizes control of victims’ accounts. Bitdefender Labs discovered the ongoing campaign (Jan. 30) and are once again warning users about the dangers of clicking spammy links.

Details here.

I suppose if it was Microsoft doing it instead of an unknown, it might be considered something to turn over to PR and spin it as MS serving the user and improving the web experience.

If it were the Government, every byte of information on the Internet belongs to the many elected and appointed individuals anyway, there wouldn't even be a problem. Except the Government can get the information by asking in a way that is hard to refuse, so no need for hacking.

I know you are talking about a crime, but with the examples the individuals in government and big business set for us, what makes it crime? Because paupers are the ones doing it?

By the time President Clinton was done, the very existence of sex in America was in question, depending on how you define it maybe.

As if there isn't enough actual crime in America, the FBI is interested salacious email like this make up:

• Subject: Your Talk At Harvard
  
  Dear General Petraeus,
  
  Hearing you speak at Harvard was a real eye-opening experience. I'd like to thank you for giving your time, and sharing your wisdom. I wanted to ask if there was any way I could talk to you further about my research work. Your help would be invaluable.
  
  Best Regards, Paula Broadwell
  
  Hello Ms. Broadwell,
  
  It was my pleasure to speak to you and the rest of those gathered. I would be glad to talk with you further. Perhaps we can set up a time to meet in person, and you can explain to me in more specific terms what you're looking for. Do you like waffles?
  
  Sincerely, Gen. David Petraeus
  
  P.S. And please, call me David.
  
  Hi David,
  
  I do very much like waffles, and please call me Paula. I am very happy you're willing to hear what I have in my mind. I will let your schedule dictate our rendezvous. Just say the word and I'll be there.
  
  Many thanks! Best, Paula.

I know a 21 year-old girl. Her mother spends more time in prison than at home. Her father never seemed to notice or take interest in her or bother with parenting.

Her family has always been whatever gang of kids she hangs out with. How do we expect to turn out?

California Governor Jerry Brown is pardoning people at a slightly slower rate than the People convict them.

One man pardoned tried to use his attorney power and position to get sex off a minor in trouble. He would give her freedom if she would give him sex.

A grandmother convicted of killing her grandson, even after the Supreme Court decisions saying she should be in prison was pardoned by him.

One hundred and forty-nine in two years.

What am I actually wanting to say?

Maybe when corruption is at the top in so many levels, it seems natural to me for their abuse of power and disregard for people filter back down through the ranks.

These days it seems even the Secret Service expects the privilege of stealing services from prostitutes with impunity. Well, maybe not so much as before.

I want to go down on record with this statement: None of this looks like Walton's Mountain to me.

~

[ETP]

This theft of account data from email servers is becoming more common and I was hit yesterday. There is little you can do to prevent it but you can take steps to alert yourself to it and to minimise the effects.

1. Use a client to access your hotmail account such as Outlook/Thunderbird and restrict the contacts list on the server to only a couple of names. (Ideally only people you know to be tech savvy and likely to recognise spam)

2. Make sure that you include your own email address on the contacts list held on the server. If your account is compromised spam will be sent to everyone on your list and you will immediately be alerted when you appear to send yourself an email.


If you do suffer an attack swiftly change your password and security questions/ answers. Also alert the users on your web based contact list - which will only be a couple of people if you follow this advice.

[mini-jaguar]

Yahoo mail has been having security problems since the 1990s, nothing new.

Also, nothing new that some accounts have gotten malware that takes all the people from their friend lists and gives it to sketchy accounts, scammers I suppose, in the messenger.

[nooby]

Ooops so what other email provider should I use?
Gmail also have been hacked or? hotmail also hacked?

What about http://www.superheromail.com/
would that be for real or a humorous joke?

he writes he is tired of all the big ones and created it
for to get a secure email but that domain name is childish?

[GustavoYz]

There is nothing new on any of that, just a clever phising campaign using a XSS attack against people who click spammy links from unknown senders.

I see no reason to be worried, the e-mail protocol and any decent mail server is quite segure if you don't aloud mime files to be loaded (which should happen by default) and don't click spam links.

[Dewbie]

I just received two more spam-link e-mails from hijacked Yahoo! accounts.
Judging by the sheer volume of complaints, this seems to affect Yahoo! more than others.

British Telecom recently dumped them after numerous complaints from customers.
(Apparently, Yahoo! has other priorities. )