Standard User bobble_bob
(experienced) Sun 03-Mar-13 11:28:08
Strange email (spoofing?)
 
Got a few different email accounts, and just got an email sent to my Hotmail account from my Yahoo account. Subject was just my name, and had some dodgy link which I didn't click. I looked and a few other addresses were copied into the message (from what I can see, websites I've used to buy things from using that email address).

Anyway went into my Yahoo account and got a few "delivery failed" messages which were the email addresses copied in that are probably no longer active. No sign that my Yahoo account has been hacked and PC scan is clean.

Few weird things though - Dunno how they got my password. It's unique to just that email address and isn't used for anything else, PC is clean and plus I hardly type it in as it's auto log in. Email wasn't sent to all contacts but only a few (plus a fake email address I've never heard of). Normally they just mass email the whole contact list. Nothing in sent or deleted items (I know these can be deleted though)

So is it just someone spoofing my email address or what?
Standard User bobble_bob
(experienced) Sun 03-Mar-13 11:45:22
Re: Strange email (spoofing?)
[re: bobble_bob]
 
To add, 2 other people on another forum had this happen to them within the last 24 hours. Something going on with Yahoo Mail?
Standard User shinerweb
(newbie) Sun 03-Mar-13 13:03:03
Re: Strange email (spoofing?)
[re: bobble_bob]
 
I'd concur that something strange is definitely going on with Yahoo.

I've now received a whole series of Spamvertised links within emails from Yahoo users, but strangely, I've also received them from multiple BT Internet users...
BT Internet uses the Yahoo email system.

Some of the BT Users are people I know wouldn't fall for phishing.

I've had 100s of these emails hit my servers over the past 3 days when it first started from over 50 different Yahoo accounts.

I've got a Yahoo account myself, and have had a quick look but nothing there so far.
In a previous security breach, the hackers would login to your Yahoo account, send the email and you could see it in your "Sent" folder.
A later version of the hack would delete the message from your "Sent" folder to try and hide it, but you could then find it in your "Trash" folder.

If you have a Yahoo account, it is worth changing the password to a strong/secure password, and keeping an eye on the Sent/Spam folder.

If you start seeing emails in your inbox from "mailer-daemon" or a bunch of returned/blocked emails, it's a good bet your own account has been compromised...

I get the feeling we are going to be reading about this in the news later this week...

Evernote had to do a mass reset of 50Million user account passwords yesterday when they detected a security break into their servers...
It seems the bad guys are having a push on hacking accounts at the moment..

The bulk of the emails I've received on my servers are originating from Romania/India with a few spread elsewhere. It appears that they are being sent out by a rather large botnet.

I am not 100% convinced that these accounts have been compromised by brute force dictionary attacks/phishing... I definitely smell a security hack at Yahoo...

Chris

Standard User bobble_bob
(experienced) Sun 03-Mar-13 13:37:43
Re: Strange email (spoofing?)
[re: shinerweb]
 
Seems to be too many over a short period of time to be random brute force attacks. I've now changed my password and deactivated my account, don't use it that much anyway

Edited by bobble_bob (Sun 03-Mar-13 13:38:26)

Standard User shinerweb
(newbie) Sun 03-Mar-13 13:59:30
Re: Strange email (spoofing?)
[re: bobble_bob]
 
I did a bit more research, it appears to be linked to a known XSS vulnerability that Yahoo allegedly fixed a month ago... Perhaps not.
It relies on Yahoo (and therefore BT) users clicking on that link in the email.

See http://tnw.co/ZYZGnK (That's a http://thenextweb.com/ article btw !!)

I'm still not convinced it's a bit more sinister.. Another contact of mine has just been hacked and he swears blind he hasn't even opened his Yahoo/BT email in months and he definitely hasn't clicked on any links (And he uses Firefox and NoScript so the above exploit would not have worked in his case).

I just deleted all of my contacts from my Yahoo account and added a couple of honey traps to see if they pick up anything...

Chris

Standard User bobble_bob
(experienced) Sun 03-Mar-13 14:12:38
Re: Strange email (spoofing?)
[re: shinerweb]
 
Yea I use Firefox/NoScript and I only use my Yahoo mail account when ordering stuff from certain online stores, or signing up to forums so I wouldn't click a link randomly
Standard User bobble_bob
(experienced) Sun 03-Mar-13 14:17:29
Re: Strange email (spoofing?)
[re: shinerweb]
 
The link in the email I was sent was for a website called "linkramps"

Doesn't seem a dodgy virus infested site going on a quick Google Search

Edited by bobble_bob (Sun 03-Mar-13 14:18:14)

Standard User Malwaremike
(member) Sun 03-Mar-13 14:32:28
Re: Strange email (spoofing?)
[re: bobble_bob]
 
I have connections with a charitable group and have received a couple of emails CC'd to many other members of the group. These are similar to the above and contain nothing but a link which led in one case to a magazine, in the other to a company site, both in the US and both apparently genuine. My mail is with BT/yahoo.

One of the emails resolves to Hanoi, Vietnam, the second to Indonesia, the third to India. Probably all spoofed. So what's going on here? If we click on the links does this simply confirm our addresses to the senders for spam or malware? I've done a full scan but Kaspersky sees nothing amiss.

EDITED TO ADD: This is hitting the BT forums http://community.bt.com/t5/Other-BB-Queries/BT-email...
Looks as if BT Yahoo may have been hit

Edited by Malwaremike (Sun 03-Mar-13 17:09:45)

Standard User clyde123
(learned) Sun 03-Mar-13 22:53:23
Re: Strange email (spoofing?)
[re: bobble_bob]
 
Yes, a customer had exactly the same thing - messages sent out at 0140 on Saturday morning. He swears PC was switched off, etc etc.
And yes - it's a YAHOO email account.
Standard User Banger
(eat-sleep-adslguide) Mon 04-Mar-13 01:38:27
Re: Strange email (spoofing?)
[re: bobble_bob]
 
Strange. My Dad got an email from a Vicar he had contacted asking for money as she was stuck in the Philippines. It was a Yahoo email but hers was a blueyonder address. This was last week; seems Yahoo is the scammers' choice. He tried to phone her to warn her but just had to leave a message on her answer machine.

Tim
www.vivaciti.net & freenetname
Billion 7800 on 24 Meg Variety LLU
My Broadband Speed Test
Standard User bobble_bob
(experienced) Mon 04-Mar-13 16:48:45
Re: Strange email (spoofing?)
[re: clyde123]
 
There was a security breach last year with 450,000 usernames/passwords stolen and posted online. Wonder if whoever now has them just decided to see which are still active?

Nice of Yahoo to tell people about the breach last year. First I heard of it was yesterday after Googling!

Edited by bobble_bob (Mon 04-Mar-13 16:49:15)

Standard User Malwaremike
(member) Mon 04-Mar-13 17:23:55
Re: Strange email (spoofing?)
[re: bobble_bob]
 
This appears to be a major incident but Yahoo/BT are keeping quiet about it, even removing reference to 'virus' from their status page. The BT forum now has eight pages of complaint since lunchtime yday :(
http://community.bt.com/t5/Other-BB-Queries/BT-email...
Standard User bobble_bob
(experienced) Mon 04-Mar-13 17:43:54
Re: Strange email (spoofing?)
[re: Malwaremike]
 
Virus just seems an excuse to shift blame from them onto us. No way a virus would just steal Yahoo account details and send out the spam over a few days like we're seeing. Too many affected too quickly

Edited by bobble_bob (Mon 04-Mar-13 17:44:59)

Standard User Pipexer
(eat-sleep-adslguide) Mon 04-Mar-13 17:56:58
Re: Strange email (spoofing?)
[re: bobble_bob]
 
Saw an occurrence of this today. Someone's account compromised and all users in address book emailed with virus.

Machine they were using showing NO signs of virus or malware.

Sounds like BT/Yahoo systems have been compromised.

Zen 8000 Pro
Standard User camieabz
(sensei) Mon 04-Mar-13 19:32:49
Re: Strange email (spoofing?)
[re: bobble_bob]
 
A virus with a trigger date might, but it's unlikely to be that. More likely compromised systems with folk in their address book.

~ Camieabz ~

All Connection Data ~ Some plusnet links

mod'er·a'tion n.
Synonyms: temperance, restraint, modesty.
Standard User bobble_bob
(experienced) Mon 04-Mar-13 19:35:53
Re: Strange email (spoofing?)
[re: camieabz]
 
By systems you mean BT/Yahoo? Because my system is clean and loads of other people saying the same, seems to be some security breach at their end
Standard User camieabz
(sensei) Mon 04-Mar-13 19:37:28
Re: Strange email (spoofing?)
[re: bobble_bob]
 
No I mean someone with a PC has been compromised, and their address book contents will be spammed.

~ Camieabz ~

All Connection Data ~ Some plusnet links

mod'er·a'tion n.
Synonyms: temperance, restraint, modesty.
Standard User bobble_bob
(experienced) Mon 04-Mar-13 19:46:58
Re: Strange email (spoofing?)
[re: camieabz]
 
I think this is too big to be users' PCs getting hit. This forum, the BT one linked and another I use have had these spam emails sent to contacts over the last few days. Yahoo you can see where login attempts have been made, and people are seeing their account accessed from all over Europe.

Seems specific to BT/Yahoo service and going on recent high profile security breaches I would guess this is another one

Edited by bobble_bob (Mon 04-Mar-13 19:48:48)

Standard User Malwaremike
(member) Tue 05-Mar-13 13:21:10
Re: Strange email (spoofing?)
[re: bobble_bob]
 
104 posts on the BT customer forum in 48 hours -- yet BT and Yahoo are still silent. However, just tried to log into Yahoo mail and got the following:

We are undertaking some essential, but extensive maintenance to improve Yahoo! Mail. During the maintenance period, some users may experience problems accessing Yahoo! Mail. We sincerely apologize for this inconvenience. Your account is in great shape and we are working to have it available again as quickly as possible.

Maybe Yahoo is waking up at last?
Standard User Pipexer
(eat-sleep-adslguide) Tue 05-Mar-13 17:33:45
Re: Strange email (spoofing?)
[re: Malwaremike]
 
Indeed - they are probably auditing all their accounts and systems for signs of malicious changes of settings, etc, and trying to work out what happened.

Zen 8000 Pro
Standard User zelly
(newbie) Tue 05-Mar-13 22:07:45
Re: Strange email (spoofing?)
[re: bobble_bob]
 
In reply to a post by bobble_bob:
went into my Yahoo account and got a few "delivery failed" messages which were the email addresses copied in that are probably no longer active.

This happened to my account. Someone in Croatia hacked in and used it to send spam.

What (if anything) can I do about it? Would changing the password stop it from happening again?
Standard User Pipexer
(eat-sleep-adslguide) Tue 05-Mar-13 22:20:30
Re: Strange email (spoofing?)
[re: zelly]
 
Yes, it should do, but check ALL your account settings to make sure they have not been compromised.

Zen 8000 Pro
Standard User bobble_bob
(experienced) Tue 05-Mar-13 22:34:43
Re: Strange email (spoofing?)
[re: Pipexer]
 
Nothing of mine had changed, but it does seem everyone who has been compromised had their account accessed from Bulgaria or Turkey using Yahoo Mobile
Standard User zelly
(newbie) Wed 06-Mar-13 12:52:31
Re: Strange email (spoofing?)
[re: bobble_bob]
 
Some people who changed their passwords are saying they're locked out of their accounts. So maybe it's a bad idea to change the password?
Standard User bowdon
(learned) Sun 10-Mar-13 14:51:16
Re: Strange email (spoofing?)
[re: zelly]
 
This happened to 2 of my Yahoo accounts also (I have 3 in total). I've not clicked on any spam link. I scanned my PC with full scan setting with both Avast and Malwarebytes and both came up clean.

In my situation they seemed to spam email and CC me a copy too. As someone else stated they seem to spam a few email addresses. Some are valid friends' emails and some seem to be made-up.

I changed my passwords on both accounts. Nothing since, though unfortunately some of my friends who were on spam list tried to spam me back.

The commonality of all this does suggest that the Yahoo mailing system is the common denominator. I suspect that they were compromised on a big scale and instead of telling people, admitting they were at fault, they have kept their head down since nothing happened immediately. Now it seems it has.

Hope they fix it soon. Change password if you can.

Freeserve -> Pipex -> Be
Standard User Malwaremike
(member) Sun 10-Mar-13 15:22:24
Re: Strange email (spoofing?)
[re: bowdon]
 
Does seem as though Yahoo is the weak link, I've read there was a major breach in New Zealand last month. Here in the UK the BT Community forums have had 250 posts in one week http://community.bt.com/t5/Other-BB-Queries/BT-email...

And BT Yahoo, if you can get them, seem to be saying it's the customer's fault. Their silence is deafening.
Standard User bobble_bob
(experienced) Sun 10-Mar-13 18:49:32
Re: Strange email (spoofing?)
[re: Malwaremike]
 
Yahoo have come out now and admitted some of their accounts were compromised. The guy who works for BT who posts on that forum you linked so said so.

Me and a few others have now started getting silent calls and spam calls from international numbers that started a day or so after being hacked. Funny that!
Standard User bowdon
(learned) Sun 10-Mar-13 20:47:31
Re: Strange email (spoofing?)
[re: bobble_bob]
 
I just followed these instructions http://help.yahoo.com/kb/index?locale=en_US&y=PROD_A... to see the recent Yahoo login activity of the email account and on mine someone from Poland logged in on March 5th. At first via Yahoo! Mobile and then via the browser at 20:12. I logged back in 12 minutes after he did. It's worth a look though. I wish the history went back further though. I'm sure my 2nd email was compromised too but it only goes back to when I logged back in. So I can't see the offending hacker's details.

Freeserve -> Pipex -> Be
Standard User zelly
(newbie) Mon 25-Mar-13 13:14:20
Re: Strange email (spoofing?)
[re: bobble_bob]
 
Anyone who's been hacked, tweet Channel 4 News

https://twitter.com/geoffwhite247

http://www.channel4.com/news/yahoos-email-system-hac...
Standard User bobble_bob
(experienced) Mon 25-Mar-13 19:25:51
Re: Strange email (spoofing?)
[re: zelly]
 
So do we know how they did it?
Standard User blfamily
(eat-sleep-adslguide) Wed 27-Mar-13 21:31:16
Re: Strange email (spoofing?)
[re: bobble_bob]
 
Mine was hacked in Bangladesh - by Yahoo Mobile. 3 weeks ago :(

Steve
final week of O2.
Standard User blfamily
(eat-sleep-adslguide) Wed 27-Mar-13 21:37:02
Re: Strange email (spoofing?)
[re: shinerweb]
 
I only noticed because I had pop forwarding to Outlook, had the dodgy email address bounce, changed password then deleted account.

Steve
final week of O2.
Standard User wingco1
(legend) Fri 29-Mar-13 22:42:06
Re: Strange email (spoofing?)
[re: blfamily]
 
Is it possible to cancel/delete a yahoo.co.uk email account?
Standard User cheshire_man
(knowledge is power) Fri 29-Mar-13 22:54:57
Re: Strange email (spoofing?)
[re: wingco1]
 
Any help?

Tony
We have more and more laws, and less and less enforcement
Standard User wingco1
(legend) Fri 29-Mar-13 23:26:17
Re: Strange email (spoofing?)
[re: cheshire_man]
 
Thanks very much :)
Standard User reserved
(fountain of knowledge) Thu 06-Jun-13 08:45:35
Re: Strange email (spoofing?)
[re: bobble_bob]
 
Sorry to resurrect an old thread but this has just happened to my Yahoo email account, exactly the same as bobble_bob describes.

Dennis
plusnet Unlimited & talkanytime
Standard User clyde123
(learned) Thu 06-Jun-13 12:53:13
Re: Strange email (spoofing?)
[re: reserved]
 
This has never stopped. Never even really died down. These messages from yahoo accounts have continued ever since it was first reported. Then the same has more recently been happening with BT email accounts.
News the other day that BT is separating itself away from using Yahoo. I'm assuming this email spam situation is at least part of the reason.
FWIW, it seems that the problem lies on the yahoo / BT email servers, and that the spam is not directly coming from individuals' PCs.
Standard User trolleybus
(member) Fri 07-Jun-13 18:56:46
Re: Strange email (spoofing?)
[re: clyde123]
 
In reply to a post by clyde123:
This has never stopped. Never even really died down. These messages from yahoo accounts have continued ever since it was first reported. Then the same has more recently been happening with BT email accounts.
News the other day that BT is separating itself away from using Yahoo. I'm assuming this email spam situation is at least part of the reason.
FWIW, it seems that the problem lies on the yahoo / BT email servers, and that the spam is not directly coming from individuals' PCs.


OK then, what is the perceived wisdom on the course of action that should be taken when you discover you are a victim?
Standard User caffn8me
(knowledge is power) Sat 08-Jun-13 13:00:34
Re: Strange email (spoofing?)
[re: trolleybus]
 
If the compromise is due to the theft of passwords - http://edition.cnn.com/2012/07/12/tech/web/yahoo-use... - you should change your password to something else and you should be OK until Yahoo gets hacked again.

It seems Yahoo hasn't really sorted itself out yet though. Up to 22 million Yahoo Japan passwords were hacked last month; http://www.wired.co.uk/news/archive/2013-05/20/yahoo...

As well as changing password and doing a virus/malware scan on your PC you could also change email providers to one with a better record on password security.

Good luck!

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(knowledge is power) Sat 08-Jun-13 13:14:49
Re: Strange email (spoofing?)
[re: caffn8me]
 
One thing worth mentioning is that sometimes an email which purports to come from a particular account hasn't. If a friend of the account holder gets their email account and address book hacked, the emails sent out by the hacker may be sent with the identity of anyone in the address book.

They usually spam others in the same address book on the basis that two people whose email addresses are in the same address book are more likely to know each other and therefore view emails with less suspicion.

I used to get emails apparently from my own email account but that was impossible. Looking at the full email headers showed that the emails didn't come from any of my mail servers but it was just my address which was being used by a third party sent via a hacked PC.

I've now put a stop to these sort of emails by specifying which email servers may send email from my domain (SPF record for the curious). Anything sent from an unauthorized server is rejected. Some email providers also use SPF to filter out incoming messages dropping those which come from places they shouldn't.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
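
Added example, not part of caffn8me's post or of the thread: the header inspection and SPF check described in the post above, run offline in Python. The domain example.org, the SPF record, the host names and both messages are constructed, and only the ip4/ip6/all mechanisms are evaluated because the others need DNS.

```python
import ipaddress
import re
from email import message_from_string

# Constructed SPF TXT record for the placeholder domain example.org.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8:25::/48 -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed message relayed by a host outside the record. Its lower
# Received line was supplied by the sender and claims an authorised IP.
SPOOFED = """\
Received: from dsl-host.example (unknown [203.0.113.77])
\tby mx.recipient.example with ESMTP; Sun, 3 Mar 2013 11:20:01 +0000
Received: from mail.example.org ([192.0.2.5]) by dsl-host.example; Sun, 3 Mar 2013 11:19:58 +0000
Return-Path: <me@example.org>
From: me@example.org

constructed body
"""
# Constructed message that did leave an authorised server.
GENUINE = """\
Received: from mail.example.org (mail.example.org [192.0.2.5])
\tby mx.recipient.example with ESMTP; Sun, 3 Mar 2013 11:25:40 +0000
Return-Path: <me@example.org>
From: me@example.org

constructed body
"""


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record (RFC 7208)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError("needs DNS, not handled offline: " + term)
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when nothing matches


def connecting_ip(raw_message, trusted_mx):
    """IP that connected to our own MX; lower hops are sender-controlled."""
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        sender, sep, receiver = " ".join(hop.split()).partition(" by ")
        if sep and receiver.split()[0].rstrip(";").lower() == trusted_mx:
            match = re.search(r"\[([0-9A-Fa-f:.]+)\]", sender)
            if match:
                return match.group(1)
    return None


def check_message(raw_message, trusted_mx, record=SPF_RECORD):
    # Real SPF looks the record up for the envelope sender (Return-Path)
    # domain; here the record is passed in so the example runs offline.
    ip = connecting_ip(raw_message, trusted_mx)
    return ip, (evaluate_spf(record, ip) if ip else "none")
```

Both sample messages carry the same From address; only the hop recorded by the receiving server tells them apart, and the forged lower Received line in the first one is ignored.
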
Standard User bobble_bob
(experienced) Sat 08-Jun-13 22:51:29
Re: Strange email (spoofing?)
[re: caffn8me]
 
The latest thinking going on the BT thread about this issue, is that Yahoo aren't actually getting hacked every single time, and instead it's some unknown security flaw in Yahoo's servers that means they can get access to your account even without knowing the password.

If that's the case, then nothing the end user can do
Standard User caffn8me
(knowledge is power) Sun 09-Jun-13 10:05:24
Re: Strange email (spoofing?)
[re: bobble_bob]
 
In reply to a post by bobble_bob:
If that's the case, then nothing the end user can do
except change provider.

I did get to the stage a while back of nearly blocking all incoming email from Yahoo as it was almost all spam and, worse still, it's near impossible to report spam abuse to Yahoo. Reports sent to abuse@yahoo.com and abuse@yahoo.co.uk fail (a breach of RFC 2142).

I raised the issue with Yahoo UK, got an acknowledgement and then nothing. Yahoo doesn't take abuse originating from its servers seriously.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User cheshire_man
(knowledge is power) Sun 09-Jun-13 12:30:48
Re: Strange email (spoofing?)
[re: caffn8me]
 
In reply to a post by caffn8me:
Yahoo doesn't take abuse originating from its servers seriously.
Perhaps rename it Ya-Boo ;)

Tony
We have more and more laws, and less and less enforcement
Standard User bobble_bob
(experienced) Sun 09-Jun-13 22:12:52
Re: Strange email (spoofing?)
[re: caffn8me]
 
Before I disabled my account due to all this, I had the Yahoo spam filter block a message and send it to junk mail folder. The sender? Yahoo customer services :D Was genuine as well