Strange email (spoofing?)

Got a few different email accounts, and just got an email sent to my Hotmail account from my Yahoo Account. Subject was just my name, and had some dodgy link which i didnt click. I looked and a few other addresses were copied into the message (from what i can see, websites ive used to buy things from using that email address).

Anyway went into my Yahoo account and got a few "delivery failed" messages which were the email addresses copied in that are probably no longer active. No sign that my Yahoo account has been hacked and PC scan is clean.

Few weird things tho - Dunno how they got my password. Its unique to just that email address and isnt used for anything else, PC is clean and plus i hardly type it in as its auto log in. Email wasnt sent to all contacts but only a few (plus a fake email address ive never heard of). Normally they just mass email the whole contact list. Nothing in sent or deleted items (i know these can be deleted tho)

So is it just someone spoofing my email address or what?

To add, 2 other people on another forum had this happen to them within the last 24 hours. Something going on with Yahoo Mail?

I'd concur that something strange is definitely going on with Yahoo.

I've now received a whole series of Spamvertised links within emails from Yahoo users, but strangely, I've also recevied them from multiple BT Internet users...
BT Internet uses the Yahoo email system.

Some of the BT Users are people I know wouldn't fall for phishing.

I've had 100's of these emails hit my servers over the past 3 days when it first started from over 50 different yahoo accounts.

I've got a Yahoo account myself, and have had a quick look but nothing there so far.
In a previous security breach, the hackers would login to your Yahoo account, send the email and you could see it in your "Sent" folder.
A later version of the hack would delete the message from your "Sent" folder to try and hide it, but you could then find it in your "Trash" folder.

If you have a Yahoo account, it is worth changing the password to a strong/secure password, and keeping an eye on the Sent/Spam folder.

If you start seeing emails in your inbox from "mailer-daemon" or a bunch of returned/blocked emails, it's a good bet your own account has been compromised...

I get the feeling we are going to be reading about this in the news later this week...

Evernote had to do a mass reset of 50Million user account passwords yesterday when they detected a security break into their servers...
It seems the bad guys are having a push on hacking accounts at the moment..

The bulk of the emails I've received on my servers are originating from Romania/India with a few spread elsewhere. It appears that they are being sent out by a rather large botnet.

I am not 100% convinced that these accounts have been compromised by brute force dictionary attacks/phishing... I definitely smell a security hack at Yahoo...

Chris

Seems to be too many over a short period of time to be random brute force attacks.Ive now changed my password and deactivated my account, dont use it that much anyway

Edited by bobble_bob (Sun 03-Mar-13 13:38:26)

I did a bit more research, it appears to be linked to a known XSS vulnerability that Yahoo alllegedly fixed a month ago... Perhaps not.
It relies on Yahoo (and therefore BT) users clicking on that link in the email.

See http://tnw.co/ZYZGnK (That's a http://thenextweb.com/ article btw !!)

I'm still not convinced it's a bit more sinister.. Another contact of mine has just been hacked and he swears blind he hasn't even opened his Yahoo/BT email in months and he definitely hasn't clicked on any links (And he uses Firefox and NoScript so the above exploit would not have worked in his case).

I just deleted all of my contacts from my Yahoo account and added a couple of honey traps to see if they pick up anything...

Chris

Yea i use Firefox/Noscripts and i only use my Yahoo mail account when ordering stuff from certain online stores, or signing up to forums so i wouldnt click a link randomly

The link in the email i was sent was for a website called "linkramps"

Doesnt seem a dodgy virus infested site going on a quick Google Search

Edited by bobble_bob (Sun 03-Mar-13 14:18:14)

I have connections with a charitable group and have received a couple of emails CC'd to many other members of the group. These are similar to the above and contain nothing but a link which led in one case to a magazine, in the other to a company site, both in the US and both apparently genuine. My mail is with BT/yahoo.

One of the emails resolves to Hanoi, Vietnam, the second to Indonesia, the third to India. Probably all spoofed. So what's going on here? If we click on the links does this simply confirm our addresses to the senders for spam or malware? I've done a full scan but Kaspersky sees nothing amiss.

EDITED TO ADD: This is hitting the BT forums http://community.bt.com/t5/Other-BB-Queries/BT-email...
Looks as if BT Yahoo may have been hit

Edited by Malwaremike (Sun 03-Mar-13 17:09:45)

Yes, a customer had exactly the same thing - messages sent out at 0140 on Saturday morning. He swears PC was switched of, etc etc.
And Yes - it's a YAHOO email account.

Strange. My Dad got an email from a Vicar he had contacted asking for money as she was stuck in the Philipinnes. It was a Yahoo email but hers was a blueyonder address. This was last week seems Yahoo is the scammers choice. He tried to phone her to warn her but just had to leave a message on her answer machine.

There was a security breach last year with 450,000 usernames/passwords stolen and posted online. Wonder if whoever now has them just decided to see which are still active?

Nice of Yahoo to tell people about the breach last year. First i heard of it was yesterday after Googling!

Edited by bobble_bob (Mon 04-Mar-13 16:49:15)

This appears to be a major incident but Yahoo/BT are keeping quiet about it, even removing reference to 'virus' from their status page. The BT forum now has eight pages of complaint since lunchtime yday
http://community.bt.com/t5/Other-BB-Queries/BT-email...

virus just seems an excuse to shift blame from them onto us. No way a virus would just steal Yahoo account details and sent out the spam over a few days like we're seeing. Too many effected too quickly

Edited by bobble_bob (Mon 04-Mar-13 17:44:59)

Saw an occurrence of this today. Someone's account compromised and all users in address book emailed with virus.

Machine they were using showing NO signs of virus or malware.

Sounds like BT/Yahoo systems have been compromised.

A virus with a trigger date might, but it's unlikely to be that. More likely compromised systems with folk in their address book.

By systems you mean BT/Yahoo? Because my system is clean and loads of other people saying the same, seems to be some security breach at their end

No I mean someone with a PC has been compromised, and their address book contents will be spammed.

I think this is too big to be users PCs getting hit. This forum, the BT one linked and another i use have had these spam emails sent to contacts over the last few days. Yahoo you can see where login attempts have been made, and people are seeing their account accessed from all over Europe.

Seems specific to BT/Yahoo service and going on recent high profile security breaches i would guess this is another one

Edited by bobble_bob (Mon 04-Mar-13 19:48:48)

104 posts on the BT customer forum in 48 hours -- yet BT and Yahoo are still silent. However, just tried to log into Yahoo mail and got the following:

We are undertaking some essential, but extensive maintenance to improve Yahoo! Mail. During the maintenance period, some users may experience problems accessing Yahoo! Mail. We sincerely apologize for this inconvenience. Your account is in great shape and we are working to have it available again as quickly as possible.

Maybe yahoo is waking up at last?

Indeed - they are probably auditing all their accounts and systems for signs of malicious changes of settings, etc, and try and work out what happened.

In reply to a post by bobble_bob:

went into my Yahoo account and got a few "delivery failed" messages which were the email addresses copied in that are probably no longer active.

This happened to my account. Someone in Croatia hacked in and used it to send spam.

What (if anything) can I do about it? Would changing the password stop it from happening again?

Yes, it should do, but check ALL your account settings to make sure they have not been compromised.

Nothing of mine had changed, but it does seem everyone who has been compromised had their account accessed from Bulgaria or Turkey using Yahoo Mobile

Some people who changed their passwords are saying they're locked out of their accounts. So maybe it's a bad idea to change the password?

This happened to 2 of my yahoo accounts also (i have 3 in total). I've not clicked on any spam link. I scanned my pc will full scan setting with both Avast and malwarebytes and both came up clean.

In my situation they seemed to spam email and CC me a copy too. As someone else stated they seem to spam a few email addresses. Some are valid friends emails and some seem to be made-up.

I changed my passwords on both accounts. Nothing since, though unfortunately some of my friends who were on spam list, tried to spam me back.

The commonality of all this does suggest that the yahoo mailing system is the common de-nominator. I suspect that they were compromised on a big scale and instead of telling people, admitting they were at fault, they have kept their head down since nothing happened immediately. Now it seems it as.

Hope they fix it soon. Change password if you can.

Does seem as though Yahoo is the weak link, I've read there was a major breach in New Zealand last month. Here in the UK the BT Community forums have had 250 posts in one week http://community.bt.com/t5/Other-BB-Queries/BT-email...

And BT Yahoo, if you can get them seem to be saying it's the customer's fault. Their silence is deafening.

Yahoo have come out now and admitted some of their accounts were compromised. The guy who works for BT who posts on that forum you linked so said so.

Me and a few others have now started getting silent calls and spam calls from international numbers that started a day or so after being hacked. Funny that!

I just followed these instructions http://help.yahoo.com/kb/index?locale=en_US&y=PROD_A... to see the recent yahoo login activity of the email account and on mine someone from poland logged in on march 5th. At first via Yahoo! Mobile and then via the browser at 20:12. I logged back in 12 minutes after he did. It's worth a look though. I wish the history went back further though. I'm sure my 2nd email was compromised too but it only goes back to when I logged back in. So I cant see the offending hackers details.

Anyone who's been hacked, tweet Channel 4 News

https://twitter.com/geoffwhite247

http://www.channel4.com/news/yahoos-email-system-hac...

So do we know how they did it?

Mine was hacked in Bangladesh - by Yahoo Mobile.3 weeks ago

I only noticed because I had pop forwarding to Outlook, had the dodgy email address bounce, changed password then deleted account.

Is it possible to cancel/delete a yahoo.co.uk email account?

Any help?

Thanks very much