Researchers at Australia-based BitDefender say they have worked out how some Yahoo Mail accounts are being hijacked, and the trail leads back to “buggy” blog software used by Yahoo’s developers.
For about a month Yahoo Mail account holders have been falling for a scam in which they click on a short link that appears to lead to an MSN/NBC News site. It actually points to the domain com-im9.net, which is registered in Ukraine and hosted at a data center in Cyprus. A page on the bogus site includes a piece of malicious JavaScript masquerading as a Lightbox library, according to a news release issued today. The code accesses the user’s contacts and sends spam under his or her name.
The attack also relies on retrieving session cookies via a subdomain, which attackers were able to access by exploiting a 9-month-old Cross-Site Scripting flaw (CVE-2012-3414) in the WordPress blog software used by Yahoo developers. That vulnerability was fixed when WordPress version 3.3.2 was released in April 2012.
“Since it is located on a sub-domain of the yahoo.com website, all the attackers need to do is trigger the bug and pass a command that steals the cookie, and then send it ‘home,’” according to the release. “At this point, miscreants have full access to the victim’s contact list until the current session expires or the user logs out. Crooks will either spam the contacts in the stolen lists (which may include friends, family, business contacts, and professors) or use these contacts to send spam e-mails and/or malware in the name of the crook.”
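The release’s point is that a session cookie scoped to the parent domain is readable by script running on any subdomain, so an XSS on a blog subdomain is enough to steal it. The following added example (not code from the article, Yahoo, BitDefender or WordPress) audits `Set-Cookie` headers for exactly the conditions that make this possible: a session cookie without `HttpOnly`, without `Secure`, or with a `Domain` attribute wider than the host that set it. The header lines, the host name and the list of session cookie names are constructed assumptions for illustration.

```python
"""Audit Set-Cookie headers for session cookies a subdomain XSS could read.

Added example, not code from the article or any project it mentions.
All header lines, host names and cookie names below are constructed.
"""

# Assumption: names your application uses for its session cookie.
SESSION_NAMES = {"sid", "sessionid", "phpsessid", "jsessionid"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to an empty string so presence can be checked with `in`.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header, site_host):
    """Return (cookie_name, findings) for a Set-Cookie header sent by site_host.

    Only cookies in SESSION_NAMES are examined; others get an empty list.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name.lower() not in SESSION_NAMES:
        return name, findings

    if "httponly" not in attrs:
        findings.append(
            "missing HttpOnly: document.cookie exposes it to any injected script"
        )
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP as well as HTTPS")

    # No Domain attribute means host-only: the cookie goes back only to
    # site_host. A Domain of a parent (e.g. .example.com) makes every
    # subdomain a place from which the cookie can be read.
    domain = attrs.get("domain", "").lstrip(".")
    if domain and domain != site_host:
        findings.append(
            f"Domain={attrs['domain']}: shared with every subdomain of {domain}, "
            f"so an XSS on any of them can reach this cookie"
        )
    return name, findings


def audit_all(headers, site_host):
    """Audit a list of Set-Cookie headers; returns {cookie_name: findings}."""
    return dict(audit_cookie(h, site_host) for h in headers)


# Constructed sample headers, as a mail front end at mail.example.com might send.
SAMPLE_HEADERS = [
    # Weak: parent-domain scope and no flags, the shape the article describes.
    "sid=4c1f0d9e; Domain=.example.com; Path=/",
    # Hardened: host-only scope, HttpOnly and Secure.
    "sid=4c1f0d9e; Domain=mail.example.com; Path=/; Secure; HttpOnly",
    # Not a session cookie; ignored by the audit.
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie, problems = audit_cookie(header, "mail.example.com")
        status = "OK" if not problems else "; ".join(problems)
        print(f"{cookie}: {status}")
```

`HttpOnly` blocks the `document.cookie` read that the release describes; it does not stop script on the same origin from using the session through requests, so narrowing the `Domain` scope (or dropping the attribute for a host-only cookie) is the change that actually keeps a blog subdomain out of the mail session.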
The company advises users to take the usual precautions: sign out when you’re done reading or writing e-mails, only click trustworthy links and keep up with antivirus updates and patches.