Why Yahoo Mail Accounts Are Being Hijacked

A screen grab of an email from a hijacked Yahoo account, with a link to a malicious page meant to take over the recipient's account as well.

A known flaw left unpatched for months on one of Yahoo's websites may be the reason you've been getting an unusual amount of spam from friends' accounts lately.

The complicated, crafty process takes several steps, but works almost instantly. It ends up with bad guys in Eastern Europe nabbing Yahoo Mail accounts.

As detailed by Romanian security firm Bitdefender, it begins when a computer user gets an email or tweet with a link, sometimes shortened, to what seems to be a story on MSNBC.com or NBCNews.com offering job-hunting tips. (TechNewsDaily has professional relationships with MSNBC.com and NBCNews.com.)

Merely loading the phony page is enough: hidden JavaScript on it runs silently in the user's browser and, in turn, loads a page on Yahoo's own site that was built for software developers.

That developers' page runs on WordPress and contains a software flaw that lets the attackers' script run as though it were part of Yahoo's site. From that position the script can check whether the browser is currently logged into a Yahoo account.

If so, the malicious script reads the Yahoo session "cookies" from the browser and hands them off to the miscreants. Because the session cookie is what tells Yahoo's servers that a user has already logged in, whoever holds it can use the account without knowing the password, and the miscreants use it to pump out spam.

(The bad guys don't appear to be changing user passwords. But if your account gets hijacked, change your password immediately and then log off.)

The spam includes email messages meant to snare the passwords of even more Yahoo Mail users, starting the entire cycle again.

In a statement yesterday (Jan. 31), Yahoo said it had "learned of a vulnerability from an external security firm" and fixed the flaw.

One, two, three, four

Let's check off the common deceptions combined in this attack:

— A shortened URL, which can fool many people into going someplace they shouldn't. Unfortunately, shortened URLs are unavoidable these days, but one should be especially wary when they come embedded in an unsolicited email.

— A webpage which mimics the look of a commonly visited site and even tries to mimic the real URL. In the case cited by Bitdefender, the site's URL was www.msnbc.msn.com-im9.net. The familiar-looking msnbc.msn.com is only a subdomain label; the part that says who actually owns the site is the domain at the end, com-im9.net.

Bitdefender found that the com-im9.net domain name was registered in Ukraine last Sunday (Jan. 27) and is hosted in Cyprus. Bad sign.

Emails received by this reporter included unshortened links to a similar domain name.

— Hidden webpage code that runs without the user clicking anything. Here it is used to trigger the cookie theft; the same technique delivers drive-by malware downloads elsewhere. Such code is found on plenty of "real" webpages as well, and is especially a problem with third-party ads that site administrators have little control over.

— A flaw in WordPress, the frequently attacked blogging platform. The open-source project behind WordPress constantly updates it to stay ahead of attackers, but many WordPress users don't bother to apply updates.

[How Hackers Hijack WordPress Blogs — and How to Stop Them]

Who's to blame?

Ultimately, this is Yahoo's fault. The company should have kept up with the latest WordPress updates, especially when using WordPress to host a site aimed at software developers.

The specific vulnerability that let these latest account hijacks happen was patched by WordPress in April 2012, nearly nine months ago.

Yahoo's had a rough patch lately in terms of user security. In June, 450,000 unencrypted usernames and passwords were stolen from a Yahoo subdomain.

In November, a cookie-stealing exploit for Yahoo, apparently unrelated to this latest one, appeared in hacker forums. It was still in action in early January.

The company recently gave users the option to enable full-time HTTPS, or secure communications, with the Yahoo site. In December 2011, it offered two-step verification, which texts a code to the user's mobile phone when a login attempt is made from an unfamiliar computer.

Unfortunately, neither of those features prevents cookie theft. HTTPS protects the cookie while it travels across the network, and two-step verification protects the login itself, but a stolen session cookie is used after the login is already complete, so both are bypassed. And once a user is logged into Yahoo, the session cookie is valid for all Yahoo sites, which means a script running on any Yahoo page can read it. (Google works the same way.)

The closest thing a user has to a defence against cookie theft is to always log out of Yahoo Mail (and any other online account) when you're done using it. That ends your session on Yahoo's servers, not just in your browser, and renders the stolen session cookies useless. The real fix belongs to the site: patch the flaw, and mark session cookies so that page script cannot read them in the first place.
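To make the cookie-scoping point concrete, here is an added example (not code from the article, from Bitdefender or from Yahoo) that models which cookies page script can read via document.cookie, using the domain-matching rule browsers follow (RFC 6265) together with the HttpOnly and Secure flags. The host names, cookie names and values are constructed for illustration; example.com stands in for Yahoo's domain.

```javascript
// Added example, not from the article: model of which cookies page script can read
// via document.cookie. It implements the domain-matching rule browsers use (RFC 6265)
// plus the HttpOnly and Secure flags. All hosts, cookie names and values are constructed.

// A cookie set with a Domain attribute is sent to that host and every subdomain of it;
// a host-only cookie (no Domain attribute) is sent to exactly one host.
function cookieMatchesHost(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Cookies visible to script running on `host`; `https` is true when the page was
// loaded over HTTPS (Secure cookies are hidden on plain-http pages).
function scriptVisibleCookies(host, https, jar) {
  return jar
    .filter(c => cookieMatchesHost(c, host))
    .filter(c => !c.httpOnly)          // HttpOnly cookies never reach document.cookie
    .filter(c => https || !c.secure)
    .map(c => c.name + '=' + c.value);
}

// Constructed jar for a site that, like Yahoo, sets its login session cookie for the
// whole domain so that every subdomain shares the login. SESSION_HO is the same kind
// of cookie with the HttpOnly flag set.
const JAR = [
  { name: 'SESSION',    value: 'abc123', domain: 'example.com',           hostOnly: false, httpOnly: false, secure: true },
  { name: 'SESSION_HO', value: 'def456', domain: 'example.com',           hostOnly: false, httpOnly: true,  secure: true },
  { name: 'BLOGPREF',   value: 'dark',   domain: 'developer.example.com', hostOnly: true,  httpOnly: false, secure: false },
];

// Script injected into the developer blog sees the domain-wide session cookie ...
console.log(scriptVisibleCookies('developer.example.com', true, JAR));
// ... and so does script on the mail site, but neither can read the HttpOnly copy.
console.log(scriptVisibleCookies('mail.example.com', true, JAR));
// The attacker's own lookalike site is a different domain and sees nothing,
// which is why the attack needed a flaw on a real example.com host.
console.log(scriptVisibleCookies('www.example.com-im9.net', true, JAR));
```

The third call is the whole reason the attackers went looking for a flaw on a Yahoo-owned page: from their own domain, the browser's same-origin rules give them nothing. The second cookie shows the server-side control that would have blunted the attack even with the flaw present.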

Users should also routinely check the URL in the browser's address bar to make sure the site is what it's supposed to be, paying attention to the domain at the end of the host name rather than the familiar words at the start. If you land on a fake one, you'll be lucky if all it does is advertise a weight-loss cream.
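The check described above can be automated. The following is an added example, not code from the article or from any of the companies it mentions: it parses a link with Node's built-in URL class, extracts the registrable domain and compares it with the domain the page claims to belong to, using the lookalike host name Bitdefender reported. The brand-to-domain table, the paths and the "not a url" input are constructed for illustration, and the registrable-domain rule is a deliberate simplification (last two labels) that handles .com and .net lookalikes but not suffixes such as co.uk, which need a Public Suffix List.

```javascript
// Added example, not from the article: flag links whose host merely embeds a familiar
// domain as a subdomain label. Uses Node's global URL class; table and inputs are constructed.

// Naive registrable domain: the last two labels. Enough for .com/.net lookalikes like the
// one in the article; for suffixes such as co.uk use a real Public Suffix List instead.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Constructed table: the domain each brand's real site lives on.
const EXPECTED = { msnbc: 'msn.com', nbcnews: 'nbcnews.com', yahoo: 'yahoo.com' };

// Classify a link that claims to belong to `brand`.
// Returns { ok, host, registrable, reason }.
function checkLink(link, brand) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return { ok: false, host: null, registrable: null, reason: 'unparseable URL' };
  }
  const host = url.hostname;
  const reg = registrableDomain(host);
  const expected = EXPECTED[brand];
  if (reg === expected) {
    return { ok: true, host, registrable: reg, reason: 'registrable domain matches' };
  }
  // The lookalike trick: the real domain appears inside the host name, but the part
  // that decides who owns the site is the registrable domain at the end.
  const reason = host.includes(expected)
    ? 'real domain embedded as subdomain of ' + reg
    : 'unexpected domain ' + reg;
  return { ok: false, host, registrable: reg, reason };
}

// Constructed inputs: the host Bitdefender reported, with a made-up path, beside a real one.
console.log(checkLink('http://www.msnbc.msn.com-im9.net/jobs/tips', 'msnbc'));
console.log(checkLink('https://www.msnbc.msn.com/id/123', 'msnbc'));
```

A shortened URL defeats this check until it is expanded, which is the other half of the advice above: expand the link, or hover over it, and run the check on the final destination.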

This story was provided by TechNewsDaily, sister site to LiveScience.

Copyright 2013 LiveScience, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.