Tuesday, January 8, 2013
Yesterday, news came out about a Yahoo! Mail vulnerability that supposedly compromised a large set of their users' accounts. The exploit's approach was typical of email-borne attacks: the potential victim gets a suspicious email in their mailbox with a URL in it, which, if clicked on, directs the user to a Web page operated by the hacker. In this case, the hacker's page then stealthily captures data from the user's active Yahoo! Mail session and uses it to start a session of their own, using the victim's account to send emails with malicious links to the contacts in the account's address book.
Here is the YouTube video demonstrating the attack. It was posted by the hacker who reportedly discovered the vulnerability.
Late last night, Yahoo! indicated that they have fixed the vulnerability that made this attack possible. Users who think they may have been affected are encouraged to update to a stronger password as soon as they can.
There was also concern yesterday that, because of the ongoing exploit, delivery of messages into the Yahoo! Mail system may have been hampered as their team tried to address the vulnerability and prevent more users from getting the malicious emails. We did not see any particular slowdown here at ExactTarget when sending to Yahoo! yesterday, nor did we hear any such reports from our friends in the industry, so it appears that the inflow of messages to Yahoo! was not impacted.
In any case, such attacks on webmail providers and their users aren't new. As anti-spam filters get better and better at detecting unsolicited emails from unwanted sources, black-hat hackers and spammers are always trying new ways to leverage the trust inherent in the social connections stored in our email accounts.
The lesson here, of course, is to not blindly trust any links you receive in emails. Only click on links if you are familiar with the sender and if there is enough context in the message that makes it relevant to you.
UPDATE 01:00 PM EST 01-09-2013: In a follow-up post, The Next Web wrote that, even after Yahoo! indicated that the vulnerability was plugged, compromising a Yahoo! Mail account was still possible with just a slight modification to the original attack.
Learn more about how ExactTarget can help you hit the inbox by visiting our Deliverability Services page.