Yahoo Blog Hijacked, Bitdefender Says
An email-based attack has been hijacking Yahoo accounts, security software company Bitdefender Labs has reported.
The security firm warned that a spam wave that has been circulating for roughly a month has been stealing Yahoo login credentials by exploiting an old vulnerability in a component of the Yahoo Developers blog.
The spam message features a bit.ly shortened URL that takes the user to a web page impersonating the popular MSNBC page, but which turns out to be located on a series of subdomains on hxxp://com-im9.net.
Whois information for the domain reveals it was bought in Ukraine and hosted in a data center in Nicosia, Cyprus, Bitdefender says.
Once the user lands on the alleged MSNBC page, a piece of JavaScript code inside tries to exploit a known vulnerability (CVE-2012-3414) in the SWF Uploader component on the Yahoo Developers Blog, which is powered by WordPress.
Since the exploitable component is located on a sub-domain of the target website, the same-origin policy does not prevent the exploit code access to cookies, which are subsequently sent to the attacker. Once they have the log-in cookie, they can authenticate into the victim's account and send spam or harvest contacts' e-mail addresses for other spam campaigns.
Bitdefender's experts believe this is the account recruitment stage of the operation and we expect the next wave of messages to feature links to malware.
Bitdefender said it had notified Yahoo about the incident and had provided the proof-of-concept documentation.
The spam message features a bit.ly shortened URL that takes the user to a web page impersonating the popular MSNBC page, but which turns out to be located on a series of subdomains on hxxp://com-im9.net.
Whois information for the domain reveals it was bought in Ukraine and hosted in a data center in Nicosia, Cyprus, Bitdefender says.
Once the user lands on the alleged MSNBC page, a piece of JavaScript code inside tries to exploit a known vulnerability (CVE-2012-3414) in the SWF Uploader component on the Yahoo Developers Blog, which is powered by WordPress.
Since the exploitable component is located on a sub-domain of the target website, the same-origin policy does not prevent the exploit code access to cookies, which are subsequently sent to the attacker. Once they have the log-in cookie, they can authenticate into the victim's account and send spam or harvest contacts' e-mail addresses for other spam campaigns.
Bitdefender's experts believe this is the account recruitment stage of the operation and we expect the next wave of messages to feature links to malware.
Bitdefender said it had notified Yahoo about the incident and had provided the proof-of-concept documentation.