Hello my friends!
Some of you have recieved e-mail from me (Aleh Hladzilin), but it's not from me. Please don't open link, it is a virus (I think).
Thanks.

I already told this to Aleh via PM, but I figured maybe other Yahoo! Mail users should be warned.

Read this if you are using Yahoo! Mail.

If you have a suspicion that someone is accessing your Yahoo! Mail account, you could "View your recent sign-in activity" to verify by country or by IP (more info below). Then change your password immediately.

So, it turns out that it wasn't malware that is going around stealing Yahoo! passwords (e.g., computer virus, keylogger, spyware or any other malicious program that logs all the pressed keys to get a victim's password). These hackers are using a simple (and legal) mobile application that access Yahoo! Mail called "Yahoo! Mobile". Normally, you need the account's password, but apparently there is a bug in that application that gives them access without the password and once in, the application might even give them the actual password (or maybe they modified the app). Then, they send spam to your contacts (and/or anybody on your "Sent" folder).

The main problem is that "Yahoo! Mobile" is active by default for old Yahoo! accounts, which means that this application is authorized to access your account without your permission.

The good news is that this can be fixed to avoid hacks in the future. Here's how to remove "Yahoo! Mobile" from the authorized Apps in your Yahoo! account:
1.- Sign in to Yahoo! making sure it is really mail(dot)yahoo(dot)com and not a phishing website
2.- Hover on "Hi, Your Name" on the top-right corner to get to "Account Info" (this will open a new window/tab and Yahoo! will ask you to verify your password)
3.- In the "Account Information page", select "Manage Apps and Website Connections" (by the way, later you can come back here and select "View your recent sign-in activity", if you are curious).
4.- In the "Manage App and Website Connections" page, click on "Remove" next to "Yahoo! Mobile"
5.- Click on "Back to Account Info" and then "Mail" on the top (or close the new window/tab) to get back to the main Yahoo! Mail page.

By the way, apparently Yahoo! is aware of this because new accounts have that option inactive by default (it says "Currently you have no app or website connections").

Peace,

Skarabajo.

I received this email and clicked on the link since I know and trust Aleh. As stated it was spam so does that mean I am safe? It wasn't a Yahoo account btw. Naturally I will do a virus scan though AVG seems quite poor these days.

Tony, when I first got one of these spam emails (not from Aleh, it was another Yahoo! Mail user), I opened the link in a safe environment (using a computer that has DeepFreeze) and it turned out to be a broken link, so nothing happened. Please keep us posted about the outcome of this spam link. I am curious about it.

Skarabajo.

You're probably safe Tony. The decay in quality of AV is not just in your imagination and AVG isn't unique in this regard. All AV is struggling.

Yahoo has had numerous account hijack issues for several years now. This is just the latest round of them.

Perhaps somebody could post the full email with headers?

I had to remove the actual email addresses.



Delivered-To: XXXXXXX@gmail.com
Received: by 10.58.211.194 with SMTP id ne2csp139230vec;
Tue, 26 Feb 2013 10:17:21 -0800 (PST)
X-Received: by 10.60.28.228 with SMTP id e4mr2426625oeh.111.1361902641623;
Tue, 26 Feb 2013 10:17:21 -0800 (PST)
Return-Path: <XXXXXXX@yahoo.com>
Received: from nm16-vm3.bullet.mail.ne1.yahoo.com (nm16-vm3.bullet.mail.ne1.yahoo.com. [98.138.91.146])
by mx.google.com with ESMTPS id h4si2176096obn.80.2013.02.26.10.17.21
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Tue, 26 Feb 2013 10:17:21 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of XXXXXXX@yahoo.com designates 98.138.91.146 as permitted sender) client-ip=98.138.91.146;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of XXXXXXX@yahoo.com designates 98.138.91.146 as permitted sender) smtp.mail=XXXXXXX@yahoo.com;
dkim=pass header.i=@yahoo.com
Received: from [98.138.226.178] by nm16.bullet.mail.ne1.yahoo.com with NNFMP; 26 Feb 2013 18:17:20 -0000
Received: from [98.138.89.195] by tm13.bullet.mail.ne1.yahoo.com with NNFMP; 26 Feb 2013 18:17:20 -0000
Received: from [127.0.0.1] by omp1053.mail.ne1.yahoo.com with NNFMP; 26 Feb 2013 18:17:20 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 746233.93795.bm@omp1053.mail.ne1.yahoo.com
Received: (qmail 83929 invoked by uid 60001); 26 Feb 2013 18:17:20 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1361902640; bh=Ht8ufjam3z+X8LIaCYfVEqyqe8DKiURkOZOKe+0YkaY=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=K37dcDUJvVT8NB6nOQXpAmPXUKgC1PROamDjLWkOQ4u0RcdEPsstmS7odweAKzIFI5WKRXlt9LMUlQzMdNZq118el7EkBkrijUhO8dglHFOlAy9/4BP1GKzsl/K0o07VyA5JrZood/HCCrkla0todmW62oUorcYiNx6PTInC99E=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
b=06Z+QoTt7tJqWLspbgbs4daDYnF0dJ1GDZszrEdAaZLgOISmXHjU5dWpr9nLw9U7FH12d2vdpsaRU5dnyfmijoaLqeSPSAnYoHkvSRWmsobgpGcBWLdHQ+lWbHaZwq819ejAAhszt7e8GGX26m3ps09AOeN5V5JlhxWdcpfrSCM=;
X-YMail-OSG: dSyGR6kVM1nFDZdy2xFvDVAzxr1XOd5zBBV90OhDjoed6bR
raJTSiJO.p7gna8EjBGfmd0QtHeBrMIjGWk65bC.r9vyW5zdMOiBYrZD7hKP
34isP3UGt.i0VKHdXPh9v3uvyue2ATJDjCbr_RUPxb0SQ3NJ7tosWUe0yn09
xDq9kH1TDlMayZTPBb53B96M7.0XPf22OlrYhCxgnxcuSgZSqClCV9wkZexS
hzpY9NB5hLNkDRk77BOm2MaSQtXCHwFuDF6Jqz7mzxB2tVZTb5L4RZyEnjhY
TLsle9gwRF4wQJJa6.rX0SHhgcooOpE46gWPZWC2OpLDLOtUayAr6uR8_9ui
mk3DkmJsDJ.LSoFrjZotitR66VgJazuJkt4mdRIb8pwce2R2_k.xdptFs211
bJYAbf.05jSNA6B7vshgdLIuywduSXg5xRa7Ef6n2_d0HeZZLpIkvuQtUoXi
zFodDauqAZAwp44wR8.qxNTuaaBjGVeDaapAQ6UhpBErw3cVwRVwOyhX_B8P
PI79R9pvvePsxCDbLIvSThvqF64gS_P8Wd60QPzr6w7RuY4EeF1sIjjnCd9b
D1H_pgtQKM0vyQJ76yHV1SGvXHO4Dm4eyyI.t2OPxsDTZLs47Xtm3sg--
Received: from [180.215.45.228] by web124903.mail.ne1.yahoo.com via HTTP; Tue, 26 Feb 2013 10:17:20 PST
X-Rocket-MIMEInfo: 001.001,Jm5ic3A7aHR0cDovL3lhbmR1cGlzbGFuZC5jb20vc2dsa2V5L3FrczF1bW13ND9wNWp5b2lidjB6NTR0NGkwZmkyeGlhJm5ic3A7Jm5ic3A7Jm5ic3A7IAombmJzcDsmbmJzcDsmbmJzcDsgCiZuYnNwO0FsZWggSGxhZHppbGluCgEwAQEBAQ--
X-Mailer: YahooMailWebService/0.8.135.514
Message-ID: <1361902640.82375.YahooMailNeo@web124903.mail.ne1.yahoo.com>
Date: Tue, 26 Feb 2013 10:17:20 -0800 (PST)
From: Aleh Hladzilin <XXXXXXX@yahoo.com>
Reply-To: Aleh Hladzilin <XXXXXXX@yahoo.com>
Subject: Aleh Hladzilin
To: XXXXXXX <XXXXXXX@gmail.com>, XXXXXXX <XXXXXXX@hotmail.com>,
XXXXXXX <XXXXXXX@mms.att.net>, XXXXXXX <XXXXXXX@mefferts.com>,
XXXXXXX <XXXXXXX@gmail.com>, XXXXXXX <XXXXXXX@gmail.com>,
XXXXXXX <XXXXXXX@mefferts.com>, XXXXXXX <XXXXXXX@hotmail.com>,
XXXXXXX <XXXXXXX@gmail.com>,
XXXXXXX <XXXXXXX@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-904242613-41921432-1361902640=:82375"

---904242613-41921432-1361902640=:82375
Content-Type: text/plain; charset=us-ascii

&nbsp;http://yandupisland.com/sglkey/qks1ummw4?p5jyoibv0z54t4i0fi2xia&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;
&nbsp;Aleh Hladzilin

---904242613-41921432-1361902640=:82375
Content-Type: text/html; charset=us-ascii

<html><body><div style="color:#000; background-color:#fff; font-family:tahoma, new york, times, serif;font-size:10pt"><span style="font-size: 18px;">&nbsp;</span><span style="font-size: 16px;"><a href="http://yandupisland.com/sglkey/qks1ummw4?p5jyoibv0z54t4i0fi2xia">http://yandupisland.com/sglkey/qks1ummw4?p5jyoibv0z54t4i0fi2xia</a></span><div><span class="tab">&nbsp;&nbsp;&nbsp; </span><br><span class="tab">&nbsp;&nbsp;&nbsp; </span><br><span class="tab"><span style="font-size: 18px;">&nbsp;Aleh Hladzilin</span><br></span></div></div></body></html>
---904242613-41921432-1361902640=:82375--

Fortunately that email doesn't contain any malware or exploit. The link (hxxp://yandupisland.com/sglkey/qks1ummw ... t4i0fi2xia) is the intended payload. It seems like yandupisland.com is a legitimate site that has been compromised (pretty typical). I don't know what exploit the site is attempting since all of the requests I've tried result in a 302 redirect. I suspect the site is targeting a specific user-agent string or doing other filtering such as looking for a referer coming for Yahoo.

The site has been compromised since at least the 15th since I've seen a request to hxxp://yandupisland.com/fajm/su4yqqj5=v ... t0b4pv2ajl which also does a 302 redirect.

The perpetrator that logged into the Yahoo webmail interface to send the email was 180.215.45.228 which is located in India. That IP has been observed participating in fast flux DNS. for example:


So it's most likely just botted.

I can't find any more info on the botnet(s) being used or the exploit they may be delivering to some users.

Keep your OS up-to-date (do Windows update), and make sure you've either removed Java or updated to the latest release.