
"You have signed in at another location"

Saturday, July 8, 2006 at 8:15am by Vinay Mahadik

I recently got a bunch of Yahoo instant messages from a few IM buddies. All of them about a geocities page: www.geocities.com/omg_thats_too_funny_3/ Unfortunately, that page was taken down by the time I could check what it was about. Also, my buddies couldn’t recall sending me that link.

IM Phish
It’s essentially a phishing attack delivered over the popular Yahoo instant-messenger network. You might see an offline buddy sign in, send you the above link with a couple of tempting smileys, and quickly log off. The scary part is that it’s sent without their knowledge, frequently when they are not online. They might even remember being knocked off Yahoo IM because “they signed in somewhere else”. This likely means that their Yahoo accounts had been compromised.

If you look around, you will find quite a few others have been scammed into losing their Yahoo passwords via phishing sites:

http://isc.sans.org/diary.php?storyid=1463
http://www.broadbandreports.com/forum/remark,14377670
http://zigzackly.blogspot.com/2005/10/yahoo-password-hack-warning.html

IMs from buddies are too easily trusted. Many sites that host pictures/videos allow only registered users to view them, so a login prompt behind a buddy’s link looks normal. It’s not surprising that this type of attack is so successful.

What’s different about this attack is that it’s not a simple password-stealing attempt from a single targeted user. Once an unsuspecting user compromises her credentials by submitting them at the phishing site, a CGI script on that site uses the YMSG protocol with the stolen credentials, logs on to the Yahoo IM network and gathers the buddy list of that user to propagate the attack further! All buddies on this compromised user account get similar IMs posing as this user.

Theorizing further, it’s not hard to imagine a central attacker-controlled database of stolen Yahoo IM ids (and, for the users who fell for the phishing, even their passwords). Such a database could be really useful for spammers. It can be used to do some fancy data-mining as well (buddy relationships etc). At the very least, it shows which users are security savvy and which ones are not! :)

The attacker could keep creating newer sites when older ones are taken down/blocked. Yahoo IM’s default-allow policy makes all this even worse – non-buddies (anyone!) can send you an instant message without any previous contact. This is actually the whole point behind using them on social networking sites like Orkut, MySpace, etc. So the phishing attacks can’t really be blocked at the network or URL level.

The only solution seems to be to use a “site-key” mechanism on the Yahoo login page(s). Something like a user-specified image/secret that gets displayed before the user even types the username (or password). This image can be selected based on the cookies/Macromedia Flash Objects downloaded through previous sessions. Since only Yahoo can read the content inside these local objects, only Yahoo can generate the right site-key image. The user enters her credentials only on recognizing the right site-key.
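The site-key flow described above, as an added illustration (not code from the post or from Yahoo): the login page resolves a device cookie to the user’s chosen image/phrase before any credential is typed, and a look-alike page, which never receives the real origin’s cookie, cannot show the right key. User names, images and the cookie name are constructed for the example.

```python
import secrets

# Constructed enrolment data (hypothetical users, not from the post): each user
# picked a secret image and phrase that only the real site knows.
USERS = {
    "alice": {"image": "lighthouse.png", "phrase": "purple tea"},
    "bob": {"image": "red-bicycle.png", "phrase": "winter 42"},
}

# Server-side map from device token to username. Only the random token lives in
# the browser's local object, so a stolen cookie reveals no password.
DEVICE_TOKENS = {}


def enrol_device(username):
    """Called once after a full login on a new browser: mint a random device
    token and hand it back to be set as a cookie for the real site's origin."""
    token = secrets.token_urlsafe(16)
    DEVICE_TOKENS[token] = username
    return token


def render_login_page(cookies):
    """Step 1 of the login flow, run before the user types anything.
    Only the real origin receives its own cookie, so only it can turn the
    token into the user's site key. Unknown or absent token: generic page
    with no password field, and deliberately no username-based fallback
    (a relaying page could otherwise ask the real site for the key)."""
    username = DEVICE_TOKENS.get(cookies.get("devtoken", ""))
    if username is None:
        return {"site_key": None, "show_password_field": False}
    return {"site_key": USERS[username], "show_password_field": True}


def user_should_enter_password(page, remembered_image, remembered_phrase):
    """The user's side of the check: credentials go in only when the page
    shows exactly the image and phrase chosen at enrolment."""
    key = page["site_key"]
    return (key is not None
            and key["image"] == remembered_image
            and key["phrase"] == remembered_phrase)


if __name__ == "__main__":
    token = enrol_device("alice")
    # The browser sends the device cookie only to the real site's origin...
    real_page = render_login_page({"devtoken": token})
    # ...so a look-alike phishing page sees no cookie for that origin at all.
    phish_page = render_login_page({})
    print(user_should_enter_password(real_page, "lighthouse.png", "purple tea"))   # True
    print(user_should_enter_password(phish_page, "lighthouse.png", "purple tea"))  # False
```

The weak spot of any such scheme is the no-cookie path (new browser, cleared local objects), which is why the example refuses to look the key up by username there.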
