[nsp-sec] yahoo email account compromise
Robert
robert at servalens.com
Fri Jul 29 17:57:39 EDT 2011
I've seen several Yahoo account compromises in the last few days.
The access was via Yahoo Mobile. The accounts were dormant and not
phished. My assumption was brute force.
190.227.31.183 (initial access)
189.214.14.94
82.227.188.143
Redirector URLs were spammed. Examples:
hxxp://www.fulldigital.es/friends.page.php?icid_friend=91ny6
hxxp://www.cormoranomarina.it/friends.page.php?awpage=30yk9
hxxp://www.honestpcservice.com/friends.page.php?opotopic=51o3
hxxp://susungasset.co.kr/friends.page.php?een_yahoo=52d3
hxxp://www.randonnez.fr/friends.page.php?xyts=43ma3
hxxp://niftytrends.megabyet.net/friends.page.php?fID=82ym4
hxxp://relaxationstation.biz/friends.page.php?jyahooID=95gi6
hxxp://niftytrends.megabyet.net/friends.page.php?ifortune=14s7
The 50 or so redirectors I observed all pointed to this list of URLs:
hxxp://www.healthrxshop.com/index.php?product=14
hxxp://www.mercolamedic.net/index.php?product=14
hxxp://www.pfizermedsrx.com/index.php?product=18
hxxp://www.pillrxhealth.net/index.php?product=12
hxxp://www.tabletmedicalspills.com/index.php?product=88
Appears to be fast-flux Canadian pharma (with the images loaded by
IP:8080 junk).
Posting all this in the slim case the account compromises are related
and part of a much larger group of accounts just compromised in the last
2 days or so.
Robert
Verizon
On 07/29/2011 03:17 PM, Smith, Donald wrote:
> ----------- nsp-security Confidential --------
>
> This guy seems to be sending spam to his contact list:(
> rtilson at yahoo.com
>
> One of my coworkers received spam from that account and told me that this gentleman is now departed:(
>
> (coffee != sleep)& (!coffee == sleep)
> Donald.Smith at qwest.com
>
> This communication is the property of Qwest and may contain confidential or
> privileged information. Unauthorized use of this communication is strictly
> prohibited and may be unlawful. If you have received this communication
> in error, please immediately notify the sender by reply e-mail and destroy
> all copies of the communication and any attachments.
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
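The redirector pattern described above (one `friends.page.php` path dropped on many unrelated compromised sites, each with a different throwaway query parameter name) is the kind of thing a mail-abuse team can pull out of a batch of reported spam URLs automatically. The script below is an added example, not code from the post or from the nsp-security list: it takes the defanged URLs quoted above as its constructed input, groups them by path, and flags paths that recur across several distinct hosts with a fresh parameter name per URL. The `min_hosts` threshold and the "randomized parameter names" heuristic are my assumptions, not something the post states.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input: the defanged URLs quoted in the post above
# (both the redirectors and the pharma landing pages they pointed to).
SAMPLE_URLS = [
    "hxxp://www.fulldigital.es/friends.page.php?icid_friend=91ny6",
    "hxxp://www.cormoranomarina.it/friends.page.php?awpage=30yk9",
    "hxxp://www.honestpcservice.com/friends.page.php?opotopic=51o3",
    "hxxp://susungasset.co.kr/friends.page.php?een_yahoo=52d3",
    "hxxp://www.randonnez.fr/friends.page.php?xyts=43ma3",
    "hxxp://niftytrends.megabyet.net/friends.page.php?fID=82ym4",
    "hxxp://relaxationstation.biz/friends.page.php?jyahooID=95gi6",
    "hxxp://niftytrends.megabyet.net/friends.page.php?ifortune=14s7",
    "hxxp://www.healthrxshop.com/index.php?product=14",
    "hxxp://www.mercolamedic.net/index.php?product=14",
    "hxxp://www.pfizermedsrx.com/index.php?product=18",
    "hxxp://www.pillrxhealth.net/index.php?product=12",
    "hxxp://www.tabletmedicalspills.com/index.php?product=88",
]


def refang(url):
    """Turn the defanged 'hxxp://' / 'hxxps://' scheme back into one urlsplit parses."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def triage(urls, min_hosts=3):
    """Group URLs by path and report paths seen on at least min_hosts distinct hosts.

    For each such path the result records the hosts, the set of query parameter
    names used, and whether every URL used a different parameter name (a
    heuristic, assumed here, for a redirector kit that randomizes the name).
    """
    hosts = defaultdict(set)
    param_names = defaultdict(set)
    count = defaultdict(int)

    for url in urls:
        parts = urlsplit(refang(url))
        path = parts.path or "/"
        hosts[path].add(parts.hostname)
        count[path] += 1
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            param_names[path].add(name)

    report = {}
    for path, seen_hosts in hosts.items():
        if len(seen_hosts) < min_hosts:
            continue
        names = param_names[path]
        report[path] = {
            "hosts": sorted(seen_hosts),
            "url_count": count[path],
            "param_names": sorted(names),
            # Every URL carried its own parameter name: looks machine-generated.
            "randomized_params": len(names) == count[path] and count[path] > 1,
        }
    return report


if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_URLS).items()):
        flag = "REDIRECTOR-LIKE" if info["randomized_params"] else "landing/static"
        print(f"{path}: {len(info['hosts'])} hosts, "
              f"{len(info['param_names'])} param names over {info['url_count']} URLs -> {flag}")
```

Run on the post's URLs, `/friends.page.php` comes out as seven distinct hosts with eight different parameter names across eight URLs, while `/index.php` is five hosts all using the single `product` parameter; only the former fits the randomized-redirector shape. Feeding the same function the URLs extracted from a day's reported spam gives a quick list of compromised-site paths worth blocking or reporting.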