Yahoo accounts hijacked via email-based attack: Bitdefender

Bitdefender finds attackers exploiting unpatched WordPress Uploader.

A new email-based attack has been hijacking Yahoo accounts, security software company Bitdefender Labs has reported.

Bitdefender has warned of a link circulating in spam emails that appears to lead to an MSNBC Web page, but in reality leads to a page at a com-im9.net subdomain.

The link leads to a page housing a malicious piece of JavaScript that is disguised as the Lightbox JavaScript library. The site housing the script was registered in Ukraine on 27 January and is hosted in a data centre in Cyprus.

The second stage of the attack exploits an unpatched WordPress uploader component used by the Yahoo! Developer blog. The developer blog is housed at a Yahoo.com subdomain, and the attackers are able to steal a victim's Yahoo.com cookie, giving them access to the victim's contact list, providing further targets to spam.

Bitdefender is urging Yahoo account holders to watch out for spam emails and not to click on links in emails from unknown senders.

Follow Rebecca Merrett on Twitter: @Rebecca_Merrett

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia

Tags Yahoohacking exposedsecurityjavascriptbitdefender

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Open Space Security Suite

Kaspersky Open Space Security provides complete business protection in a single integrated suite of applications that work seamlessly across all platforms.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.