
Author Topic: email hijack security risks? (IT dudes!)  (Read 17558 times)

Andrew W

  • Welterweight
  • ****
  • Posts: 1350
    • http://www.andrew-whitehurst.net
Re: email hijack security risks? (IT dudes!)
« Reply #30 on: May 06, 2010, 11:00:48 PM »
Oh, I reinstalled java if that makes any difference.

If it is a Javascript exploit, changing passwords or doing reinstalls etc. won't make any difference, and there's no reason why there would be any malicious code on your computer; it's in the email you were sent, which lives on your webmail provider's server and is executed by your machine when you see the mail.

Your best hope is that your webmail provider improves the security of the Javascript code that makes their site work.  You could report your situation to them and it might help them debug their code and track down the vulnerability.  Your passwords probably won't matter because these exploits work once you've already logged into your account.  I'm afraid that this is a fact of life in this time where so many of us use webmail as our primary email client.

MDV

  • Middleweight
  • *****
  • Posts: 6945
  • If it sounds good it IS good
Re: email hijack security risks? (IT dudes!)
« Reply #31 on: May 06, 2010, 11:05:46 PM »
I see

Thing is, I didn't open any emails that I didn't expect or weren't from trusted sources (no unusual content in those).

The closest I've come is looking at my spam folder, which I don't normally do, but I didn't open any, or don't remember it.

Maybe my memory's playing tricks on me, but I'm 99% sure that there were replies to this spam sent on my account the first time I opened my email today. Does that add up with the java exploit?

Andrew W

  • Welterweight
  • ****
  • Posts: 1350
    • http://www.andrew-whitehurst.net
Re: email hijack security risks? (IT dudes!)
« Reply #32 on: May 06, 2010, 11:17:03 PM »
I see

Thing is, I didn't open any emails that I didn't expect or weren't from trusted sources (no unusual content in those).

The closest I've come is looking at my spam folder, which I don't normally do, but I didn't open any, or don't remember it.

Maybe my memory's playing tricks on me, but I'm 99% sure that there were replies to this spam sent on my account the first time I opened my email today. Does that add up with the java exploit?

Could well be.  I'm pretty sure that when it happened to me I hadn't clicked on anything either.  New vulnerabilities are discovered and exploited all the time.  It's a shifting and increasingly sophisticated arms race between hackers and spam merchants and the webmail companies.  We're just stuck in the middle.

phlip

  • Featherweight
  • ***
  • Posts: 319
Re: email hijack security risks? (IT dudes!)
« Reply #33 on: May 07, 2010, 09:55:29 AM »
One thing which hasn't been mentioned is that the emails are most likely not originating from your PC. Your address and address book have probably been harvested and emails are being generated elsewhere by a spambot faking you as the sender. There isn't a lot you can do about this.

If your IT friend thinks you have a rootkit has he suggested a way to find out? I would scan with http://www.f-secure.com/en_EMEA/security/tools/blacklight/

Rootkits for Win7 are currently rare at the moment, however if you're on XP there are thousands of the buggers!

From an IT security standpoint, if you have a rootkit then I would recommend a format of your system. It's the biggest pain in the arse for sure, BUT you don't know what else the rootkit has dumped on your system, some of which could be very new and not known to AV companies yet*

Of course this standpoint is fine for me as I can just network boot a system and have it built in less than 1 hour. Not so easy for a home user who has to dedicate a lot of time getting a system back up and running.

*We send disk images of rootkit-infected systems (it's rare we get them TBH) to McAfee, our corporate AV vendor, for analysis and it's very surprising how much new code they find on these infected systems, hence our "don't clean, re-format" policy here!

MDV

  • Middleweight
  • *****
  • Posts: 6945
  • If it sounds good it IS good
Re: email hijack security risks? (IT dudes!)
« Reply #34 on: May 07, 2010, 02:26:54 PM »
Thanks guys.

There *seems* to be a second email, sent today, as I have a failure notice to several emails, and it's the same email, same dodgy link.

Guys on here that got the first one; can you give me a shout if you got a second one please?

See, if there was a second one, the PC that I was using and is suspected infected has been both disconnected (the cable pulled; it's a damned clever virus that can circumvent that) and the PC off (even cleverer!!!), and I've been on my laptop. The only connection is they run through the same router. So if there's a second email, the problem isn't my PC (or it's, somehow, all my PCs, but it would have to be stored on my router, since I haven't used my LT in weeks and disconnected the offending PC before firing it up, just in case).

So, anyone get a second spam email off me?

dave_mc

  • Middleweight
  • *****
  • Posts: 9796
Re: email hijack security risks? (IT dudes!)
« Reply #35 on: May 07, 2010, 02:58:45 PM »
Oh, and will do dave.

cheers! hope you get it sorted :)

EDIT: no second one for me.

I also make a point of not even opening an email if I don't know who it's from.

shobet

  • Welterweight
  • ****
  • Posts: 1582
  • Look into my eye...
    • http://www.dusksky.com
Re: email hijack security risks? (IT dudes!)
« Reply #36 on: May 07, 2010, 03:15:00 PM »
It's Yahoo, and I'm aware of some of the problems with java (it's the only thing that comes up in Kaspersky vulnerability scans, at least!), but didn't know it made email hacking that easy.

In your estimation then, do I have malware on that machine (Malwarebytes free version now also says it's clean, btw) or has some tw@t hacked my address, but my PC and other info are fine?

Java and Javascript are completely different languages. While the syntax may look the same, they work in entirely different ways.

Errrrr, ok, fine, but if you know the answer to the question, could you answer it, pretty please?

Just correcting your lack of knowledge is all. As a scientist I thought you would appreciate someone pointing out misconception, but apparently not. Ho hum.

As mentioned, this most likely happened when some javascript was executed when you used your webmail client to view what was probably an utterly harmless-looking mail. I imagine it's harvested the content of your address book and/or the addresses in the sent mails.

Answer is, don't use a browser to view your mail. If you do, disable javascript. However I suspect that will cripple most of the functionality of the webmail service.

As for if you have a compromised system, who knows? If you're concerned it's probably easier to wipe and restore than it is to spend the hours and hours required to run all the software available, and even then you're not 100% positive that they've picked anything malicious up.

Happy now?
There are 10 kinds of people who understand binary.
Those who do and those who do not.

MDV

  • Middleweight
  • *****
  • Posts: 6945
  • If it sounds good it IS good
Re: email hijack security risks? (IT dudes!)
« Reply #37 on: May 07, 2010, 03:24:42 PM »
:lol: Happier, yeah :lol:

Sort of. I still don't know for sure if I have anything on my system, and don't know how to find out!

I am on Windows 7, btw. Also ran a Malwarebytes scan and it came up clean. Gonna try BlackLight and see what happens.

Let's not be making a big deal about the java/javascript thing. I accepted the correction, I just thought it was odd that that's what you chose to tell me.

MDV

  • Middleweight
  • *****
  • Posts: 6945
  • If it sounds good it IS good
Re: email hijack security risks? (IT dudes!)
« Reply #38 on: May 07, 2010, 03:31:57 PM »
phlip; BlackLight says that it's not compatible with Win 7. Trying to run it gives a 'you need admin privileges' message (which is a bit worrying in and of itself given what rootkits do).

Can anyone else that has 7 (preferably 64) try and run it and see if you get the same message please?

Edit - I get the same thing on my LT, which I at least think is clean and is 7-32.

MDV

  • Middleweight
  • *****
  • Posts: 6945
  • If it sounds good it IS good
Re: email hijack security risks? (IT dudes!)
« Reply #39 on: May 07, 2010, 07:34:10 PM »
I'm slightly suspicious of Amazon anyway out of those (mainly cos it runs like a filthy dog on my laptop and I can see various adware things getting blocked every time I open an Amazon window) - but I'm not sure I'd be that suspicious of any of them... (unless of course you were using one of them on the day that it experienced an attack).

Have you got anything that you allow to use you as a "server"?

E.g. when I joined Spotify (and whenever it updates its client on my PC), my firewall goes "Spotify wants you to act as a server" and I go - "You can f**k right off on that mate..." (well, the button actually says "No", but I've explained to my missus that it's a little more forceful/important than just "No"...)

The first time I thought "oh well, that's it, no Spotify for me then", but it works even if you deny this.

It's that sort of thing that I'd suspect, or something that manages to sneak in and pretend it's something else so that your firewall doesn't notice when it starts calling home...

Hopefully if there's anything like that lurking then the scan will spot it.

But I've always assumed that to send e-mail from you, recognisable as coming from you and your ip address... that, unless it's installed some crazy program on your system, a process elsewhere has to take control of your machine and use your e-mail client to send from your e-mail address book... (the fact that you've got nothing in your sent folder made me wonder, but I'm not sure it's that indicative of owt...)

Can you tell from the returned mails whether it was actually coming from your IP? i.e. from all the tracking guff you get in returned mails. I don't really know how to read them, but I'd be tempted to send a "Testing Testing" e-mail to one of those dead addresses to see whether the return of a legit e-mail from me looks the same as one of these spam-jobs.

Well, I sent an email to swineshead to get a failure notice that I know came from me with the corresponding IP.

It doesn't match the IP in the failure notice from the spam mails.

Can one of the learned IT dudes here please interpret this information for me in the "virus on my machine" vs "Yahoo server got hacked and my machine's fine" hypotheses?

Seems it didn't come from my computer, but rootkits are clever and might mask it, or use a proxy or something?
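As an added illustration (not code from anyone in this thread), here is how the check AndyR suggested and MDV did by hand can be done mechanically: pull the client IP the webmail server recorded in the quoted Received: headers of each bounce, and compare the spam bounce with the bounce from a known "Testing Testing" mail. The bounce texts, hostnames and IPs below are constructed placeholders (RFC 5737 documentation ranges), and the marker line is an assumed bounce format.

```python
import re
from email import message_from_string

# Constructed sample bounces (not real mail): placeholder hosts, RFC 5737 documentation IPs.
# Assumed bounce layout: the original message is quoted below a marker line; the *last*
# Received: header is the one the webmail server itself added when the mail was submitted.
MARKER = "--- Below this line is a copy of the message."

BOUNCE_FROM_SPAM = f"""\
From: MAILER-DAEMON@example.net

{MARKER}
Received: from web1.mail.example.com (web1.mail.example.com [198.51.100.7])
        by mx.example.net with SMTP; Fri, 07 May 2010 02:30:11 +0000
Received: from [203.0.113.55] by web1.mail.example.com via HTTP; Fri, 07 May 2010 02:30:10 +0000
Subject: check this out
"""

BOUNCE_FROM_TEST = f"""\
From: MAILER-DAEMON@example.net

{MARKER}
Received: from web1.mail.example.com (web1.mail.example.com [198.51.100.7])
        by mx.example.net with SMTP; Fri, 07 May 2010 14:05:02 +0000
Received: from [192.0.2.10] by web1.mail.example.com via HTTP; Fri, 07 May 2010 14:05:01 +0000
Subject: Testing Testing
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def received_chain(bounce_text):
    """IPs from each Received: header of the quoted original, outermost hop first.
    A Received: line names the host it came *from*, so its first IP is that hop."""
    _, found, quoted = bounce_text.partition(MARKER)
    if not found:
        return []
    original = message_from_string(quoted.lstrip("\n"))  # parser unfolds wrapped headers
    hits = (IPV4.search(v) for v in original.get_all("Received", []))
    return [m.group(0) for m in hits if m]

def originating_ip(bounce_text):
    """Client IP recorded by the submission server (last hop), or None if no chain."""
    chain = received_chain(bounce_text)
    return chain[-1] if chain else None

def same_origin(bounce_a, bounce_b):
    """True when both bounced messages were submitted from the same client IP. Only
    meaningful when the provider wrote that header: a spambot that spoofs the sender
    address without touching the provider produces a different chain altogether."""
    a, b = originating_ip(bounce_a), originating_ip(bounce_b)
    return a is not None and a == b
```

A mismatch, as MDV found, means the spam was not submitted from the same connection as the test mail; it says nothing about whether the PC is otherwise clean.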

AndyR

  • Welterweight
  • ****
  • Posts: 4715
  • Where's all the top end gone?
    • My Offerings
Re: email hijack security risks? (IT dudes!)
« Reply #40 on: May 08, 2010, 10:43:33 AM »
I'm not actually expert enough to interpret properly... but from this, and the posts on here since I wrote that, it does sound to me like your e-mail address and address book details got nicked and the funny mails are not coming from your machine...

So, if that's the case - I spose it's partly "good news"... it sounds like wipe and reformat might be receding as the solution...

But I'd still be left thinking the following:

a) "how the f did it happen?" (so I don't do that again) and
b) "is there any way I can stop these b@stards?".

I have a horrible feeling that there ain't any useful answers to those two questions :(
Play or Download AndyR Music at http://www.alonetone.com/andyr

phlip

  • Featherweight
  • ***
  • Posts: 319
Re: email hijack security risks? (IT dudes!)
« Reply #41 on: May 08, 2010, 11:50:46 AM »
phlip; BlackLight says that it's not compatible with Win 7. Trying to run it gives a 'you need admin privileges' message (which is a bit worrying in and of itself given what rootkits do).

Can anyone else that has 7 (preferably 64) try and run it and see if you get the same message please?

Edit - I get the same thing on my LT, which I at least think is clean and is 7-32.

On Win7, even when you are on as administrator, you're not actually running with admin privileges until you elevate your account (right click, Run as administrator!). If your 'compromised system' is Win7 x64 then I'm gonna stick my neck out and say the chances of you having a rootkit are pretty much zero! The Kernel Patch Protection in x64 makes it very hard to exploit any security holes!

You can use Sophos' free rootkit detector on Win7 64 if you really want: http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

shobet

  • Welterweight
  • ****
  • Posts: 1582
  • Look into my eye...
    • http://www.dusksky.com
Re: email hijack security risks? (IT dudes!)
« Reply #42 on: May 08, 2010, 12:53:28 PM »
Aherm http://m.zdnet.com/blog/security/hacker-exploits-ie8-on-windows-7-to-win-pwn2own/5855
I didn't read it in depth, but as with any operating system running any software out there, there are going to be holes, no matter how secure they claim to be :(
There are 10 kinds of people who understand binary.
Those who do and those who do not.

MDV

  • Middleweight
  • *****
  • Posts: 6945
  • If it sounds good it IS good
Re: email hijack security risks? (IT dudes!)
« Reply #43 on: May 08, 2010, 02:07:55 PM »
Ok, here's the crack so far, summary and all the stuff I've done

- Spam email gets sent from my account to everyone in my address book. No saved email, failure notice IP doesn't match the IP from an email I send from my connection. Email is Yahoo.

- Run scans with

MDV

  • Middleweight
  • *****
  • Posts: 6945
  • If it sounds good it IS good
Re: email hijack security risks? (IT dudes!)
« Reply #44 on: May 08, 2010, 03:19:44 PM »
Stupid restarts. Summary again -

Scans with Kaspersky, Defender (Windows stock) and Malwarebytes. Clean.

Kaspersky shows a trojan on 18/4. It's the only infection it's recorded. It doesn't seem to still be there - I assume it handled it at the time.

AVG scan from my laptop across my network, in case running from an OS that an infection isn't trying to hide from helps - no result.

Checked IPs in failed deliveries - they don't match emails sent from my connection.

Superantispyware showed 9 tracking cookies, nothing major, all gone now.

Sophos showed 2 hidden things, don't know what they are, running again, will give more detail in a minute.

PC slowed down massively last night, to the point where the mouse wouldnt move for 5 seconds at a time. Turned off at the mains, working ok now, never done that before.

Called Yahoo, they said that this is happening a fair bit.

Changed all passwords on a different machine.

Set up a second email for financial things (also Yahoo, though - can anyone suggest a more secure way?)

Thoughts? I know what it looks like to me, but I also don't know much about this stuff, when it gets down to it.