21 Mar 2013

Yahoo!’s email system hacked by criminal spammers

As the world’s third largest email provider recovers from a hack attack, Technology Producer Geoff White has the details of the scam and how Yahoo! users can protect themselves.

Yahoo!’s email system has been hacked by criminals who have hijacked users’ accounts for a global spam email campaign.

The FBI has moved to shut down the operation after a Channel 4 News investigation revealed accounts around the world had been broken into. We understand the hacker lives in the Russian Federation.

Yahoo!, the world’s third largest email provider, was hacked in January and claimed it had fixed the problem. But this new vulnerability has raised fresh concerns about security at the internet giant.

Suspicious log-ins

From as early as 1 March Yahoo! users’ accounts began to show suspicious log-ins, apparently from a mobile phone, from locations around the world.

Within a minute of the hacker logging in, the users’ mailboxes had been hijacked and used to send spam email. The hackers covered their tracks to leave their victims none the wiser.

Holly Willis was one of many victims. “It looks like there was a log-in to my account from Romania – but I’ve never been there,” she said. “The first I knew of it was when people started contacting me asking why I’d sent them strange emails.

“I do have friends and family who don’t use computers that often. They see an email from me, they trust me, so they click on the link. I feel terrible that I might have led to people’s computers being compromised.”

Yahoo’s automated systems highlighted the suspicious log-ins, but three weeks later it seems the company has been unable to stop the attacks and has not informed its customers of the problem. It has around 13m UK users.

“We’re committed to protecting our users and their data” – Yahoo spokesman

Until today, the company’s Twitter feed has for the past month carried the same message: a link to a safety update from last July which does not mention the email flaw.

When first approached for comment, Yahoo issued a statement relating to the January hack. When asked for an updated response, a Yahoo! spokesman said: “We take data protection very seriously and are currently investigating reports that some Yahoo! Mail accounts may have been compromised.”

Random recipients

Once inside a user’s account, the criminal sent an email containing a single web address to a handful of the victim’s contacts – seemingly chosen at random from emails they have sent or received.

The links appear to lead to a legitimate website, but in fact, those legitimate websites have themselves been hacked. The spam link leads to a hidden page on the legitimate website, which immediately redirects to the hacker’s website – a get-rich-quick scheme which promises thousands of dollars of income before asking for a credit card payment.

But Spamhaus, a UK organisation which tracks spammers, believes the website may also have contained a trojan – malicious code which can infect the computers of those who visit it.

“A trojan is a piece of software which is transferred silently from the criminal’s computer to yours,” said Richard Cox of Spamhaus. “It changes the settings on your computer, reduces its security, and it can allow the criminal to track the keystrokes you make, for example when logging into your bank account.”

The hacker’s site is based on a server in California, and following Channel 4 News’s investigation the FBI has moved in to shut it down and seize the vital evidence it holds, in the hope of tracing the culprit.

Channel 4 News is not naming the suspected hacker, but we understand he is based in the Russian Federation and has a long history of computer crime.

“He’s been involved in cyber-crime over a number of years. We’ve built up quite a comprehensive file on him. If it’s handled correctly, the chances of an arrest are high,” said Cox.

If you think you’ve been affected, Channel 4 News’s technology producer Geoff White would like to hear from you – you can find him on Twitter: https://twitter.com/geoffwhite247.

How to protect yourself

  • Change your Yahoo email password immediately. A strong password includes upper and lower case letters and numbers, and should be unique to the account. Non-dictionary words are best: for example, take the first letter from each word in a line from your favourite song.
  • Check for suspicious log-ins to your Yahoo account here.
  • Spam links take the form of a legitimate web address followed by random code – for example: www.legitimatesite.com/afafn9234/?21qwerp. Do not click on the link.
  • If you did click on the link, update your anti-virus software and run a virus check.
  • Yahoo gives good security advice here and here.