Geekzone: technology news, blogs, forums
61 posts

Master Geek


  Reply # 760093 12-Feb-2013 14:23 Send private message


So that's two of us that can't. Has anyone successfully changed their password?

I feel like a bit of an idiot, because the odds are that it is a user error/mistype, but I've tried it a few times and I'm pretty sure I'm entering it right.


You're not alone.

I struggled changing my mother's password for her on Sunday. I tried the two different user names they log in with - nothing worked. (They each have a [email protected] address under their account).

In the end, it only worked when I put the username in as the xtr43000xxx - which seems to be some underlying account master username. Sorry, I can't remember if it had the @xtra.co.nz at the end.

Perhaps try and use this strange user name if your account has such a thing.

33 posts

Geek


  Reply # 760110 12-Feb-2013 14:41 Send private message

I managed to change my password in webmail and then in my Outlook.
But what about the link that was in the email? The email was sent to my parents and they clicked on the link. Does anyone have an idea what that would do?
They live in Europe. I think I will have to run an antivirus scan remotely on their computer and also tell them to change passwords for IB, Facebook, etc.

Thanks

1182 posts

Uber Geek
+1 received by user: 41


  Reply # 760133 12-Feb-2013 14:57 Send private message

Early indications said there was the potential to link/click malicious URLs to do injection or script exploits (and further allow the thing at your local address books), but it was primarily used to run pay-by-click advertising.

No one with it appears to have done a C/P of the URL into a sandbox, or a whois, etc.

Hokay, so a little more digging indicates the link does in fact escalate the XSS vulnerability by letting it at your account. So changing the PW is the best practice. But of course a malware scan, if you have no AV, wouldn't go astray.

http://thenextweb.com/insider/2013/01/08/researchers-say-yahoo-mail-exploit-still-active-despite-claim-of-being-fixed/

33 posts

Geek


  Reply # 760169 12-Feb-2013 15:19 Send private message

Oblivian: Early indications said there was the potential to link/click malicious URLs to do injection or script exploits (and further allow the thing at your local address books), but it was primarily used to run pay-by-click advertising.

No one with it appears to have done a C/P of the URL into a sandbox, or a whois, etc.

Hokay, so a little more digging indicates the link does in fact escalate the XSS vulnerability by letting it at your account. So changing the PW is the best practice. But of course a malware scan, if you have no AV, wouldn't go astray.

http://thenextweb.com/insider/2013/01/08/researchers-say-yahoo-mail-exploit-still-active-despite-claim-of-being-fixed/


Thanks Oblivian. I will do that...

727 posts

Ultimate Geek
+1 received by user: 7


  Reply # 760342 12-Feb-2013 20:01 Send private message

I received an email ostensibly from a friend's yahoo account on Saturday.
The subject was "Hey" (odd in itself), and the body was basically just a link to jklmachinery, whatever that might be. Being a trusted source, off I went to the site, but I rapidly ended up at workathomefree12. This was a pretty decent mock up of a news page with a ridiculous get-rich-quick success story and lots of links to other stories, seemingly. I just wrote back saying it was obviously a scam, but was told that she had not sent it! Then I read the news reports and figured that she'd been victimised and my details were in the wind.

So, who did?

The last "received from" line is:
Received: from [49.49.21.68] by web96101.mail.aue.yahoo.com via HTTP; Sat, 09 Feb 2013 20:44:26 NZDT
Let's see who that is:
Lookup has started...
Trying "68.21.49.49.in-addr.arpa"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53334
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;68.21.49.49.in-addr.arpa. IN PTR
;; ANSWER SECTION:
68.21.49.49.in-addr.arpa. 3393 IN PTR mx-ll-49.49.21-68.dynamic.3bb.co.th.
Received 91 bytes from 5.6.0.1#53 in 29 ms
The message seems to have originated in Thailand, but I suspect it used what is called an "open proxy", meaning the actual culprit may be anywhere.

So - where are they trying to get us to go?
The link is to www.jklmachinery.com:
Lookup has started...
Trying "www.jklmachinery.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30027
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.jklmachinery.com. IN ANY
;; ANSWER SECTION:
www.jklmachinery.com. 1098 IN A 74.208.177.211
Received 54 bytes from 5.6.0.1#53 in 29 ms
74.208.177.211 is an IP address owned by 1&1 Internet Inc, in Pennsylvania. There is "abuse" contact information below.
NetRange: 74.208.0.0 - 74.208.255.255
CIDR: 74.208.0.0/16
OriginAS: AS8560
NetName: 1AN1-NETWORK
NetHandle: NET-74-208-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
Comment: For abuse issues, please use only [email protected]
RegDate: 2006-11-22
Updated: 2012-02-02
Ref: http://whois.arin.net/rest/net/NET-74-208-0-0-1
OrgName: 1&1 Internet Inc.
OrgId: 11INT
Address: 701 Lee Rd
Address: Suite 300
City: Chesterbrook
StateProv: PA
PostalCode: 19087
Country: US
RegDate: 2006-09-05
Updated: 2011-10-12
Comment: http://www.1and1.com
Comment: For abuse issues, please use only [email protected]
Ref: http://whois.arin.net/rest/org/11INT
OrgTechHandle: 1NO-ARIN
OrgTechName: 1and1 ARIN Role
OrgTechPhone: +1-610-560-1617
OrgTechEmail: [email protected]
OrgTechRef: http://whois.arin.net/rest/poc/1NO-ARIN
OrgAbuseHandle: 1AD-ARIN
OrgAbuseName: 1and1 Abuse Department
OrgAbusePhone: +1-877-206-4253
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/1AD-ARIN
RTechHandle: 1NO-ARIN
RTechName: 1and1 ARIN Role
RTechPhone: +1-610-560-1617
RTechEmail: [email protected]
RTechRef: http://whois.arin.net/rest/poc/1NO-ARIN
RNOCHandle: 1NO-ARIN
RNOCName: 1and1 ARIN Role
RNOCPhone: +1-610-560-1617
RNOCEmail: [email protected]
RNOCRef: http://whois.arin.net/rest/poc/1NO-ARIN
RAbuseHandle: 1AD-ARIN
RAbuseName: 1and1 Abuse Department
RAbusePhone: +1-877-206-4253
RAbuseEmail: [email protected]
RAbuseRef: http://whois.arin.net/rest/poc/1AD-ARIN

That website immediately redirects to workathomefree12.com (I assume the first 11 have been shut down already). Who's that?
Lookup has started...
Trying "workathomefree12.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25771
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;workathomefree12.com. IN ANY
;; ANSWER SECTION:
workathomefree12.com. 5083 IN A 195.3.147.97
Received 54 bytes from 5.6.0.1#53 in 29 ms

195.3.147.97 is an IP address issued by the RIPE coordination centre in Amsterdam:
NetRange: 195.0.0.0 - 195.255.255.255
CIDR: 195.0.0.0/8
OriginAS:
NetName: RIPE-CBLK3
NetHandle: NET-195-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1996-03-25
Updated: 2009-03-25
Ref: http://whois.arin.net/rest/net/NET-195-0-0-0-1
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/RIPE
ReferralServer: whois://whois.ripe.net:43
OrgAbuseHandle: RNO29-ARIN
OrgAbuseName: RIPE NCC Operations
OrgAbusePhone: +31 20 535 4444
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/RNO29-ARIN
OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: [email protected]
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN
RTechHandle: RIPE-NCC-ARIN
RTechName: RIPE NCC Hostmaster
RTechPhone: +31 20 535 4444
RTechEmail: [email protected]
RTechRef: http://whois.arin.net/rest/poc/RIPE-NCC-ARIN

Looking up the IP address in the RIPE database, we find:
inetnum: 195.3.144.0 - 195.3.147.255
netname: RN-Data-DC
descr: RN Data SIA
country: LV
org: ORG-RND1-RIPE
admin-c: RN2335-RIPE
tech-c: RN2335-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: ROWER-MNT
mnt-routes: ROWER-MNT
mnt-domains: ROWER-MNT
source: RIPE #Filtered
organisation: ORG-RND1-RIPE
org-name: RN Data SIA
org-type: OTHER
address: Maskavas 322, LV-1063, Riga, Latvia
abuse-mailbox: [email protected]
mnt-ref: ROWER-MNT
mnt-by: ROWER-MNT
source: RIPE #Filtered
person: Raitis Nugumanovs
address: Maskavas 322, LV-1063, Riga, Latvia
phone: +371 20234062
nic-hdl: RN2335-RIPE
mnt-by: ROWER-MNT
source: RIPE #Filtered
More Info from RIPEstat
route: 195.3.144.0/22
descr: RN DATA DC
origin: AS41390
mnt-by: ROWER-MNT
source: RIPE #Filtered

The host of the bogus website is in Latvia, and the person responsible for it is Raitis Nugumanovs, of R N Data SIA.

Looks like a one-man band, according to: http://company.lursoft.lv/rn-data-sia?v=en
Whether he is the spammer, or is just hosting the site, I'm not sure.

This is interesting: http://blog.dynamoo.com/2010/10/evil-network-dg-holding-sia-altnet-lv.html
He's responding to a report in 2010 that his company is hosting spam sites, and purports to be entirely innocent and ruthlessly eliminating the abusers. Three years on - no change. Hmmmm.

Still, the ultimate address for abuse reports is [email protected] That is probably RN's ISP, and they could cut him off. Doubtless "workfromhome13" would then spring up.

Now, there has been quite a lot of nonsense spouted, not least of which is the notion that changing passwords will be of some value - it won't. The horse has already bolted. The messages are not being sent from "compromised accounts": the account information and contact details were stolen, and the spam was sent via an open proxy using the harvested details as a return address and CC list. That is why they don't appear in "Sent" folders, or how they were sent when the indicated machine was actually off, etc.

Also, I question the suggestions that the mere receipt of an email is sufficient to "compromise" the details held on the receiving computer. Perhaps this is just poorly worded and applies only to those who use a web interface for email and fall victim to an XSS exploit. If the mere receipt of a message via POP3 or IMAP is sufficient to activate an exploit, then it would surprise me greatly; less so if the mail reader rendered, and perhaps executed rogue code on a referenced website.

How was this data harvested? Probably using the XSS exploit, but I don't know. It could be a massive breach of security by some other method.

What I do know is that all addresses in the "compromised" yahoo contact lists should now be considered to be in the hands of criminals. It is not just xtra/yahoo clients who are affected.

What's the payload?
I don't know. All of the links on the destination page lead to the same target, regardless of what they purport to reference, but as I clicked on none of them, I have no idea what that target page does - deliver the payload I presume. It'll be a veiled request for credit card information or passwords, or the "drive by" download of some malware.

Anyway, these are just my musings - I could be quite wrong about a lot of it as this is not really my area of expertise, so you experts out there, chime in! Point out where I'm right or wrong.
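The investigation above is done by hand with dig and whois. The following is an added example, not part of the post, that scripts the same triage steps so they can be repeated on other samples: unfold the header block, walk the Received: chain from the bottom to find the submitting client's public address, build the in-addr.arpa name to query for its PTR (the "68.21.49.49.in-addr.arpa" the post looks up), score the returned PTR for the dynamic/residential hints the post reads off "dynamic.3bb.co.th", and pull the abuse mailbox out of an RIR-style whois record. The header block and whois record are constructed: only the bottom Received: line and the 195.3.144.0/22 allocation details come from the post; example.org/example.net, 203.0.113.10 and the abuse@example.lv mailbox are placeholders.

```python
"""Triage helpers for a suspicious message: originating address from the
Received: chain, reverse-DNS query name, dynamic-PTR heuristic, abuse contact.
Added example; runs offline on constructed input."""
import ipaddress
import re
from typing import Dict, List, Optional

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Tokens that commonly appear in PTR names of consumer/dynamic pools. Heuristic
# only: absence proves nothing, presence means "not a proper mail server".
DYNAMIC_TOKENS = ("dynamic", "dyn", "dsl", "cable", "pool", "ppp", "dhcp", "dialup")

# Constructed header block. The bottom Received: line is the one quoted in the
# post; the hops above it, example.org/example.net and 203.0.113.10 (a
# documentation range) are invented for illustration.
SAMPLE_HEADERS = """\
Received: from outbound.mail.example.org (outbound.mail.example.org [203.0.113.10])
 by mx.example.net with ESMTP; Sat, 09 Feb 2013 20:44:30 +1300
Received: from [127.0.0.1] by outbound.mail.example.org with ESMTP; 09 Feb 2013 07:44:28 -0000
Received: from [49.49.21.68] by web96101.mail.aue.yahoo.com via HTTP; Sat, 09 Feb 2013 20:44:26 NZDT
From: friend@example.com
Subject: Hey
"""

# Constructed RIR-style record in the shape of the RIPE output in the post;
# the abuse mailbox is a placeholder, not the real one.
SAMPLE_WHOIS = """\
inetnum:        195.3.144.0 - 195.3.147.255
netname:        RN-Data-DC
country:        LV
status:         ASSIGNED PI
abuse-mailbox:  abuse@example.lv
source:         RIPE # Filtered
"""


def unfold_headers(raw: str) -> List[str]:
    """RFC 5322 unfolding: a line starting with whitespace continues the previous field."""
    fields: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.rstrip())
    return fields


def received_lines(raw: str) -> List[str]:
    """Received: values, top (newest hop) to bottom (oldest hop)."""
    return [f[len("Received:"):].strip() for f in unfold_headers(raw)
            if f.lower().startswith("received:")]


def public_ips(text: str) -> List[str]:
    """IPv4 literals in a header value, skipping loopback/private/reserved ranges."""
    out = []
    for literal in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:
            continue
        if ip.is_global:
            out.append(str(ip))
    return out


def originating_ip(raw: str) -> Optional[str]:
    """Walk Received: lines bottom-up; the first public address is the submitting client.
    Only hops added by servers you trust are reliable; a sender can forge lines below them."""
    for line in reversed(received_lines(raw)):
        ips = public_ips(line)
        if ips:
            return ips[0]
    return None


def ptr_name(ip: str) -> str:
    """Name to query for the PTR record, e.g. 68.21.49.49.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def looks_dynamic(ptr: str) -> bool:
    """True when the PTR carries a consumer/dynamic-pool token."""
    lowered = ptr.lower()
    return any(tok in lowered for tok in DYNAMIC_TOKENS)


def parse_whois(text: str) -> Dict[str, List[str]]:
    """'key: value' lines into a dict of lists (keys repeat in RIR output)."""
    rec: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("%"):
            continue
        key, value = line.split(":", 1)
        rec.setdefault(key.strip().lower(), []).append(value.strip())
    return rec


def abuse_contact(rec: Dict[str, List[str]]) -> Optional[str]:
    """Prefer explicit abuse fields; fall back to a comment that names an abuse mailbox."""
    for key in ("abuse-mailbox", "orgabuseemail", "rabuseemail"):
        if key in rec:
            return rec[key][0]
    for comment in rec.get("comment", []):
        found = re.search(r"[\w.+-]+@[\w.-]+", comment)
        if found and "abuse" in comment.lower():
            return found.group(0)
    return None


if __name__ == "__main__":
    client = originating_ip(SAMPLE_HEADERS)
    print("submitting client:", client, "-> query PTR for", ptr_name(client))
    print("dynamic-looking PTR:", looks_dynamic("mx-ll-49.49.21-68.dynamic.3bb.co.th"))
    print("report to:", abuse_contact(parse_whois(SAMPLE_WHOIS)))
```

Two caveats when using this on real mail: only the Received: lines stamped by your own (or a known-good) MTA can be trusted, since anything below them is under the sender's control; and a "via HTTP" hop like the one in the post records the address of the browser session that submitted the message through webmail, which may itself be a proxy in front of the real operator, as the post notes.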

727 posts

Ultimate Geek
+1 received by user: 7


  Reply # 760343 12-Feb-2013 20:05 Send private message

Oh - as a P.S. - I did run ClamXav afterwards on my entire main drive - nothing identified.

308 posts

Ultimate Geek
+1 received by user: 47


  Reply # 760346 12-Feb-2013 20:11 Send private message

This would be an interesting link for those who have had their accounts compromised to try.  Shows the login history of your account including IP address and location.

https://api.login.yahoo.com/login/history

Edit: fixed up URL formatting

1182 posts

Uber Geek
+1 received by user: 41


  Reply # 760363 12-Feb-2013 20:37 Send private message

Ruhroh.

One of my yahoo group addresses (all I use it for) held with yahoo au got done, but not the xtra one.

And my PW change suggestion was going based on the media's interpretation of it, being a cookie-based thing.

Screeny


BDFL
49741 posts

Uber Geek
+1 received by user: 4523

Administrator
Trusted
Geekzone
Subscriber

  Reply # 760365 12-Feb-2013 20:38 Send private message

An update from Yahoo! received this minute:


Yahoo! New Zealand remains committed to supporting Telecom and Yahoo! Xtra customers following a recent vulnerability in the Yahoo! Mail product. 

“We take security and our customers’ data extremely seriously. We are genuinely sorry for the disruption this issue has caused and we understand that people want answers.  This is a complex issue and we’re focused on continuing to work around-the-clock with our partners at Telecom towards a resolution,” said Laura Maxwell-Hansen, General Manager of Yahoo! New Zealand.

Users are urged to review their security settings and update their password, ensuring that the new password is a combination of letters, numbers and symbols.  Additionally, we would always recommend that users ensure their virus protection software is up to date.

More information and safety tips are available on the safety section of the Yahoo! New Zealand website - http://yhoo.it/Y4c3JP

There is currently no evidence to support reports that access has been gained to any user information beyond the customer’s email address book, however Yahoo! continues to monitor the situation.  

“Unfortunately, security attacks are commonplace globally and while we take every possible precaution to protect our customers, the fact remains that the criminals who undertake these activities are very sophisticated and no service operator is immune to attack,” she said.







7244 posts

Uber Geek
+1 received by user: 404


  Reply # 760411 12-Feb-2013 21:22 Send private message

freitasm: An update from Yahoo! received this minute:


More information and safety tips are available on the safety section of the Yahoo! New Zealand website - http://yhoo.it/Y4c3JP





Bit of a mistake for them to use a URL shortener, as it hides the true URL's location, and is what spammers do in their emails.

BDFL
49741 posts

Uber Geek
+1 received by user: 4523

Administrator
Trusted
Geekzone
Subscriber

  Reply # 760412 12-Feb-2013 21:24 Send private message

In their defence these weren't sent to their customers, but distributed to media.




61 posts

Master Geek


  Reply # 761585 13-Feb-2013 10:14 Send private message

hashbrown: This would be an interesting link for those who have had their accounts compromised to try.  Shows the login history of your account including IP address and location.

https://api.login.yahoo.com/login/history

Edit: fixed up URL formatting


Interesting - here's the relevant log snippet from my Mum's account:

9 Feb, 2013    6:24 PM    Browser     Logged In    Indonesia
9 Feb, 2013    6:23 PM    Browser     Mail Access    Indonesia

Sure enough, spam sent on Saturday night at that time.

Annoyingly I can't go any further back in time, but no access thereafter (changed password on the 10th for her)
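The login-history check above is the most useful evidence in this thread: a foreign login a minute before the spam went out. As an added example (not from the post), this parses rows in the layout shown above, flags entries from outside the account holder's usual countries, and correlates them with the time the spam was sent, so the same check can be run over a longer history. The two Indonesia rows copy the post; the New Zealand rows, the home-country set and the spam timestamp are constructed for illustration.

```python
"""Anomaly check over a Yahoo-style login history (date, time, client, action,
location). Added example on constructed input; runs offline."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# One row: "9 Feb, 2013    6:24 PM    Browser     Logged In    Indonesia".
# Action and location are separated by two or more spaces; both may contain one.
ROW_RE = re.compile(
    r"^(?P<date>\d{1,2} \w{3}, \d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<client>\S+)\s+(?P<action>.+?)\s{2,}(?P<location>.+?)\s*$")

# Constructed sample. The Indonesia rows are the two quoted in the post; the
# New Zealand rows are invented to give the check a baseline.
SAMPLE_HISTORY = """\
10 Feb, 2013   9:02 AM    Browser     Logged In      New Zealand
9 Feb, 2013    6:24 PM    Browser     Logged In      Indonesia
9 Feb, 2013    6:23 PM    Browser     Mail Access    Indonesia
8 Feb, 2013    7:45 PM    Browser     Logged In      New Zealand
5 Feb, 2013    8:10 AM    Browser     Mail Access    New Zealand
"""


def parse_history(text: str) -> List[Dict]:
    """Rows into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip headings and blank lines
        when = datetime.strptime(f"{m['date']} {m['time']}", "%d %b, %Y %I:%M %p")
        events.append({"when": when, "client": m["client"],
                       "action": m["action"], "location": m["location"]})
    return sorted(events, key=lambda e: e["when"])


def unusual_locations(events: List[Dict], home: Set[str]) -> List[Dict]:
    """Events from a location the account holder does not normally log in from."""
    return [e for e in events if e["location"] not in home]


def events_near(events: List[Dict], when: datetime,
                window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Events within +/- window of a known point in time (e.g. when spam was sent)."""
    return [e for e in events if abs(e["when"] - when) <= window]


def triage(text: str, home: Set[str], spam_sent_at: datetime) -> Dict:
    """Foreign logins, those correlated with the spam burst, and the earliest one.
    Any session before 'first_foreign' is the last point the account was clean."""
    events = parse_history(text)
    foreign = unusual_locations(events, home)
    first: Optional[datetime] = min((e["when"] for e in foreign), default=None)
    return {"foreign": foreign,
            "correlated": events_near(foreign, spam_sent_at),
            "first_foreign": first}


if __name__ == "__main__":
    result = triage(SAMPLE_HISTORY, {"New Zealand"}, datetime(2013, 2, 9, 18, 30))
    for e in result["correlated"]:
        print(e["when"], e["action"], "from", e["location"])
    print("account unsafe since:", result["first_foreign"])
```

The "first_foreign" timestamp is the one to act on: anything the account could reach after it (address book, mailbox contents, any site that sends password resets to that mailbox) should be treated as exposed, and the password change only helps if it also invalidates the sessions that were already open.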


1429 posts

Uber Geek
+1 received by user: 71


  Reply # 761636 13-Feb-2013 11:39

The log in history is interesting. I have had no indication that anything was wrong, I've not had any odd email and so far none of my contact list have had anything supposedly from me but the history shows that the account was accessed from India on Sunday night.

The Indian login was flagged as suspicious but I wouldn't have known about it unless I'd been prompted to look by this thread. If it's flagged as unusual why can't Yahoo send an email to the account holder or give that as a choice?

5968 posts

Uber Geek
+1 received by user: 109

Trusted
Subscriber

  Reply # 761641 13-Feb-2013 11:44 Send private message

Gmail does this, and will block suspicious logins, then email you to check the log and change your password. I had exactly that happen recently from a US East coast IP; I managed to trace the IP to the ISP, which interestingly specialised in tertiary institutions.

Cyril

Awesome
3968 posts

Uber Geek
+1 received by user: 562

Trusted
Subscriber

  Reply # 761651 13-Feb-2013 12:02 Send private message

I've just started using two-factor auth for Gmail as well.




Twitter: ajobbins
