In what appears to be a coordinated assault, the e-mail accounts of more than a dozen rights activists, academics and journalists who cover China have been compromised by unknown intruders. A Chinese human rights organization also said that hackers disabled its Web site for a fifth straight day.
The infiltrations, which involved Yahoo e-mail accounts, appeared to be aimed at people who write about China and Taiwan, rendering their accounts inaccessible, according to those who were affected. In the case of this reporter, hackers altered e-mail settings so that all correspondence was surreptitiously forwarded to another e-mail address.
So, how were these Yahoo email accounts broken into? The news article offers a possible scenario:
Paul Wood, a senior analyst at the Symantec Corporation, said a growing number of malignant viruses were tailored to specific recipients, with the goal of tricking them into opening attachments that would insert malware onto their computers. Mr. Wood said his company, which designs anti-virus software, now blocks about 60 such attacks each day, up from 1 or 2 a week in 2005. “They’re very well crafted and extremely damaging,” he said.
Targeted malware may very well have been the attack vector here; however, I can't help but also think about the distributed brute force attacks that we are seeing against Yahoo accounts through the WASC Distributed Open Proxy Honeypot Project. Brute forcing login credentials is still quite an effective means of hijacking accounts. As I outlined in the other blog post, attackers have found that they can target a web services URL to conduct their attacks without any restrictions such as CAPTCHAs.
Well, in addition to the web service authentication URLs, we are now also seeing the attackers target mobile (WAP) authentication services. Here are some of the different mobile Yahoo subdomains being targeted:
in.wap.yahoo.com
mlogin2.mobile.re4.yahoo.com
mobile1.login.vip.sp2.yahoo.com
my.rf.wap.yahoo.com
ph.wap.yahoo.com
sushi2.mobile.ch1.yahoo.com
webgw1.mobile.re3.yahoo.com
webgw3.mobile.re3.yahoo.com
Here is the response one of these mobile login hosts returns when the submitted credentials are wrong:
HTTP/1.1 302 Found
Date: Wed, 31 Mar 2010 14:49:03 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate
Set-Cookie: B=emj89nt5r6o6v&b=3&s=lo; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.yahoo.com
Location: /p/login?.done=/p/&.pc=5135&.error=7&ignore=signin&ySiD=32CzS0e2khOZCLqXwuFj
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Notice that the Location header sends the user back to the login URL with parameters indicating that there was an error (.error=7). In contrast, when authentication succeeds, the user is redirected to a different URL:
HTTP/1.1 302 Found
Date: Wed, 31 Mar 2010 14:48:46 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate
Set-Cookie: B=derbda55r6o6e&b=3&s=ml; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.yahoo.com
Location: /p/?.data=LnlpZCUzZFU4ZjZDNWZRZ25vb2VkX19lZy0tJTI2Lnl0cyUzZDIwMTAwMzMxMTQ0ODQ3JTI2LnlndCUzZEhlbGxvIEh1Z2glMjYueWludGwlM2R1cyUyNi55Y28lM2R1cyUyNi55ZW0lM2RkYXZpc19odWdoQHlhaG9vLmNvbSUyNi55eW0lM2RkYXZpc19odWdoQHlhaG9vLmNvbSUyNi55bm0lM2RIdWdoIERhdmlzJTI2LnloaWQlM2RkYXZpc19odWdoJTI2LnlyZWclM2QxMDY1NzA0NDc4&.ys=XkVVQzpv_oOsltCTiJwm3.c9zrQ-&ySiD=zmCzS9GqZrL1pVcmUygz
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
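The difference between those two redirects is the whole success oracle a credential-guessing tool needs: it never has to render the HTML, only inspect the 302 Location target. The following is an added example (my own code, not a tool from the forums the post mentions) that parses a raw response and classifies the attempt. The two captured responses from above are embedded as strings, trimmed to the relevant headers, and the long .data value of the successful redirect is replaced with a short constructed placeholder; the 200 response is constructed to show the "unknown" path.

```python
from urllib.parse import urlsplit, parse_qs

# Captured responses from the post, trimmed to the headers that matter.
# The .data blob in the successful redirect is a constructed placeholder.
FAILED_LOGIN = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Wed, 31 Mar 2010 14:49:03 GMT\r\n"
    "Cache-Control: private, no-store, no-cache, must-revalidate\r\n"
    "Set-Cookie: B=emj89nt5r6o6v&b=3&s=lo; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.yahoo.com\r\n"
    "Location: /p/login?.done=/p/&.pc=5135&.error=7&ignore=signin&ySiD=32CzS0e2khOZCLqXwuFj\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)
SUCCESSFUL_LOGIN = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Wed, 31 Mar 2010 14:48:46 GMT\r\n"
    "Cache-Control: private, no-store, no-cache, must-revalidate\r\n"
    "Set-Cookie: B=derbda55r6o6e&b=3&s=ml; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.yahoo.com\r\n"
    "Location: /p/?.data=QUJDREVGR0hJSktMTU4&.ys=XkVVQzpv_oOsltCTiJwm3.c9zrQ-&ySiD=zmCzS9GqZrL1pVcmUygz\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)
# Constructed: a non-redirect answer, e.g. the login form served again with a CAPTCHA.
FORM_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP response; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]          # ignore the body entirely
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])  # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")    # values such as Date contain ':' themselves
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_login(raw):
    """'failed', 'success' or 'unknown', judged solely from the 302 Location target."""
    status, headers = parse_response(raw)
    if status != 302 or "location" not in headers:
        return "unknown"
    target = urlsplit(headers["location"])
    query = parse_qs(target.query)
    if target.path.endswith("/login") and ".error" in query:
        return "failed"       # bounced back to the login form with an error code
    if target.path == "/p/" and ".data" in query:
        return "success"      # sent on to the mobile portal with a session blob
    return "unknown"


def login_error_code(raw):
    """The .error value from a failed-login redirect, or None if there is none."""
    status, headers = parse_response(raw)
    if status != 302 or "location" not in headers:
        return None
    query = parse_qs(urlsplit(headers["location"]).query)
    return query.get(".error", [None])[0]


if __name__ == "__main__":
    for label, raw in (("failed", FAILED_LOGIN), ("success", SUCCESSFUL_LOGIN), ("form", FORM_PAGE)):
        print(label, "->", classify_login(raw), "error:", login_error_code(raw))
```

The same two-line check is what makes these endpoints attractive to attackers: an interactive login page that varies its markup, adds a CAPTCHA, or returns the same redirect for good and bad passwords would force the tool to do real parsing, while a bare 302 with .error= in it costs the attacker nothing to interpret.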
It is interesting to note that the hacker underground is keeping track of all of these different authentication servers and the various authentication mechanisms in use. Just do a Google search for "Yahoo Servers for cracking" and you will get a long list of user forums where hackers post both the Yahoo authentication hosts and automated tools for brute forcing them (such as the tool shown in the image on the right).
The lesson learned from this data is that there are many ways in which attackers may be able to hijack users' email accounts. For organizations attempting to defend against these types of attacks, it is critical that all authentication mechanisms are identified and that proper access control is implemented for each one (specifically, whether end users are allowed to interact with it directly, or whether it is supposed to be used only by other authorized partners).
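On the defensive side, the same redirect oracle can be turned around: once every authentication host is inventoried, the failed and successful redirects in proxy or web server logs give a clean signal for distributed guessing against a single account. The following is an added example (my own code, not part of the honeypot project's tooling) that runs over constructed log lines in a simple space-separated format I made up for the example; the hostnames are the mobile Yahoo hosts listed above. It groups failures per login name across distinct source IPs, flags accounts that are being guessed from many sources, and notes when a success from yet another IP follows the failures, which is the pattern of a password that was eventually found.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed log lines (not data from the post). Fields: source IP, timestamp,
# target host, request path, login name submitted, HTTP status, Location header.
SAMPLE_LOG = """\
10.0.0.1 2010-03-31T14:49:03Z mlogin2.mobile.re4.yahoo.com /p/login alice 302 /p/login?.done=/p/&.error=7
10.0.0.2 2010-03-31T14:49:05Z in.wap.yahoo.com /p/login alice 302 /p/login?.done=/p/&.error=7
10.0.0.3 2010-03-31T14:49:08Z webgw1.mobile.re3.yahoo.com /p/login alice 302 /p/login?.done=/p/&.error=7
10.0.0.4 2010-03-31T14:49:09Z ph.wap.yahoo.com /p/login alice 302 /p/login?.done=/p/&.error=7
10.0.0.5 2010-03-31T14:49:12Z sushi2.mobile.ch1.yahoo.com /p/login alice 302 /p/login?.done=/p/&.error=7
10.0.0.6 2010-03-31T14:49:15Z webgw3.mobile.re3.yahoo.com /p/login alice 302 /p/?.data=QUJD
10.0.0.7 2010-03-31T14:50:01Z mobile1.login.vip.sp2.yahoo.com /p/login bob 302 /p/login?.done=/p/&.error=7
10.0.0.7 2010-03-31T14:50:04Z mobile1.login.vip.sp2.yahoo.com /p/login bob 302 /p/login?.done=/p/&.error=7
10.0.0.8 2010-03-31T14:51:00Z my.rf.wap.yahoo.com /p/login carol 302 /p/?.data=QUJD
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<login>\S+) (?P<status>\d{3}) (?P<location>\S+)$"
)


def outcome(location):
    """The redirect oracle: back to /p/login with .error= is a failure, /p/?.data= a success."""
    target = urlsplit(location)
    query = parse_qs(target.query)
    if target.path.endswith("/login") and ".error" in query:
        return "failed"
    if target.path == "/p/" and ".data" in query:
        return "success"
    return "unknown"


def parse_log(text):
    """Parse the constructed format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate junk rather than abort the whole run
        event = m.groupdict()
        event["outcome"] = outcome(event["location"])
        events.append(event)
    return events


def find_distributed_guessing(events, min_failures=3, min_sources=3):
    """Logins that failed >= min_failures times from >= min_sources distinct IPs.

    Each alert also records whether a later success came from an IP that was
    not among the guessing sources, i.e. the account is likely compromised.
    """
    state = defaultdict(lambda: {"failures": 0, "sources": set(), "hosts": set(), "success_from": None})
    for e in sorted(events, key=lambda ev: ev["ts"]):   # ISO timestamps sort lexically
        rec = state[e["login"]]
        if e["outcome"] == "failed":
            rec["failures"] += 1
            rec["sources"].add(e["ip"])
            rec["hosts"].add(e["host"])
        elif e["outcome"] == "success" and rec["failures"] and rec["success_from"] is None:
            rec["success_from"] = e["ip"]               # first success after failures
    alerts = {}
    for login, rec in state.items():
        if rec["failures"] >= min_failures and len(rec["sources"]) >= min_sources:
            alerts[login] = {
                "failures": rec["failures"],
                "distinct_sources": len(rec["sources"]),
                "hosts": sorted(rec["hosts"]),
                "likely_compromised": rec["success_from"] is not None
                and rec["success_from"] not in rec["sources"],
            }
    return alerts


def hosts_targeted(events):
    """Login attempts per authentication host: the inventory a defender must cover."""
    return Counter(e["host"] for e in events if e["path"] == "/p/login")


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for login, alert in find_distributed_guessing(evts).items():
        print(login, alert)
    print(hosts_targeted(evts).most_common())
```

Two design points matter in practice. Per-IP rate limiting never fires on this traffic, since the guesses for alice arrive from six different proxies with one attempt each, so the aggregation has to be keyed on the target account (and, for spraying, on the source across many accounts). And the host counter only works if the inventory of authentication endpoints is complete: a WAP gateway that is not in the log feed is exactly the one the forums will point attackers at.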