Security alert - Beware of URLS with "yepyep" ...

Diva Las Vegas Discussion Forum

Security alert - Beware of URLS with "yepyep" ...

Postby annie » Wed Nov 28, 2012 8:04 am

Last night we received an unusual amount of mail to various DLV and Pinkfest associated accounts from DLVers, many with very familiar names, which shows that a number of you have e-mail accounts, mostly within the yahoo.com domain, which have been compromised.

Within the past 12 hours or so this seems to be almost a chain reaction.

Spam is being sent from the compromised accounts, containing a url with the letters "yepyep" toward the end.

If you receive a message with such a URL, even from someone you know and regularly correspond with, do not click it! Delete it! Many of these bogus messages have a blank subject and a short message containing the URL.

For those who got a security alert from us on this, please don't shoot the messenger. The best thing to do is change your yahoo (or whatever) password from a known-clean machine and give the machine you usually use for e-mail a good malware scan.

Thanks, gang!
annie
Elector
 
Posts: 1404
Joined: Mon Oct 11, 2010 9:07 pm
Location: Somewhere in Middle America

Security alert - Beware of URLS with "yepyep" ...

Postby External Poster » Wed Nov 28, 2012 10:02 am

This posting is from: Delaney
----------

Annie,

Apparently they hacked into the Esprit site as well. I ran all the
scans on mine, the machine appears clean. Did you get my email wrt Big
Sisters, or was I one of the hacked?

Thanks,

Delaney

----------
(This posting was entered by Delaney, an external user of MyDLV.)
External Poster
External
 
Posts: 0
Joined: Wed Oct 13, 2010 1:37 pm

Security alert - Beware of URLS with "yepyep"

Postby External Poster » Wed Nov 28, 2012 2:34 pm

This posting is from: annie
----------

> Apparently they hacked into the Esprit site as well. I ran all
> the scans on mine, the machine appears clean. Did you get my
> email wrt Big Sisters, or was I one of the hacked?

No, your account appears clean, at least as far as this is concerned.
Your item came through fine, and it will go out in the next ORG
mailing.

This latest round of e-mail hijacking does appear to involve the TG
community simply because each other's e-mail addresses are in each
other's contact lists and address books. The malware, when activated
by the victim clicking on a link and giving permission to continue,
goes into the address book, grabs 10 or so contacts, and sends the
malware link to those. Rinse, repeat. Therefore a lot of accounts
within our community get compromised because curious people click
on a link allegedly sent by someone they know.

Today's bombing run was promotion of a work at home scam. The target
site appears to have been shut down a couple of hours ago, but the
damage has been done and many of our friends' accounts have been
used in an unauthorized manner.

We saw the same thing a while back when a similar thing spread in
our local TG support group. This case mostly involved Hotmail
accounts.

What's embarrassing to the victim is that the e-mail addresses from
the contact list, usually 10 or so of them, are revealed to all who
get the unauthorized message. We see such things as addresses which
belong to banks, counselors, obvious "adult" mailing lists of all
types, etc.

Bottom line, if you receive a message in e-mail which consists of a
link to click, be very careful, even though you may know the holder
of the account it came from.

----------
(This posting was entered by annie, an external user of MyDLV.)
External Poster
External
 
Posts: 0
Joined: Wed Oct 13, 2010 1:37 pm

Re: Security alert - Beware of URLS with "yepyep" ...

Postby Michelle V » Wed Nov 28, 2012 3:10 pm

I got five of these this morning. I'm not stupid enough to click. They looked like spoofed email senders to me. You can send email in anyone's name if you know how to do it.
Michelle V
Guest
 
Posts: 105
Joined: Sun Feb 20, 2011 10:39 am

Security alert - Beware of URLS with yepyep ...

Postby External Poster » Wed Nov 28, 2012 3:59 pm

This posting is from: annie
----------

> I got five of these this morning. I'm not stupid enough to click.
> They looked like spoofed email senders to me. You can send email
> in anyone's name if you know how to do it.

Yes, it's very possible, almost trivial to send an e-mail which
appears to come from almost anybody.

However, that's not what we were seeing this morning.

There are some "footprints" in the e-mail that show that these came
from the accounts that were on the From: lines.

If you view the headers (most mailers have this option) you'll see
a bunch of gobbledygook, but the lines, specifically the "Received:"
lines, will reveal the system that last touched the e-mail before
handing off to the recipient, and in many cases where it really
originated from.

These are two lines from one of those e-mails we received this morning:

+Received: from nm18-vm2.bullet.mail.gq1.yahoo.com
+ (nm18-vm2.bullet.mail.gq1.yahoo.com [98.136.217.217])
+ by OUR MAIL RECEIVER (8.14.5/8.14.5) with ESMTP id qASFmSF8067546
+ for <dlv@geekbabe.com>; Wed, 28 Nov 2012 09:48:28 -0600 (CST)
+ (envelope-from VICTIM39@yahoo.com)

The one directly above cannot be forged or spoofed, since it was
added by a machine we control. It shows that the mail was sent to
the geekbabe.com mail receiver from a mail server known as
nm18-vm2.bullet.mail.gq1.yahoo.com, and further checks show that it
is a legitimate sending server for yahoo.com e-mail.

Therefore, there's no question about the fact that the bogus e-mail
came to us from Yahoo.

Digging deeper, we find another line which shows where on the greater
Internet the message was actually launched. If we look at this line
here:

+Received: from [87.5.147.214] by web163905.mail.gq1.yahoo.com via HTTP;
+ Wed, 28 Nov 2012 07:48:21 PST

This gives the ip address of 87.5.147.214 as the sending system, and
it appears that the web interface into the e-mail system was used.

We can very easily look up and see where in the world that originating
computer system is.

+[dmr@webservices ~]$ nslookup 87.5.147.214
+Server: 127.0.0.1
+Address: 127.0.0.1#53

+Non-authoritative answer:
+214.147.5.87.in-addr.arpa name =
+host214-147-dynamic.5-87-r.retail.telecomitalia.it.

We see that the offending message actually originated in Italy and
we kind of doubt that the true owner of that account actually had
entered in from an Italian ISP.

Now let's take a look at the warning message that our system
generated and sent to the holder of the hacked account. You will
see several entries from the account holder's address book, some
which may be quite personal in nature. This is the actual warning
message with names obfuscated somewhat.

+From: "geekbabe.com Abuse and Security" <abuse@geekbabe.com>
+To: VICTIM39@yahoo.com
+Subject: Important e-mail security notice to VICTIM39@yahoo.com
+Importance: High
+Status: OR

+Please read this message carefully. It contains information which you
+should be made aware of. Please take this notice seriously.

+The validity and authenticity of this message may be verified by
+e-mailing abuse@geekbabe.com if you desire.

+The below-referenced e-mail was sent to us under your name and we have
+reason to believe that you are unaware that it was sent.

+It was received by us on Tue, 27 Nov 2012 23:54:46 -0600 (CST) It
+contained your address, VICTIM39@yahoo.com, as that of the sender.

+Since it was received by our mail receiver directly from the sending
+e-mail server nm22.bullet.mail.gq1.yahoo.com, we believe that this was
+sent via the Yahoo mail system by someone assuming your identity.

+In addition, we would like to make you aware that the following
+contacts, from your contact list or address book, were revealed,
+included in the headers, to all who received this message:

+customerservice@SOMEDOMAIN.com
+FRIEND1@yahoo.com
+FRIEND2@yahoo.com
+FRIEND3@btopenworld.com
+BUSINESS1@aol.com
+FRIEND4@yahoo.com
+info@SRSPROVIDER.com
+dlv@geekbabe.com
+FRIEND5@yahoo.com

+It appears that the login credentials for the account VICTIM39@yahoo.com
+have been compromised and that the password for that account is known by
+and has been used by the individual(s) sending out the e-mail from your
+account under your name.

+We recommend that you review your computer security and take the
+necessary steps to correct this.

+If you are unsure about what to do, the following procedure has been
+effective in dealing with this and similar issues in the past.

+1. Using a known-clean computer system (not the one you normally use to
+access the VICTIM39@yahoo.com Yahoo account), log in and change your
+password to a new password known only to you.

+2. Before you use the computer system you usually use to access the
+VICTIM39@yahoo.com account, perform a virus/malware/spyware sweep using
+any of several available security programs. This will remove such things
+as spybots and keystroke loggers which may have been used to steal your
+login credentials.

+3. In the future, be very careful when clicking on any links in any
+received e-mail, when opening any attachments received via e-mail, or
+responding to any request to "verify your password" received in e-mail.

+Only in extreme circumstances is it necessary to abandon an e-mail
+account to correct this issue.

+If you have any questions or concerns regarding this notice, please
+e-mail: abuse@geekbabe.com

+Thank you for your attention and consideration.

+The body of the message received in your name appears immediately below.
+If you would like a full copy of this message for your reference or for
+your provider's abuse department, please request it by e-mailing
+abuse@geekbabe.com

+Text of received message appears below.
+. . . . . . . . . .

+http://HIJACKEDSERVER.com/wordpress/wp-content/yepyepop.php

Notice the one-liner message containing only the URL to click!

----------
(This posting was entered by annie, an external user of MyDLV.)
External Poster
External
 
Posts: 0
Joined: Wed Oct 13, 2010 1:37 pm
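A header walk of the kind annie describes above, as an added example (not code from the post or from MyDLV): it parses the Received: chain newest-first, trusts only the hop written by the receiving server, and reports the origin IP and whether the provider's web interface was used, which is what separates a stolen password from a merely spoofed From: line. The raw message is constructed from the two Received: lines quoted above; the receiver hostname and the provider suffix list are placeholders.

```python
import re
from email import message_from_string

# Constructed sample (not a captured message): the two Received: lines quoted
# above, rebuilt into a minimal raw mail; the receiver name is a placeholder.
OUR_RECEIVER = "mail.RECEIVER.example"
SAMPLE = f"""\
Received: from nm18-vm2.bullet.mail.gq1.yahoo.com
 (nm18-vm2.bullet.mail.gq1.yahoo.com [98.136.217.217])
 by {OUR_RECEIVER} (8.14.5/8.14.5) with ESMTP id qASFmSF8067546
 for <dlv@geekbabe.com>; Wed, 28 Nov 2012 09:48:28 -0600 (CST)
 (envelope-from VICTIM39@yahoo.com)
Received: from [87.5.147.214] by web163905.mail.gq1.yahoo.com via HTTP;
 Wed, 28 Nov 2012 07:48:21 PST
From: VICTIM39@yahoo.com
To: dlv@geekbabe.com

http://HIJACKEDSERVER.com/wordpress/wp-content/yepyepop.php
"""
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PROVIDER_SUFFIXES = (".yahoo.com",)  # assumed: the victim's provider hosts

def parse_hops(raw):
    """Return Received: hops newest-first; hops[0] was written by OUR server."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", text)
        if not m:
            continue
        ip = IPV4.search(text)
        hops.append({"from": m.group(1).strip("[]"), "by": m.group(2),
                     "ip": ip.group(1) if ip else None,
                     "via_http": "via HTTP" in text})
    return hops

def assess(raw, our_receiver=OUR_RECEIVER):
    """Distinguish a spoofed From: from mail really sent through the account."""
    hops = parse_hops(raw)
    # Only the hop our own receiver added is trustworthy; the hops below it
    # were written by other servers and could have been forged.
    if not hops or hops[0]["by"] != our_receiver:
        return {"verdict": "untrusted-headers", "origin_ip": None}
    handed_off_by_provider = hops[0]["from"].endswith(PROVIDER_SUFFIXES)
    origin = next((h for h in reversed(hops) if h["ip"]), None)
    via_webmail = bool(origin and origin["via_http"])
    verdict = ("account-compromised" if handed_off_by_provider and via_webmail
               else "spoofed-or-unknown")
    return {"verdict": verdict, "last_hop": hops[0]["from"],
            "origin_ip": origin["ip"] if origin else None,
            "via_webmail": via_webmail}
```

The reverse lookup of the origin IP (the nslookup step in the post) is deliberately left out so the example runs offline; an "account-compromised" verdict is the cue to send the password-change notice rather than a spoofing notice.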

