The! Yahoo! eMail! Saga!

I've spent quite a lot of time over the last few days answering questions from worried users and trying to cope with fall out from a problem with infected emails which seems to be (mainly) affecting Yahoo!¹ users so I thought I'd write about it here so I could refer people to this article.

What's going on can affect people using any hosted email service. At the moment it seems to be affecting Yahoo! users in particular although I've also had reports of a user of BT being affected (they use Yahoo! to provide their email service) and in the past I've seen similar problems with Hotmail. A recent article in The Register confirms my suspicions that Yahoo! (and Microsoft) seem to be the ones currently in the firing line.

So what's happening?

As far as I can make out it starts with you receiving an email from someone you know. In the email is a hyperlink to a web site and the email encourages you to click on it. Here's a screen shot of an example we received today (with the domain part of the URL blurred out):

As you know the person you click on the link to see what it's about and then they've got you. At the very least they can then use your address book to send out a similar email to people you know. If you're using a webmail account (i.e. you're reading email via your web browser rather than a mail client like Thunderbird or Outlook) they don't need to know your password to do that as you're already logged in. So you pass the infection on.

That in itself wouldn't be too bad. It's annoying but it's not the end of the world. The worrying part is, as Martijn Grooten of Virus Bulletin, notes in the article in The Register:

A significant portion of the links in these emails attempt to install malware (typically via exploit kits such as Blackhole), they are more than a mere nuisance.

So if your PC is not up to date with all the latest security updates and fixes, and there's more of those every week, then you could be one of the unlucky ones infected.

Cutting to the chase what can you do to stop yourself being caught out? I'd say the list looks like this:

1. Always treat unsolicited email with suspicion, even when it's apparently from people you know.
2. Always hover over any hyperlink in an email to see where it's really going to take you rather than where it claims it's going to before clicking on it. If you're in any doubt don't do it. Email the person back and ask them what it's all about.
3. Treat any attachment in an email with suspicion. You are running anti-virus software I hope so make sure that's had a sniff of any attachment before you open it.
4. This should be common sense anyway but make sure you keep your PC up to date with all security updates, especially if you are using a Windows PC.
5. Consider turning off Java (but not JavaScript) unless you have a particular need for it².
6. Consider stopping using your browser as your mail client but instead using a dedicated mail client. We use Mozilla Thunderbird here which is free and available for Windows, Mac OS X and Linux but you might prefer Outlook or Outlook Express if you're on Windows.

This is still going on and the emails are getting better crafted. For example here's one I received today:

The "CLICK HERE" link was to a tinyurl URL so you couldn't tell if it was dangerous or not. (It is, or rather was: I cautiously checked down the chain and it bounces you through several more addresses to a site which has now been taken down.)

1. Apologies for the headline for this article: I blame The Register who do this on the headline of all their articles about Yahoo! as a gentle piss take on Yahoo's insistence that their name always includes the "!", this one for example Yahoo! and! Microsoft! have! long! way! to! go! in! account! hijack! fight! which is particularly relevant here.
2. Very few sites actually rely on Java to function but it has a very bad record of having security vulnerabilities in it.