Free Republic
Browse · Search
News/Activism
Topics · Post Article

YAHOO! users being targeted by HACKER
FreeRepublic Exclusive ^ | Oct. 29, 2003 | Johnathan R. Galt

Posted on 10/29/2003 2:52:39 PM PST by JohnathanRGalt

YAHOO! users being targeted by HACKER.

An evil hacker (probably some spammer pissed about having his spam blocked by Yahoo! SpamGuard™) has developed a new technology which completely fools SpamGuard™.  Embedded in the messages is a powerful hacker exploit which damages the operating system of the unsuspecting Yahoo! user if they follow any of the links or click on the "unsubscribe me" opt-out link which is required by Minnesota and California laws governing UCE (Unsolicited Commercial Email). The hacker has been using it to harass millions of Yahoo! users for months and thereby exacting his terrible revenge on the Yahoo! company.

SpamGuard™ technology is powerless to stop the messages.

SpamGuard™ protected messages include a special "This is Spam" link which Yahoo! users may click to (A) block the address of the sender -- which is ineffectual since the spammer uses a different email address every few hours. Or, (B) 'Report the Message to Help Us Improve SpamGuard™!' which is also ineffectual since the developers of SpamGuard™ are unable to figure out a solution to the problem.  I have personally clicked on option (B) hundreds of times over many weeks.

The spammer has found that if he embeds nonsense words such as "Edens Tuckett Overfelt Lagrange Eriks" in a creamy, almost-white, shade of beige, colored font hidden at the beginning of an HTML formatted message then SpamGuard™ will think it is a valid message and will pass it on to unsuspecting Yahoo! users.  Since the words are randomly changed with each new message, the filter SpamGuard™ uses cannot recognize the message as spam. The spammer is also careful to send a different message out in small batches to less than 20 Yahoo! users at a time.

This spam is also socially engineered.

The 'I Love You!' virus was able to wreak havoc around the world in a very short time because of its diabolical social-engineering (all humans want to find out who would send them a love letter).  The subject of the message got the recipient to click on the attachment allowing the virus to re-mail itself to everyone in their Microsoft Outlook™ address book.  This is because Microsoft Outlook™ developers are unable to figure out a solution to the problem.

The Yahoo! users -- upon seeing yet another UCE offering low-cost life or car insurance, real Viagra™ delivered from offshore pharmaceutical warehouses, or a bigger penis with herbal pills -- are whipped into a frenzied rage and either (A) click on the link to find out which ISP is hosting the goddamned spamvertised site so he can get a take-down of the site because of ToS (Terms of Service) violation. Or (B) click on the "unsubscribe me" opt-out link so he can stop receiving spams from the UCE bulk mailer in accordance with laws of California or Minnesota.

Either way, the Yahoo! user is doomed to suffer.

The links in the message itself are the hack.  If you are to look into the HTML source of the message and see how it is constructed, you would see that the URL (Uniform Resource Locator) is very, very long and looks something like this:

http://www.aol.com/ams/clickThruRedirect.adp?4951%3C8379,1459%3C6503%3C539
2x6032%3C4070,http://s17.r6YJ45181n.com.FXENL4t6T5JqiF.j5M7pfjRdNYqkc776Qm
.r50bON.entrance534.com/life1?fSlj6i3PAfg757ecV3cBkAs2RpqmflolM0MRbQk83gie
pdGdE6DJlIbo0XYoHnWT7jU0C8SgqOQFXENLC6V48PDBooj5M7pfjRdNYqkc776QmU82Js17h8
33WWRr7cXGk0FV2YLKfes8U1go6BmdIg

Clicking on such a link triggers the well-known HTML overflow exploit, thereby crashing the user's computer and perhaps messing up the data on his hard drive.  This is because browser developers are unable to figure out a solution to the problem.

Here's a sample of the actual spam.  

You don't want to click on any links below this line.
___________________________________________________________________

X-Apparently-To: johnathanrgalt@yahoo.co.uk via 217.12.10.53; Wed, 29 Oct 2003 04:51:41 -0800
Return-Path: <ibsenishexpoliar23312@msn.com>
Received: from 65.54.169.104 (EHLO hotmail.com) (65.54.169.104) by mta125.mail.sc5.yahoo.com with SMTP; Wed, 29 Oct 2003 04:51:41 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 29 Oct 2003 04:51:40 -0800
Received: from 208.38.28.17 by bay3-dav74.bay3.hotmail.com with DAV; Wed, 29 Oct 2003 12:51:40 +0000
X-Originating-IP: [208.38.28.17]
X-Originating-Email: [ibsenishexpoliar23312@msn.com]
From: "Daye" <MayberryWolsdorf8760@webmail.com> | This is Spam | 
To: Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.ie, Send an Instant Message  XXXXXXXXX@yahoo.com,  Send an Instant Message johnathanrgalt@yahoo.co.uk, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com, Send an Instant Message  XXXXXXXXX@yahoo.com
Subject: Offer Security For Your Family
Date: Wed, 29 Oct 2003 07:51:34 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_6EA9_7DC3A132.56B22586"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Windows Eudora Version 1.4.4
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Message-ID: <BAY3-DAV74447McjDhl000591e7@hotmail.com>
X-OriginalArrivalTime: 29 Oct 2003 12:51:40.0460 (UTC) FILETIME=[65BB86C0:01C39E1B]
Content-Length: 1428


Edens Tuckett
Overfelt Lagrange Eriks

Get A FREE Life Insurance Quote From Over 50 Competitors!

dE 3nE Please Visit Our Webiste hbT XYoH
Bonatti Schraub
Even if youre on your own for the first time, just getting married, starting a family, or simply enjoying retirement life insurance can help provide monetary death benefits to those you designate as beneficiaries.
Bonatti Schraub

dE 3nE Please Visit Our Webiste hbT XYoH
Mireles Bauguess
Discover the lowest available premiums
Bownds Fuschetto
Waligora

Vandriel Wiedman
unsubscribe your email now click


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Miscellaneous; Political Humor/Cartoons; Technical
KEYWORDS: computersecurity; hack; hacker; lowqualitycrap; microsoft; overflow; spam; uce; windows; yahoo

1 posted on 10/29/2003 2:52:40 PM PST by JohnathanRGalt
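
A defender-side check for the two traits the post above describes: filler words in a near-white font, and a link that passes through a redirector to a second host. This is an added example, not code from the thread or from Yahoo!; the 0.9 brightness threshold, the white page background, the `<font color>` markup and the `.example` hosts are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

def brightness(color):
    """Perceived brightness 0..1 of a #rrggbb colour; None if not hex."""
    m = re.fullmatch(r"#?([0-9a-fA-F]{6})", color.strip())
    if not m:
        return None
    r, g, b = (int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4))
    return (0.299 * r + 0.587 * g + 0.114 * b) / 255

class MailScanner(HTMLParser):
    """Collects text shown in near-white <font> tags, plus every link target."""
    def __init__(self, threshold=0.9):  # assumed cut-off against a white page
        super().__init__()
        self.threshold, self.fonts, self.hidden, self.links = threshold, [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "font":
            lum = brightness(attrs.get("color") or "")
            inherited = self.fonts[-1] if self.fonts else False
            # A <font> without a usable colour inherits its parent's state.
            self.fonts.append(inherited if lum is None else lum >= self.threshold)
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "font" and self.fonts:
            self.fonts.pop()

    def handle_data(self, data):
        if self.fonts and self.fonts[-1] and data.strip():
            self.hidden.append(data.strip())

def embedded_url(href):
    """Second absolute URL carried in the query string of href, or None."""
    m = re.search(r"https?://[^\s,&]+", unquote(urlsplit(href).query))
    return m.group(0) if m else None

def scan(html):
    s = MailScanner()
    s.feed(html)
    hops = [(urlsplit(h).hostname, urlsplit(embedded_url(h)).hostname)
            for h in s.links if embedded_url(h)]
    return {"hidden_text": s.hidden, "redirects": hops}

# Constructed sample: the filler words are from the post; markup and hosts are not.
SAMPLE = ('<html><body bgcolor="#FFFFFF"><font color="#FFFEF5">Edens Tuckett '
          'Overfelt Lagrange Eriks</font><font color="#000080">Get A FREE Quote</font>'
          '<a href="http://redirector.example/click?id=1,http://a.b.landing.example/life1?x=y">'
          'Please Visit</a></body></html>')
```

Calling `scan(SAMPLE)` returns the hidden filler words and the (redirector host, final host) pair; colours set through CSS rather than `<font color>` are outside what this sketch inspects.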

To: JohnathanRGalt
Has this exploit been confirmed on all browsers, or is only Microsoft's Internet Explorer (IE) vulnerable? Do tell...
2 posted on 10/29/2003 2:58:27 PM PST by Prime Choice (I want to be immortal. Then I'll never have to vote Democrat.)

To: JohnathanRGalt
I never click on those links anyway. Just tells them they have an active email account. Thanks for the warning. I have a yahoo account I use.
3 posted on 10/29/2003 3:00:55 PM PST by .38sw

To: JohnathanRGalt
Aha! That is why my yahoo e-mail sucks and my hard drive was acting funky. Do you know a way out of this mess?
4 posted on 10/29/2003 3:01:29 PM PST by ThreeYearLurker

To: JohnathanRGalt
Yet another reason to not use Outlook, IE, or Windows. This isn't affecting any Yahoo users on Macs or Linux boxes...
5 posted on 10/29/2003 3:07:07 PM PST by Doug Loss

To: Doug Loss
Do you know this for a fact?
6 posted on 10/29/2003 3:10:33 PM PST by John W

To: John W
From the article: "Clicking on such a link triggers the well-known HTML overflow exploit, thereby crashing the user's computer and perhaps messing up the data on his hard drive."

This is a Windows-only exploit; it doesn't affect non-Windows systems.

7 posted on 10/29/2003 3:25:10 PM PST by Doug Loss

To: JohnathanRGalt
SpamGuard has been improved just today, by my reckoning. You can report a message as spam and delete it with one click. I have been doing so. ZAPZAPZAP!!!

Death to Spam!
8 posted on 10/29/2003 3:28:39 PM PST by Ronin (Qui docet discit!)

To: JohnathanRGalt
Thanks for the information. I was wondering why I have had so many more spam messages making their way into my Yahoo mail box lately. I never open mail I don't recognize and just trash it, but I took a look at what was in my trash folder and was surprised at how many seem to fit exactly the pattern you described.
9 posted on 10/29/2003 3:46:18 PM PST by Flying Circus (As you do pray, so you do believe)

To: Ronin
SpamGuard has been improved just today, by my reckoning. You can report a message as spam and delete it with one click. I have been doing so. ZAPZAPZAP!!!

and a different looking spam is sent next time -- and is delivered right to my inbox. SpamGuard fails to recognize it.

10 posted on 10/29/2003 5:33:15 PM PST by JohnathanRGalt (---- Fight Islamist CyberTerror at: http://haganah.org.il/haganah/index.php ----)

To: Prime Choice
Has this exploit been confirmed on all browsers, or is only Microsoft's Internet Explorer (IE) vulnerable? Do tell...

It's not just IE, I've confirmed the exploit on Netscape 7.1

11 posted on 10/29/2003 5:34:41 PM PST by JohnathanRGalt (---- Fight Islamist CyberTerror at: http://haganah.org.il/haganah/index.php ----)

To: JohnathanRGalt
True, and I zap that one too. Unopened.

There is no relief in sight because the spammers are the warhead and the SpamGuard is the armor.
12 posted on 10/29/2003 5:40:21 PM PST by Ronin (Qui docet discit!)

To: JohnathanRGalt
This sounds really stupid to me. I don't know any specific details about the exploit, but I used to write data entry programs under COBOL, then Unix C and DOS, then VB. I never allowed any data that could harm the program. I always read and validated any stream of data one character at a time. I had plenty of horsepower to do this with 8088 CPUs. There's no excuse for data crashing a program.
13 posted on 10/29/2003 5:44:09 PM PST by js1138

To: John W; Doug Loss
Yet another reason to not use Outlook, IE, or Windows. This isn't affecting any Yahoo users on Macs or Linux boxes...

This is a Windows-only exploit; it doesn't affect non-Windows systems.

No, Macs, Linux and other Unix boxes can be brought down with stack overflow exploits.

It's a programmer error in the browser code that parses the URL. The code parsing the URL does not check to see if the URL is longer than the buffer allocated for it.

If you'd like to find out if your particular box is susceptible I can forward you one of the evil emails and you can try clicking on the link.

14 posted on 10/29/2003 5:57:36 PM PST by JohnathanRGalt (---- Fight Islamist CyberTerror at: http://haganah.org.il/haganah/index.php ----)

To: js1138
There's no excuse for data crashing a program.

I agree.

Nor is there any excuse for a program crash to bring down the entire operating system (as Macs used to do, and Windows still does).

15 posted on 10/29/2003 5:59:58 PM PST by JohnathanRGalt (---- Fight Islamist CyberTerror at: http://haganah.org.il/haganah/index.php ----)

To: Ronin
There is no relief in sight because the spammers are the warhead and the SpamGuard is the armor.

I have to admit, for most other spam, SpamGuard works. Except for this particular (and dangerous) spam my inbox is usually free of spam.

I'm just saying there is a chink in the armor of SpamGuard. An evil hacker has found SpamGuard's Achilles heel.

After my first painful lesson, I now know enough not to click the URLs.

I just pity the fools (other Yahoo users) who have to go through what I did.

16 posted on 10/29/2003 6:11:25 PM PST by JohnathanRGalt (---- Fight Islamist CyberTerror at: http://haganah.org.il/haganah/index.php ----)

To: unix; rdb3
sigh.... malicious web code is anything but unusual.
17 posted on 10/29/2003 6:15:56 PM PST by Freemeorkillme

To: JohnathanRGalt
It's been a long time since I saw a program bring down windows. Sometimes a hardware failure requires a restart, but I haven't rebooted windows for software issues since win2000 came along.
18 posted on 10/29/2003 6:17:03 PM PST by js1138

To: js1138
I haven't rebooted windows for software issues since win2000 came along.

I'm on Windows 2000.

I wonder if the exploit will work on WinXP?

19 posted on 10/29/2003 6:22:28 PM PST by JohnathanRGalt (---- Fight Islamist CyberTerror at: http://haganah.org.il/haganah/index.php ----)

To: JohnathanRGalt
Oh, I am sure that Yahoo will plug this hole, eventually. But by that time the evil geniuses who figured out this trick will have come out with something else.

It's a never-ending cycle.
20 posted on 10/29/2003 6:52:39 PM PST by Ronin (Qui docet discit!)



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson