  1. DrewPre #1
    I don't know where else to put this. I searched on Malware and Spam and didn't find any other threads. If moved, please inform me where the new location is. Thanks.

    Anyway, I just completed a scan using MalwareBytes, ComboFix, and HijackThis on my host computer and each came back clean.

    However, my Yahoo account is getting a bunch of bounce-backs from emails sent from my account. The email contents have a single URL to Russian girls websites and no subject line.

    I am already getting inquiries from friends telling me that I am sending them a virus, and some friends in the know are telling me I am infected. Of course the above programs say otherwise.

    I've already checked the 'Sent' folder of my Yahoo account from my host PC. There is no evidence there of the emails being sent out.

    The only thing left is my Pre.

    The last three things installed were Preware, the "that's what she said" soundboard, and PreStop.

    Highly doubt it was Preware, but just wondering if anyone has experienced this.

    Palm Pre Backup Utility...done!
    Locate Pre....done!
  2. #2  
    Change your password on the mail account. They have hacked your account. I have seen this before. You may see a lot of unsent drafts too, since Yahoo limits the number of emails that can be sent at once...
  3. DrewPre #3
    Thanks, will do.

  4. rkguy #4
    Let us know what you find. Also contact Yahoo customer care and say your account has been hacked. You may also get a number to call if you click that.
  5. #5  
    Quote Originally Posted by DrewPre View Post
    Thanks, will do.
    There is a known virus moving around that spoofs an ATT registration page. It changes the hosts file to redirect your home page to an "ATT has detected a problem" page and asks you to sign into your ATT account to verify it. You then provide your member ID (email) and password. I don't know your service provider, but I suspect ATT...

    I have taken several calls regarding it, and each time Combo-fix finds it in a driver. Removing it has in each case killed DHCP and with it my remote control. You did check the log, right? Any connectivity issues after ComboFix?
    Last edited by mrloserpunk; 06/09/2010 at 12:31 AM.
    "When there is no more room in hell, the dead will walk the earth"


    PM me your questions, If I cant find an answer, I'll show you who can.
  6. DrewPre #6
    No, I am on Sprint.

    Couldn't find a link to the Yahoo! Customer Care.
    Last edited by DrewPre; 06/09/2010 at 01:19 AM.

  7. DrewPre #7
    This all occurred from 10:33-10:36pm. I wasn't on a computer in this time window. I hadn't been on a computer for over an hour at this point. But if it was done long before that window, I suspect Facebook. Maybe something associated with the m:vampire app. Pure speculation though.

    Here is a partial email header....

    Code:
    Message-ID: <799724.97454.qm@web35304.mail.mud.yahoo.com>
    X-YMail-OSG: ScfKXQcVM1nue41Apy27hSCjD3hJPWKdRCvMQ.znh9QWPX8
    Received: from [80.37.61.119] by web35304.mail.mud.yahoo.com via HTTP; Tue, 08 Jun 2010 19:35:35 PDT
    X-Mailer: YahooMailWebService/0.8.103.269680
    Date: Tue, 8 Jun 2010 19:35:35 -0700 (PDT)
    Code:
    Registry Whois	
    
    OrgName:    RIPE Network Coordination Centre
    OrgID:      RIPE
    Address:    P.O. Box 10096
    City:       Amsterdam
    StateProv:  
    PostalCode: 1001EB
    Country:    NL
    
    ReferralServer: whois://whois.ripe.net:43
    
    NetRange:   80.0.0.0 - 80.255.255.255
    CIDR:       80.0.0.0/8
    NetName:    80-RIPE
    NetHandle:  NET-80-0-0-0-1
    Parent:    
    NetType:    Allocated to RIPE NCC
    NameServer: NS-PRI.RIPE.NET
    NameServer: NS3.NIC.FR
    NameServer: SUNIC.SUNET.SE
    NameServer: SNS-PB.ISC.ORG
    NameServer: SEC1.APNIC.NET
    NameServer: SEC3.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    Comment:    These addresses have been further assigned to users in
    Comment:    the RIPE NCC region. Contact information can be found in
    Comment:    the RIPE database at http://www.ripe.net/whois
    RegDate:    
    Updated:    2009-03-25
    Code:
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf
    
    % Note: This output has been filtered.
    %       To receive output for a database update, use the "-B" flag.
    
    % Information related to '80.36.0.0 - 80.39.255.255'
    
    inetnum:         80.36.0.0 - 80.39.255.255
    netname:         RIMA
    descr:           Telefonica de Espana SAU
    descr:           Red de servicios IP
    descr:           Spain
    country:         ES
    admin-c:         ATdE1-RIPE
    tech-c:          TTdE1-RIPE
    status:          ASSIGNED PA
    mnt-by:          MAINT-AS3352
    mnt-lower:       MAINT-AS3352
    mnt-routes:      MAINT-AS3352
    source:          RIPE # Filtered
    
    role:            Administradores Telefonica de Espana
    address:         Ronda de la Comunicación s/n
    address:         Edificio Norte 1, planta 6ª
    address:         28050 Madrid
    address:         SPAIN
    org:             ORG-TDE1-RIPE
    admin-c:         ADT89-RIPE
    tech-c:          TTE2-RIPE
    nic-hdl:         ATdE1-RIPE
    mnt-by:          MAINT-AS3352
    abuse-mailbox:   nemesys@telefonica.es
    source:          RIPE # Filtered
    
    role:            Tecnicos Telefonica de Espana
    address:         Ronda de la Comunicacion S/N
    address:         28050-MADRID
    address:         SPAIN
    org:             ORG-TDE1-RIPE
    admin-c:         TTE2-RIPE
    tech-c:          TTE2-RIPE
    nic-hdl:         TTdE1-RIPE
    mnt-by:          MAINT-AS3352
    abuse-mailbox:   nemesys@telefonica.es
    source:          RIPE # Filtered
    
    % Information related to '80.37.0.0/16AS3352'
    
    route:           80.37.0.0/16
    descr:           RIMA (Red IP Multi Acceso)
    origin:          AS3352
    mnt-by:          MAINT-AS3352
    source:          RIPE # Filtered
    Last edited by DrewPre; 06/09/2010 at 01:18 AM.

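    The header and whois output above are the raw material for a simple check a mailbox owner can run on any message that claims to come from their account: which client IP the webmail front end recorded, when, and whether that address falls inside a network they actually use. The following is an added example and is not code from the thread or from Yahoo; the sample header is constructed to mirror the posted one (the Message-ID and recipient are placeholders), the "expected networks" allow-list is a hypothetical documentation range, and the inetnum range is the one the RIPE lookup above returned.

```python
"""Added example (not from the thread): pull the originating client IP and
timestamp out of webmail headers like the one posted above, map a RIPE
inetnum range to CIDR blocks, and flag a message whose origin is outside the
networks the mailbox owner normally uses."""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, modelled on the partial header in the thread.  The
# Message-ID and recipient are placeholders, not values from the thread.
SAMPLE_HEADERS = """\
Message-ID: <EXAMPLE-ID@web35304.mail.mud.yahoo.com>
Received: from [80.37.61.119] by web35304.mail.mud.yahoo.com via HTTP; Tue, 08 Jun 2010 19:35:35 PDT
X-Mailer: YahooMailWebService/0.8.103.269680
Date: Tue, 8 Jun 2010 19:35:35 -0700 (PDT)
To: recipient@example.invalid

(body omitted)
"""

# Hypothetical allow-list: networks the account owner actually logs in from
# (a documentation range, assumed for the example).
EXPECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# The webmail front end records the browser's address as "from [a.b.c.d]".
RECEIVED_FROM = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw):
    """Return the client IP from the earliest Received: header, or None.

    Each hop prepends its own Received header, so the last one in the list
    is the first hop, i.e. the webmail session that submitted the message.
    """
    received = message_from_string(raw).get_all("Received", [])
    for hop in reversed(received):
        match = RECEIVED_FROM.search(hop)
        if match:
            return ipaddress.ip_address(match.group(1))
    return None


def sent_time(raw):
    """Parse the Date: header into a timezone-aware datetime."""
    return parsedate_to_datetime(message_from_string(raw)["Date"])


def inetnum_to_networks(inetnum):
    """Convert a RIPE-style 'start - end' inetnum into CIDR blocks."""
    start, end = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(start, end))


def assess(raw, expected=EXPECTED_NETWORKS, whois_range="80.36.0.0 - 80.39.255.255"):
    """Summarise where a message came from and whether that is expected.

    whois_range defaults to the inetnum the thread's RIPE lookup returned.
    """
    ip = originating_ip(raw)
    if ip is None:
        return {"ip": None, "verdict": "no-client-ip"}
    from_expected = any(ip in net for net in expected)
    in_whois = any(ip in net for net in inetnum_to_networks(whois_range))
    return {
        "ip": str(ip),
        "sent": sent_time(raw).isoformat(),
        "from_expected_network": from_expected,
        "in_whois_range": in_whois,
        "verdict": "expected" if from_expected else "unexpected-origin",
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

    Run against the sample, the check reports the Spanish address, the send time in the sender's own timezone, and an "unexpected-origin" verdict because the address is not in the allow-list. Only the bottom-most Received header is trusted for the client IP; anything a sender adds above it is easily forged, which is also why the allow-list, not the whois country, is the thing to compare against.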
  8. #8  
    This doesn't mean your account was hacked... it could simply be that someone is 'spoofing' your account and using your address as the bounce-back. I've had this happen; it's common for spammers to spoof email addresses to try and get around spam filters.
  9. #9  
    Look in the Drafts folder, and the Sent folder if you save sent messages. Spoofing your account wouldn't give them access to your address book...
  10. #10  
    Register with the ComboFix guys and follow their instructions to the letter. Just because the logfile doesn't show an active infection does not mean there is not one. If you want to be sure, that is the only way to verify you don't have an infection.
    Don't get me wrong, you've done everything right, but you've only taken the first steps.
  11. #11  
    I can almost bet that your account was hacked. I'll bet you had a fairly easy password, yes? This method of spreading malware is becoming more common. Instead of spamming you with a malware link and hoping to trick you, they are using your account to spam your contacts. That's the only way you can explain that they had your contact list... spoofing your email wouldn't give them access to your contacts...

    That's a good reason to turn on the setting for saving your sent messages, and for checking your draft folder. Yahoo email only lets you send an email with about 20-25 names in the address field, to hinder spamming from a single message. Until they've made it through your entire list, you will see emails staged in your draft folder for each group of contacts.

    You can also look in the body of the rejected e-mails and see they came from email addresses that are no longer valid - job change, etc.

    Also, check the rejected e-mail to see the names of every person addressed in the message. You can contact them to apologize. You will likely see that they are in Alphabetical order as the contacts were chosen in order in blocks of 20-25 names...

    And finally, have yourself in your address book under your work or BlackBerry email address (with an underscore at the beginning of first and last names, _First _Last), so that if this happens you will be in the first batch of e-mails that go out.

    I've seen this scenario before, and the symptoms indicate that they were operating from inside your email account. Either they cracked your password or they were able to gain confidential information from Yahoo or another entity. For example, if they stole your email name and PW from a forum or e-commerce site, it would be safe to assume that you use the same password in your Yahoo account. So make sure you have a strong password (or consider cancelling that email account), and make sure that your email passwords aren't the same as what you use to sign up for various web sites...

    The company I work for, and previous ones that have a place to create a website account, have access to user names and passwords for members. It should be encrypted, controlled, etc., but that isn't always the case, especially in systems that aren't subject to PCI or haven't been updated with modern privacy controls... I almost always misspell my name so that I can somewhat tell where they got my info from...

    It would be helpful to others reading your story if you are willing to share your findings, such as whether you had a weak password, a password used for various websites, and/or what you found in your Sent/Drafts folders, and what you found in the address section of the undeliverable messages...

    BTW, this is another reason I don't keep my business contacts in a cloud... so a hacker couldn't spam all my business contacts if they should ever gain access to my info...
  12. DrewPre #12
    My password wasn't that easy...

    A phonetically spelled phrase with a number.

    A cap would have made it stronger.

    I do save sent messages, but the Sent folder had no records of the emails that were sent, on my phone or on my PC. I was thinking that if it was sent from my phone it could be in the cache there and not in my host PC's or Yahoo's cache.

    The Drafts folder was virtually empty. There were only a few emails from my Pre, from when I accidentally opened and then discarded an email; the Pre saves them to Drafts for you.

    Whoever did this was aware of the message limit Yahoo! places on emails. They sent a batch job of emails out from 10:33-10:36pm yesterday. Each member of the batch had recipients that never numbered more than 10 or so.

    I vaguely remember being prompted to re-login to Yahoo! mail yesterday. This is when I think it occurred. The prompt must have been a fake Yahoo! login interface and I entered my password in it and it was sent off to the spammer who resides in Spain.

    I have since changed my password everywhere and now have a password that is longer than 8 characters and uses caps and numbers. I have also enabled the sign-in seal and OpenID security features of Yahoo!. I think Yahoo! may have caught them relatively early in the process and shut them down, because emails weren't sent to anyone in my contact list whose name didn't start with a character between A and D.

    In the end, none of it is foolproof; you just have to make sure you're paying attention all the time to what/where you're typing your password.
    Last edited by DrewPre; 06/09/2010 at 11:58 AM.

  13. #13  
    Quote Originally Posted by DrewPre View Post
    My password wasn't that easy... it was ' xxxxx '

    A phonetically spelled phrase with a number.

    A cap would have made it stronger.

    I do save sent messages, but the Sent folder had no records of the emails that were sent, on my phone or on my PC. I was thinking that if it was sent from my phone it could be in the cache there and not in my host PC's or Yahoo's cache.

    The Drafts folder was virtually empty. There were only a few emails from my Pre, from when I accidentally opened and then discarded an email; the Pre saves them to Drafts for you.

    Whoever did this was aware of the message limit Yahoo! places on emails. They sent a batch job of emails out from 10:33-10:36pm yesterday. Each member of the batch had recipients that never numbered more than 10 or so.

    I vaguely remember being prompted to re-login to Yahoo! mail yesterday. This is when I think it occurred. The prompt must have been a fake Yahoo! login interface and I entered my password in it and it was sent off to the spammer who resides in Spain.

    I have since changed my password everywhere and now have a password that is longer than 8 characters and uses caps and numbers. I have also enabled the sign-in seal and OpenID security features of Yahoo!. I think Yahoo! may have caught them relatively early in the process and shut them down, because emails weren't sent to anyone in my contact list whose name didn't start with a character between A and D.

    In the end, none of it is foolproof; you just have to make sure you're paying attention all the time to what/where you're typing your password.
    Just a tip: Please edit your post to remove your former pw... there isn't any upside to having that indexed and floating around on the web... IMHO
    Last edited by Cantaffordit; 06/09/2010 at 02:30 PM.
  14. #14  
    Very interesting post! Thank you
  15. #15  
    Quote Originally Posted by Cantaffordit View Post
    Just a tip: Please edit your post to remove your former pw... there isn't any upside to having that indexed and floating around on the web... IMHO
    He did; now you should probably edit your quote?
  16. #16  
    Quote Originally Posted by mrloserpunk View Post
    he did, now you should probably edit your quote?
    Thank you for the reminder. I had meant to do that when I posted... but I got distracted.

    That happens a lot with me because I suffer from Attention Defec... hey squirrel!
  17. DrewPre #17
    Thanks to everyone for advice and feedback. Whether your input was accurate or not was irrelevant. Your input helped with the thought process and therefore the troubleshooting and the solution.

    All this does raise the question, if only in my uninformed mind, of security on webOS. In fact all mobile OSes...

    How hard is it to build ads into applications [which plenty of devs are doing] that, if clicked/tapped, send you to a fake [Google or Yahoo] page that requests your login credentials? Or maybe they send a message to the notification tray that your login credentials failed and you need to re-login, and you're presented with a fake login that way.

    When I did a search prior to creating this thread, I saw a thread discussing a law from 2004 banning spam to wireless providers. I assume there are laws that already cover spam/malware on wireless devices and sending from wireless devices. If not specifically, then indirectly.

    Aside from the laws, though, what is the current status of the battle against spam in the mobile arena? Are there apps/utilities that are comparable to MalwareBytes, HijackThis, ComboFix, et al. for mobile OSes? These types of apps are retroactive in nature, so are there any techniques/applications that are preventative? I mean, aside from a user taking extra care to protect his/her user credentials on the mobile device, are there any preventative measures or applications that can be used to preemptively block rogue applications and malware from generating spam?

    Or am I misunderstanding the problem?

  18. #18  
    There are two sorts of dangers wrapped into your post...

    Attacks such as spyware/viruses are handled by HijackThis/McAfee, etc. Someone familiar with Linux security should address this. My understanding is that Linux is inherently more secure, but probably not perfect. I don't think you can open executable mail attachments in webOS. I know I got a .xml attachment today, and I couldn't open it...

    In terms of phishing (i.e. bogus requests to log in...) that's pretty much an issue of social engineering.

    You would have to take action to accept an app being installed on your phone. Hopefully you would only install something from within the official App Catalog and/or Preware catalog to prevent that.

    However, if you go to a bogus site and enter credentials, nothing on your phone will stop that.

    Personally, I don't open or respond to email on my phone except those that come from a known source and require instant attention. I need to see stuff on a big display with all the formatting to really know if something is legit.

    In the case of the bogus email that you "sent" to your contacts, I might have opened it because I knew you, but I definitely wouldn't click on the link contained in the message (especially because it probably didn't have a subject line, right?)

    I'm probably a bit old fashioned, but I use my phone to surf and read more than to create or edit. So my on-line banking will be done from my PC, and creating contacts will be done in Outlook.

    A dev will have to weigh in on how a virus could or couldn't be delivered to webOS or how vulnerable it is. As far as I know, it's pretty secure.

    The type of attack that worries me is called a "battery drain" attack. It's possible for malicious people to send a text or other signal to a phone that causes the phone to hold a connection to the tower and thereby drain the battery very quickly. The carriers have a great deal of stuff in their networks to prevent this, but I'm sure it could still be a concern.
  19. DrewPre #19
    I was thinking more along the lines of an application from the PreCentral feed [or one of the other feeds accessed via PreWare] which by itself is innocent enough but utilizes AdMobs advertisements.

    Now the ads that AdMobs presents in these applications are dynamic and change all the time. What is preventing AdMobs from presenting an ad that has malicious intent? What is preventing a client of AdMobs from providing dynamic content that eventually changes to a link that is malicious in nature? [Of course I am sure AdMobs and others have a vetting process for their clients and their content]

    Now, I am familiar with the idea that Linux is a lot more secure than the Windows platform, and what I am about to say is said without a complete understanding of how spyware works, but isn't Java/JavaScript platform independent? Can't some Java/JavaScript based spyware on one of these rogue sites infiltrate the underlying Linux OS and basically monitor all activity and possibly intercept a user's credentials?

    What if a way is devised to spoof their 'AppId' to something like 'com.palm.I.will.destroy.your.world' and then place a private call to a d-bus method and manage to display a notification message that your login credentials are incorrect?

    Do I have an overactive imagination for considering this [wouldn't be the first time]? Are there too many unlikely or outright impossible scenarios for something like that to happen?

    The reason spam/malware is such a problem is partially at least because of their ability to stay ahead of the curve and counter all the efforts to stop them.

  20. #20  
    This is a question for Rob Whitby.