
SANS ISC: InfoSec Handlers Diary Blog


Free Yahoo email account! Sign me up, Ok well maybe not.

Published: 2008-06-01
Last Updated: 2008-06-01 01:01:27 UTC
by Mark Hofman (Version: 1)

Hello , !
Your friend invited you to use the BETA email Service from YAHOO join YAHOO and Create your Free Email Account

Just click here to receive your FREE YAHOO EMAIL Account!

OK, so it is just a small variation on the greeting card theme (although they haven’t bothered to change the file being downloaded). The main difference is the message, and rather than using HTTP to deliver the file, the link is an FTP link along these lines: ftp://username:emanresu@82.bbb.ccc.ddd/private/postcard.pif

Connecting to 82.bbb.ccc.ddd:21... connected.
Logging in as username ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /private ... done.
==> PASV ... done.    ==> RETR postcard.pif ...

Corporates typically block outbound FTP, so most of you should be OK at work. Home users, however, may end up with a little surprise. The file downloaded should be reasonably well detected by most AV products. The few sites I checked already had the file pulled (or not yet placed there).
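A mail-filter style check for the link pattern described above, as an added example that is not part of the original diary: it flags ftp:// links that carry embedded credentials, point at a bare IP address, or end in a directly executable extension. The sample message, the 192.0.2.10 documentation address and the extension list are constructed assumptions.

```python
import posixpath
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed list of directly executable Windows extensions; .pif is the one in this diary.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".lnk"}
FTP_URL_RE = re.compile(r"ftp://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample body: one lure-style link and one ordinary FTP link.
SAMPLE = (
    "Just click here to receive your FREE YAHOO EMAIL Account! "
    "ftp://username:emanresu@192.0.2.10/private/postcard.pif\n"
    "Mirror list: ftp://ftp.example.org/pub/readme.txt."
)

def is_ip_literal(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def score_ftp_links(body):
    """Return [(url, [reasons])] for every ftp:// link found in a message body."""
    findings = []
    for url in FTP_URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop sentence punctuation glued to the link
        parts = urlsplit(url)
        reasons = []
        if parts.username or parts.password:
            reasons.append("embedded credentials")
        if parts.hostname and is_ip_literal(parts.hostname):
            reasons.append("bare IP host")
        ext = posixpath.splitext(parts.path.lower())[1]
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension " + ext)
        findings.append((url, reasons))
    return findings

if __name__ == "__main__":
    for url, reasons in score_ftp_links(SAMPLE):
        print(url, "->", ", ".join(reasons) or "no flags")
```

Any single reason is weak on its own; a link that trips all three, like the one in this diary, is a strong candidate for quarantine.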

It is a fairly trivial thing. The only reason I mention it is because, like no doubt a fair number of you, I looked at it and went “mmm, interesting that Yahoo is going down the invite path, just like Google” and I opened the message to have a look. So the message is reasonably effective at first glance.

From a broader perspective, there seems to be no lack of FTP servers connected to the internet that have been or are being compromised. If you run an internet-facing FTP server, when was the last time you checked the logs and the users defined?

Mark H - Shearwater
