[Update at 20:08 EST: Dan Veditz from the Mozilla team responded "We looked at the URL and don't think it was a Firefox exploit." He mentioned ads and Flash that might make a Windows machine vulnerable, but not Linux.]
[Update at 22:13 EST: Time line appears to exonerate Firefox and Ubuntu-specific exploits. His machine does not appear to have been compromised. The issue appears to involve Yahoo! mail authentication.
Using browser history, output of the last command, and timestamps from my friend's Yahoo! account, my friend and I reconstructed the following time line:
Yesterday, 8:10 AM: Yahoo! records a normal login to his Yahoo! mail account from his home state.
Yesterday, ~11 PM: An email is delivered to his Yahoo! mail account from a correspondent using an email account hosted by Yahoo! (@sbcglobal.net).
Today, before 8 AM: He checks his email, reads the bogus email and clicks the link for the phony MSNBC article, and from it visits the Home Cash Profits page.
Around 9:15 AM: He turns off his computer.
9:49-9:57 AM: The spam emails are sent from his Yahoo! mail account (and end up in his Sent Mail folder).
After 2:00 PM: He turns on his computer, checks his email, and finds many bounces in response to the spam sent earlier.
8:53 PM: Yahoo! records a normal login to his account from his home state.
The message sent to me includes the following headers:
Received: from [220.127.116.11] by web160302.mail.bf1.yahoo.com via HTTP; Wed, 14 Nov 2012 06:56:10 PST
> host 18.104.22.168
22.214.171.124.in-addr.arpa domain name pointer 126.96.36.199.freenet.com.ua.
> mtr -c 1 -r 188.8.131.52 | tail -n 4
12. freenet-gw2-w.kiev.top.net.u 0.0% 1 153.9 153.9 153.9 153.9 0.0
13. W307.core2.lv-kv.freenet.ua 0.0% 1 165.2 165.2 165.2 165.2 0.0
14. lv.core.freenet.com.ua 0.0% 1 162.5 162.5 162.5 162.5 0.0
15. ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
.ua is the TLD for Ukraine. When I had him "View his recent sign-in activity" in Yahoo!, all logins back through October 29 were from his home state.
His computer was off when the spam was sent. No additional logins were recorded on the Yahoo! mail account. It appears that the auth token (cookie) is leaking somehow.]
I set up a friend on Ubuntu 10.04.4 LTS, which runs Firefox 16.0.2.
This morning he received an email in his Yahoo! account from someone with whom he's previously exchanged email. The email looked something like this:
Subject: RE:[his first name] Hey
check this out when you get a chance [URL omitted]
He viewed the webpage. The URL was (poorly) disguised to appear as if it was a news article on MSNBC. He also viewed the page for Home Cash Profits, which was the focus of the bogus news article.
Subsequently, his Yahoo account filled with bounces from people in his address book, the body text of which resembled the message above. He normally can access Yahoo! mail without a password, since he checks "stay logged in" or whatever the option is to receive an auth token in a cookie. I think his Yahoo! password is saved in Firefox as well.
I received one of the bogus emails from my friend, which Gmail flagged as phishing (my friend reports that Yahoo! did not flag the email in any way). When using Gmail's Show original option there doesn't appear to be any payload, unless it somehow exploits the X-YMail-OSG header and is very small. The following header is present in the bogus mail from my friend:
Message-ID: <1352904970.97677.androidMobile@web160302.mail.bf1.yahoo.com>
My friend runs the Ubuntu version listed above on a laptop, and doesn't own an Android device.
It would appear that the exploit is hosted on the web page which is sent in the email. The web page was up within the last 30 minutes (14 November, ~16:00 EST). I've included the URL below, trivially rot-13 encoded to protect the unwary.
WARNING: Do NOT decode and visit this URL unless you know what you are doing!
uggc://zfaop.zfa.pbz-arjf9.hf/wbof/
Again, the above encoded URL can exploit Yahoo! mail accounts accessed from Firefox 16.0.2 running on Ubuntu 10.04.4 LTS. Google searches for the URL also turn up some blog comment spam.
I don't have the time to look into this, so I would appreciate some assistance from the experts.
I've instructed my friend to unplug his ethernet cable and keep his computer offline until we can resolve the situation.
Update at 16:56 EST: The URL is still live. Reported the site as a web forgery (using Firefox's built-in tool which reports to Google) and sent an email to Firefox security pointing to this thread.
Update at 17:48 EST: It's possible that this is a Yahoo! mail-specific exploit. My friend has in the past corresponded by email with the person whose account sent the bogus email, who was then using a @sbcglobal.net address. www.sbcglobal.net redirects to att.yahoo.com which is branded att.net but says "Powered by Yahoo!" The Check mail link on that page shows login.yahoo.com. Since my friend's computer is now offline, we can't check Yahoo! mail to see the return address used on the bogus email he received.
Update at 18:21 EST: A tar bzipped copy of the webpage saved using "Save Page As..." in Firefox 16.0.2 is available here: https://sites.google.com/site/tod222/possibly_malicious_webpage_saved_for_forensic_exam.tbz
Update at 19:34 EST: Title changed from "Active in-the-wild exploit for Firefox/Ubuntu"
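As an added example (not part of the original post), a small Python check that pulls the submitting IP, the webmail host and both timestamps out of the two headers quoted above, and tests them against the power-off window from the time line. The 9:15 AM and 2:00 PM bounds come from the time line; it assumes they are EST (UTC-5) on that date and that the leading number in Yahoo!'s Message-ID is a Unix timestamp.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# The two headers quoted in the post above (the bogus mail as received in Gmail).
HEADERS = """\
Received: from [220.127.116.11] by web160302.mail.bf1.yahoo.com via HTTP; Wed, 14 Nov 2012 06:56:10 PST
Message-ID: <1352904970.97677.androidMobile@web160302.mail.bf1.yahoo.com>
"""

# Power-off window from the reconstructed time line; EST = UTC-5 is an assumption.
EST = timezone(timedelta(hours=-5))
OFF_FROM = datetime(2012, 11, 14, 9, 15, tzinfo=EST)
OFF_UNTIL = datetime(2012, 11, 14, 14, 0, tzinfo=EST)

RECEIVED_RE = re.compile(r"^Received: from \[([\d.]+)\] by (\S+) via (\S+); (.+)$", re.M)
MSGID_RE = re.compile(r"^Message-ID: <(\d+)\.\d+\.([A-Za-z]+)@(\S+)>$", re.M)


def analyze(headers: str) -> dict:
    """Extract the submitting IP, webmail host, client tag and timestamps,
    and check whether the message was submitted while the machine was off."""
    rcv = RECEIVED_RE.search(headers)
    mid = MSGID_RE.search(headers)
    if not rcv or not mid:
        raise ValueError("expected Received and Message-ID headers not found")
    ip, webmail_host, proto, date_str = rcv.groups()
    # "PST" is an obsolete RFC 5322 zone name; parsedate_to_datetime maps it to
    # UTC-8 and returns an aware datetime, so comparisons below are by instant.
    received_at = parsedate_to_datetime(date_str)
    # Assumption: the first field of the Message-ID is the Unix time the
    # webmail session created the message.
    created_at = datetime.fromtimestamp(int(mid.group(1)), tz=timezone.utc)
    return {
        "submitting_ip": ip,
        "webmail_host": webmail_host,
        "submitted_via": proto,
        "client_tag": mid.group(2),          # "androidMobile" here
        "received_est": received_at.astimezone(EST).isoformat(),
        "msgid_matches_received": created_at == received_at,
        "sent_while_machine_off": OFF_FROM <= received_at <= OFF_UNTIL,
    }
```

Both timestamps agree to the second (06:56:10 PST is 09:56:10 EST, inside the 9:49-9:57 AM burst), and the session was submitted over HTTP from the quoted IP with a mobile client tag while the laptop was powered off.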