Now in 993 land ...
Yahoo email spoofed / hijacked
I need some pro nerd advice on a situation that just developed. Looks like one of my family member's email accounts has been compromised.

Someone must have pulled his address book and is now sending emails to all contacts. The emails are not coming from the Yahoo account but rather from spam servers using the same user name and first name / signature line, making it look like it comes from my family member. The emails going out have links in them, and now of course another family member receiving this spam clicked on the link but got a 404 error message. The link looked like this (I put in some asterisks so as not to have a live link):

http://*******.ca/including.php?send=******eca8g39hm

What does that link do? Was it really a legit 404 response or was something else going on in the background? What do these spam emails do, if they aren't pitching a male enhancement product? What do I need to do to protect the family members? The spoofed Yahoo account has had its password reset already. What does the family member recipient who clicked on the link have to do?

Thanks! George
The Unsettler
Looks like the link could be a few things.
php file so it can execute commands. My guess based on the way it's worded is it's validating an email address, recipient, as good / valid. Expect more spam, probably lots of it.
__________________
"I want my two dollars" "Goodbye and thanks for the fish" "Proud Member and Supporter of the YWL" "Brandon Won"
Now in 993 land ...
Thanks SM! What I was hoping is that the 404 response by the server shows it was already shut down previously and no action ensued when clicking on the link?

Nothing the spammed can do, right? I got the same message BTW, but for me Yahoo sorted it to the spam folder. Plus, I never click on links unless there is clear personal information aside from greetings / names.

Thanks! George
Registered User
Join Date: Sep 2012
Location: Växjö Sweden/Hannover Germany
Posts: 1,135
BTW I don't think the account was compromised.
Change the PW, but that will not help. The emails are sent from another server/account and it is just coincidence. Maybe the email addresses were harvested from other sources and now they want to know if they are valid or not.
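The distinction drawn in this thread (mail sent from the account itself versus mail sent from another server under the same name) can be checked from a received message's headers. The Python sketch below is an added example, not part of any post; the sample messages, addresses and host names are constructed, and it assumes the first Authentication-Results header was stamped by the recipient's own mail provider.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed header samples; every address and host name here is made up.
REAL = "relative.placeholder@yahoo.com"

DISPLAY_NAME_SPOOF = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bulk-host.example;
 dkim=none; dmarc=none header.from=bulk-host.example
From: "Relative" <x9123@bulk-host.example>
Subject: hi

"""

FORGED_FROM = """\
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=yahoo.com;
 dkim=none; dmarc=fail header.from=yahoo.com
From: "Relative" <relative.placeholder@yahoo.com>
Subject: hi

"""

SENT_FROM_ACCOUNT = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=yahoo.com;
 dkim=pass header.d=yahoo.com; dmarc=pass header.from=yahoo.com
From: "Relative" <relative.placeholder@yahoo.com>
Subject: hi

"""

def classify(raw, expected_address):
    """Say whether a message came through the real account or only imitates it."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    # Assumption: the first Authentication-Results header is the recipient provider's.
    auth = msg.get("Authentication-Results", "")
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    if addr.lower() != expected_address.lower():
        # Same name and signature, different address: sent from someone else's server.
        return "display-name spoof"
    if verdicts.get("dmarc") == "pass":
        # Authenticated for the provider's domain: it left through the real account.
        return "sent through the real account"
    return "forged From address"

if __name__ == "__main__":
    for sample in (DISPLAY_NAME_SPOOF, FORGED_FROM, SENT_FROM_ACCOUNT):
        print(classify(sample, REAL))
```

Only the last result points at the mailbox itself having been used; the first two describe mail that a password change on the account cannot stop.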
Registered User
Join Date: Sep 2012
Location: Växjö Sweden/Hannover Germany
Posts: 1,135
And yes, you are right. The owner of the server hosting the script was made aware and deleted the file. Most likely.
I don't understand why someone clicks those links anyway ...