Yahoo Chat and Mobile: More Spam, Stolen Email addresses

Originally published at: http://community.ca.com/blogs/securityadvisor

July 09, 2009 by Benjamin Googins

With Yahoo’s new Chat & Mobile feature, be careful about responding to unsolicited chats from people you do not know.  By doing so, you could be handing out your email address to criminals and filling your Inbox with spam.

I first noticed Yahoo Chat & Mobile (abbreviated YCM for this writing) (link: http://www.ymailblog.com/blog/2009/01/chat-and-text-your-friends-from-yahoo-mail-classic/) early this year when I logged into my mail account. It unexpectedly showed up on the left side of my mail window, below my Folders section (see image below). This addition to Mail has two features. “Chat” is basically a trimmed-down version of Yahoo Messenger and lets me chat with others who use Yahoo Mail or Yahoo Messenger. “Mobile”, which I have found handy, lets me send text messages to any cell phone, typing on a keyboard instead of a phone.

[Image 1 - Yahoo Chat]

Not long after noticing these new features, I received a chat request from someone not in my contact list asking, “Barbara?” (see image below).  I knew it was a scam, but out of curiosity, I sent a short reply “yes”.  I received no reply so I closed the chat window.

[Image 2 - Yahoo Chat]

That wasn’t the end of it, though. In the days and weeks that followed, I received spam in my Inbox with “Barbara” in the subject line. This was no coincidence. All of the spam follows the same basic pattern: “Barbara” in the subject line, a body consisting of a single image linked to another site, and an origin email address tied to a domain whose registrant’s identity is cloaked. The spam also plays on a common theme, the bad economy, with offers for government grants, nursing school, and foreclosure listings, for example. A unique aspect of this spam is that the majority of it landed in my Inbox, not my spam folder. I collected some of it (a small fraction) into a folder for your viewing pleasure (see image below).
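As an added illustration (not part of the original post), a small Python filter that checks a message against the three traits described above: “Barbara” in the subject, a body that is a single linked image, and a sender domain whose registrant is cloaked. The cloaked-domain list and the sample message are constructed for this example; a real filter would look registrant status up via WHOIS or a reputation feed.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed: sender domains with cloaked WHOIS registrants (a real filter would look these up).
CLOAKED_REGISTRANT_DOMAINS = {"grant-offers.example", "nursing-deals.example"}

class _BodyShape(HTMLParser):
    # Tallies images, whether an image sits inside a link, and visible text.
    def __init__(self):
        super().__init__()
        self.images = self.text_chars = 0
        self.image_in_link = self._in_link = False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_link = True
        elif tag == "img":
            self.images += 1
            self.image_in_link |= self._in_link
    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False
    def handle_data(self, data):
        self.text_chars += len(data.strip())

def is_single_linked_image(html_body):
    # True when the body is exactly one image wrapped in a link and no text.
    shape = _BodyShape()
    shape.feed(html_body)
    return shape.images == 1 and shape.image_in_link and shape.text_chars == 0

def barbara_spam_traits(raw_message):
    # Returns which of the three traits described in the post a message shows.
    msg = email.message_from_string(raw_message, policy=policy.default)
    traits = []
    if "barbara" in (msg["Subject"] or "").lower():
        traits.append("barbara-subject")
    body = msg.get_body(preferencelist=("html",))
    if body is not None and is_single_linked_image(body.get_content()):
        traits.append("image-only-body")
    domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    if domain in CLOAKED_REGISTRANT_DOMAINS:
        traits.append("cloaked-registrant")
    return traits

# Constructed sample message in the pattern the post describes.
SPAM_SAMPLE = ("From: deals@grant-offers.example\nSubject: Barbara? Grants\n"
               "Content-Type: text/html\n\n"
               '<a href="http://grant-offers.example/go"><img src="cid:ad"></a>\n')
```

A message showing all three traits is a strong candidate for the spam folder even when it otherwise passes Yahoo’s own filtering.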

[Image 3 - Yahoo Chat]

So the spammers are leveraging the YCM feature to obtain valid email addresses and spam those accounts. YCM links my email ID to my chat ID. This is different from stand-alone IM clients (such as Yahoo Messenger) or stand-alone email services, and it provides a unique mechanism for spammers to obtain email addresses. The email addresses obtained through this method are verified not just to exist, but to be actually used and actively logged into. This type of email address is quite valuable in the underground economy of the Internet. As a follow-up, I have received multiple other unsolicited chats, ostensibly from the same entity, with a new message, like the one below.

[Image 4 - Yahoo Chat]

This follow-up chat is an added verification method for the spammers and helps them confirm that the email address is very active.

The spammers exploiting YCM this way can generate a list of possible Yahoo IDs and test whether they are valid and actively used by sending unsolicited chats to all of them. In other words, YCM can be used to send unsolicited chats and build a list of active Yahoo email addresses. A response to an unsolicited IM such as “this isn’t Barbara, quit bothering me” is exactly what the spammers are looking for. Any response to a chat like this, regardless of what is sent, is verification that the email address is active.

To be clear, YCM is not unique in being exploited by spammers and other criminals. Stand-alone email and chat services are exploited in various other ways (which I will cover in future writings). With other instant messaging programs, you should always be cautious about unsolicited chats from people you do not know.

What you can do (to cut spam and prevent handing out your email address):

First.

Do not respond to an unsolicited chat from a sender you do not recognize. Any response is confirmation that your email address is active, and you will get spam in your Inbox. Instead, click the ‘decline’ option at the bottom of the chat.

Second.

Yahoo Chat & Mobile offers this user control: “Block chat messages from anyone who is not in my Contacts.” This option does just what it says: it blocks unsolicited chats. The downside is that this is a fairly heavy-handed approach, since it blocks all unsolicited chats, even from old friends and others not in your contact list. If you are receiving a lot of unsolicited IMs, this might be the best option. To access this option:

- log into your Yahoo Mail account
- click the ‘Options’ tab (upper right)
- click the ‘Spam’ link (left side of page)
- choose the bullet next to ‘Block chat messages from anyone who is not in my Contacts’ (see image below)

[Image 5 - Yahoo Chat]

As a side note, YCM gives the option to “Block chat messages only from the people” you choose to block. This option probably isn’t very helpful in situations like the one I describe above. The spammers can create new Yahoo IDs, so anything you block today probably won’t be relevant tomorrow. They will just send an unsolicited chat from a newly created ID.

Yahoo’s new Chat & Mobile feature is a handy addition to Mail, but it has introduced a mechanism that spammers are exploiting. Do your part and block or decline unsolicited chats from users you do not recognize.

By: Benjamin Googins

Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…