email account hijacked -- how?
I just realized that a Yahoo email account of mine was apparently hijacked and it appears that two different spam messages were sent to various addresses that seem to have been plucked from my inbox and contacts list. Fortunately, this is a generic "crap" account that I use to register with various online services, etc. and from which I pretty much never send personal/business-related messages (thus the list of recipients of the spam message was minimal.)
My question is how this could possibly have happened, as this is a first for me. I access this account regularly from two computers-- work and home-- both of which have a Firefox add-on installed that displays the inbox status (and thus has the password saved.) Beyond those machines, I also have my phone (Android-based) and iPod touch with the Yahoo account configured; I very rarely check this account from any other source. I have run several virus/malware scans on both machines and have turned up no trace of malicious software.
I guess I'm just curious from those who have more knowledge on the subject than I, how this might have happened? When an email account is hijacked, is the point of origin always on a local machine, i.e. via malware, or do other methods exist? Thanks much for any feedback.
RealBlackStuff
- Admin
- Posts: 17508
- Joined: Mon Sep 18, 2006 5:17 am
- Location: Mt. Cobb, PA USA
Re: email account hijacked -- how?
It's called spoofing.
It's fairly common, unfortunately, but for obvious reasons I'll not elaborate here.
Lovely day for a Guinness! (The Real Black Stuff)
Check out The Boardroom for Parts, Mods and Other Services.
Re: email account hijacked -- how?
Thanks for the response, RealBlackStuff; I read a bit about email spoofing, and I'm assuming some kind of a worm got into my account. I guess I'm still confused about how this sort of thing originates, as I never clicked on any kind of suspicious link or opened a strange attachment, etc. as I'm pretty vigilant about those sorts of things...
Re: email account hijacked -- how?
I can certainly understand why we would not want to discuss how email spoofing works, but I think it would be healthy to discuss any measures an individual could take to prevent it from happening. If there is anything one can do, that is.
As for me, I don't know. I'm a hardware man. This malicious software stuff is way beyond my grasp.
So, npish, how about you change the title of this thread to something more along the lines of asking "How to prevent email spoofing"? Maybe you'll get more responses than you are with a title that looks like you want to learn how to hijack an account.
Collection = T500 - R400 - X300 - X200 - T61 (14" WXGA+) - T61 (14.1" SXGA+) - T60 (15" SXGA+) - X40 - T43p - T43 - T42p - A30P - 600E
twistero
- Senior Member

- Posts: 851
- Joined: Sun Feb 26, 2012 2:25 am
- Location: Princeton, New Jersey
Re: email account hijacked -- how?
This doesn't look like spoofing to me. Email spoofing refers to someone else sending email using your address as "sender", without actually having access to your account. But, since the spam the OP mentioned was sent to the contact list, it is obvious that the hijacker clearly has access to this email account. Which would mean the hijacker somehow acquired the account password.
Now, there are quite a few ways to steal someone's email password, but the fact that this attack i) targeted a less-used email account instead of the OP's primary account, ii) was used for spamming, suggests automated scanning/brute-forcing methods instead of a human hacker actively trying to steal important information.
X60 tablet 6363-P3U, 3GB ram, 128GB SanDisk Extreme SSD, SXGA+ screen, Intel 6300
T61 Frankenpad in 15 inch T60 body, UXGA LED-lit AFFS LCD, T9300, 6GB RAM, NVidia NVS140m, Intel 6205, 128GB Crucial M4 SSD, 1TB HGST HDD + eBay caddy in Ultrabay
701c butterfly, 75MHz 486DX4, 40MB ram, 1GB CF card
Re: email account hijacked -- how?
Several scenarios come to mind --
1 -- If your entire addressbook was spammed out to everyone on your list, then you may have malware on one of your machines.
2 -- If only a few addresses from your address book were spammed, then it's possible your email address at the top was spoofed from someone else's address book, and their machine (not yours) has malware. This may be especially likely if one or more of the addresses in the spam email are not included in your machine's contacts, and only a few of your contacts are listed in the spam email.
When your machine has been compromised, the spam (or zombie) emails usually are sent to every contact in your email address book. In that case you should seriously look for malware on your machine. If only some of your contacts are included, along with other addresses not from your contact list, it points to someone else's machine having the malware, and that malware spoofing an address -- in this case your address listed in someone else's contact list. You still need to do several different scans for malware on your machine, but don't be surprised if your machine comes up clean -- you could just be a spam target from someone else's machine, with your address being spoofed.
If you have basic antivirus/firewall on your machine, it is hard to get malware without choosing to open or download something yourself.
...just my opinion
emtee3511
X201-3680-AL6 + X200.1s-5143-CTO + X200-7459-BW3(AFFS-Glossy)
+ X1 Carbon-3rd Gen 20BT-S22 + X1 Carbon-1st Gen 3444-B8U
+ X100e-3508-CTO + W510-4391-C52(FHD-Glossy)+ W520-4276-37U
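Added example, not part of any post in this thread: the replies above turn on whether the spam was merely spoofed or really sent from the account, and the headers of a received copy can help tell the two apart. The sketch assumes the recipient's mail server records an `Authentication-Results` header; the hostname `mx.recipient.example` and all three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "mx.recipient.example"  # hypothetical: the recipient's own mail server

def aligned(signing_domain, from_domain):
    # True when the authenticated domain covers the domain shown in From:
    return from_domain == signing_domain or from_domain.endswith("." + signing_domain)

def classify(raw, trusted_authserv=TRUSTED):
    """Classify one received message by the verdicts the receiving server recorded."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    seen_trusted = False
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # a sender can add this header too; trust only our own server's
        seen_trusted = True
        for clause in rest.split(";"):
            passed = re.match(r"\s*(dkim|dmarc)=pass\b", clause)
            domain = re.search(r"header\.(?:d|from)=([\w.-]+)", clause)
            if passed and domain and aligned(domain.group(1).lower(), from_domain):
                return "sent-through-provider"  # consistent with real account access
    return "spoofed-from" if seen_trusted else "no-trusted-verdict"

# Constructed sample messages (not taken from the thread).
BODY = "From: Example User <user@yahoo.com>\nTo: friend@recipient.example\nSubject: hi\n\nbody\n"
VIA_ACCOUNT = ("Authentication-Results: mx.recipient.example;\n"
               " dkim=pass header.d=yahoo.com; spf=pass smtp.mailfrom=yahoo.com;\n"
               " dmarc=pass header.from=yahoo.com\n" + BODY)
SPOOFED = ("Authentication-Results: mx.recipient.example;\n"
           " dkim=none; spf=softfail smtp.mailfrom=bulk.sender.example;\n"
           " dmarc=fail header.from=yahoo.com\n" + BODY)
FORGED_HEADER = ("Authentication-Results: mail.untrusted.example;\n"
                 " dkim=pass header.d=yahoo.com\n" + BODY)

if __name__ == "__main__":
    for name, raw in [("via account", VIA_ACCOUNT), ("spoofed", SPOOFED),
                      ("forged header", FORGED_HEADER)]:
        print(f"{name}: {classify(raw)}")
```

A "sent-through-provider" result only shows the message left through the provider's own servers for that domain, which fits a stolen password; it does not say how the password was obtained.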
ajkula66
- SuperUserGeorge

- Posts: 15737
- Joined: Sun Feb 25, 2007 11:28 am
- Location: Brodheadsville, Pennsylvania
Re: email account hijacked -- how?
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)
Cheers,
George (your grouchy retired FlexView farmer)
AARP club members:A31p, T43pSF
Abused daily: R61
PMs requesting personal tech support will be ignored.