Last week, security researchers disclosed a breach of Yahoo Mail that exploited a bug in WordPress (CVE-2012-3414) which happens to be used in the Yahoo developers blog. This allowed attackers to circumvent the same-origin policy and steal Yahoo Mail users’ cookies and obtain their contact lists. The details of the attack are described here.
After clicking a malicious link, unsuspecting users were redirected to the phishing site www[.]msnbc[.]msn[.]com-im9[.]net, which would appear to many to be legitimate MSNBC content.
The phishing webpage belongs to a subdomain of com-im9[.]net. The whois information shows the domain com-im9[.]net was registered on Jan 27th via a Ukrainian registrar but stayed dormant (did not resolve to any IP) for 2 days.
Mining our worldwide DNS query logs, we see that DNS traffic to the subdomain msn[.]com-im9[.]net (which hosts the malicious page) started on Jan 29th at 2:32pm UTC, which we believe is most likely when the campaign to compromise Yahoo Mail users’ accounts was launched. A spike of about 3,000 DNS queries is clearly visible on two consecutive days (Jan 29th and Jan 30th), originating from 4,000+ client IPs spread across 100+ countries. Requests came mostly from the United States, United Kingdom, Canada, Iran and Egypt.
In fact, the culprit webpage www[.]msnbc[.]msn[.]com-im9[.]net resolved to 12 IPs spread across 5 ASNs and 4 countries (United States, United Arab Emirates, Cyprus and Switzerland), with a low Time To Live (TTL) of 24 minutes. This is typical of fast-flux domains, which rotate their IPs to evade blacklisting and takedown, and is another indication of the domain's malicious intent.
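The two signals described above, a freshly registered domain that suddenly attracts traffic and a hostname resolving to many IPs across several ASNs with a short TTL, can be checked from passive DNS records. The following is an added example written for this post, not OpenDNS code; the domain names, IPs, ASNs and dates in it are constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime

# One A-record observation: resolved IP, its ASN, country code and record TTL in seconds.
Resolution = namedtuple("Resolution", "domain ip asn country ttl")


def fast_flux_indicators(records, ttl_threshold=3600, min_asns=3):
    """Summarise resolution diversity for one hostname and flag fast-flux-like behaviour.

    Heuristic: many IPs spread over several ASNs and countries, combined with a
    short TTL, suggests infrastructure built to survive blacklisting and takedown.
    Thresholds are assumptions for this example, not published OpenDNS values.
    """
    ips = {r.ip for r in records}
    asns = {r.asn for r in records}
    countries = {r.country for r in records}
    max_ttl = max(r.ttl for r in records)
    return {
        "distinct_ips": len(ips),
        "distinct_asns": len(asns),
        "distinct_countries": len(countries),
        "max_ttl": max_ttl,
        "fast_flux": len(asns) >= min_asns and max_ttl <= ttl_threshold,
    }


def domain_age_days(creation_iso, first_seen_iso):
    """Days between whois Creation Date and the first DNS query seen (ISO 8601 strings).

    A domain that lies dormant for a day or two after registration and then
    spikes is worth a second look.
    """
    created = datetime.fromisoformat(creation_iso)
    first_seen = datetime.fromisoformat(first_seen_iso)
    return (first_seen - created).days


# Constructed observations for a hypothetical phishing host: 4 IPs, 3 ASNs, 3 countries, TTL 1440 s.
SUSPECT = [
    Resolution("www.example-phish.test", "192.0.2.10", 64500, "US", 1440),
    Resolution("www.example-phish.test", "192.0.2.11", 64500, "US", 1440),
    Resolution("www.example-phish.test", "198.51.100.5", 64501, "AE", 1440),
    Resolution("www.example-phish.test", "203.0.113.7", 64502, "CY", 1440),
]
# Constructed benign baseline: a single IP in one ASN with a day-long TTL.
BENIGN = [Resolution("www.example.test", "192.0.2.50", 64510, "US", 86400)]

if __name__ == "__main__":
    print(fast_flux_indicators(SUSPECT))
    print(domain_age_days("2013-01-27", "2013-01-29T14:32"))
```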
OpenDNS promptly flagged the malicious domain as phishing, preventing OpenDNS users from accessing the page and having their credentials stolen. The domain com-im9[.]net was suspended on Feb 2nd, as the following whois snippet shows:
Domain Name: COM-IM9.NET
Registrar: CENTER OF UKRAINIAN INTERNET NAMES
Whois Server: whois.ukrnames.com
Referral URL: http://www.ukrnames.com
Name Server: NS1.PARKED.COM
Name Server: NS2.PARKED.COM
Updated Date: 02-feb-2013
Creation Date: 27-jan-2013
Expiration Date: 27-jan-2014
Moreover, com-im9[.]net stopped resolving on Feb 2nd and DNS queries have been returning NXDOMAIN since then.
Attacks like these are difficult to predict, so we advise our users to exercise caution before clicking links in unsolicited emails, to keep their antivirus and other software up to date, and to log out of their email account as soon as they are done using it.