Attackers, willing to do anything to hijack webmail accounts to boost their spam campaigns, are bypassing the traditional Web login interface page to seek out a backdoor into accounts.
Those attackers have targeted Yahoo and are successfully cracking account passwords by focusing automated password cracking scripts on a Yahoo Web services-based authentication application thought to be used by Internet service providers (ISPs) and third-party Web applications.
That was the finding of the Web Application Security Consortium Distributed Open Proxy Honeypot project, maintained by researchers at Breach Security Inc. The honeypot is tracking an extensive series of brute force attacks successfully targeting account credentials of Yahoo email users.
Brute force password cracking:
How to prevent SSH brute force attacks: Brute force attacks on the Secure Shell (SSH) service have been used more frequently to compromise accounts and passwords.
Ophcrack: Password cracking made easy: Scott Sidel examines the open source security tool Ophcrack, a password cracking tool aimed at ensuring the strength of corporate passwords.
"We've known for years that spammers normally go after the highly visible Web interface in brute force attacks and most webmail providers track how many login attempts are made. It's a good standard practice," said Ryan Barnett, director of application security research at Breach Security. "But this application is not meant for end users and can validate authorization when people [are] trying to login with no access control."
Once cracked, spammers can then use the account to conduct more spamming or perhaps more nefarious activity, such as obtaining personal information of account holders. The method enables spammers to understand the geographic location of their activities, making their spam campaigns more lucrative.
Barnett said it is difficult to gage the size of the brute force attacks, but they have been ongoing. The attackers don't target a single user account. Since the Web services-based authentication application has no anti-automation defense, the attackers set up automated scripts that cycle through common passwords and possible user names.
"[Yahoo] has this authentication application on so many sub-domains," Barnett said. "They've got hundreds of these servers and attackers are distributing their authentication attempts."
Brute force password attacks have been around for years and typically represent the least sophisticated method of breaking into accounts. Barnett said Yahoo has been notified about the latest attacks. The search engine giant uses the Web services authentication application to enable users to type Yahoo passwords into third-party partner Web applications, such as streaming video players.
"We're only seeing a snippet of data that they're sending," Barnett said of the ongoing attacks. "This is just another tactic used by the spammers to expand their campaigns."
Barnett said the Web Application Security Consortium Distributed Open Proxy Honeypot project went live in 2007. The open proxy server lures attackers into pushing traffic through it. Meanwhile, a mod_security Web application firewall (WAF) monitors and reports suspected attack traffic to project participants.
Phase three of the project started this summer, boosting the deployment of sensors from 14 to 60 in July. The project is also increasing its analysis processes, Barnett said. It added Splunk, a log management indexing platform to conduct more robust searching and analysis, he said.