The Yahoo / Wordpress rootkit virus is one of the most widespread, and it seems that users of smartphones are the ones most often caught by it. When users receive a rogue email on their computer they are less likely to click on the rogue link it contains, but on a smartphone it is all too easy to click on a link in an email and not realise the consequences.

It works like this: Yahoo Mail users receive a short one-line email saying something like: "Hello - I found this, it is amazing, click here." The 'click here' link goes to a rogue website, of which there are hundreds (thousands?). Clicking on this link sends the unwitting user to a rogue website, which does a number of things:

1/ It installs the virus code onto the user's device. The code is written in XML or Javascript and well embedded into the rootkit of the device (hence the name), and it replaces some system files with identically named ones, making it difficult to spot and remove. Since it is written in XML / Javascript, the virus is undetected by most virus protection apps.
2/ It copies and sends the user's contact list to the scammers. It does not 'hack' the email account per se; the user is already logged in, so changing the password afterwards is of no use.
3/ The virus then sits there on the user's device generating identical copies of the original email and sending them out to his/her contacts.
4/ With the user's contact list the criminals can later send out further emails along the lines of "so and so has made a surprise visit overseas, has lost his/her passport, is ill in hospital, please send cash to this account number ..." The account number of course belongs to the scammers.

There are many variants of this virus. The code is available on the Dark Web for a couple of hundred bucks. It is popular with bored script kiddies at colleges.
It can be removed by Kaspersky's TDSSKiller, but it needs to be run on all computers AND devices such as smartphones that have been used to access the affected email account. A relative of mine gave me a hard time when a TDSSKiller scan didn't find anything on his computer. The virus was actually on his phone. Both were used for sending / receiving Yahoo emails from the same account. This virus has been around for years. It is reportedly due to a weakness in the cookies used by Yahoo Mail and Wordpress. Nothing has been done about it.
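One way to look for the lure pattern the post describes in a mailbox export: a very short body carrying a single link to an unrecognised host, the "click here" phrasing, and, most telling for step 3/, the same body fanned out from one account to many contacts. This is an added example in Python and is not code from the post or from any vendor tool; the sample messages, the placeholder domains (look-at-this.example, wiki.example.org), the trusted-domain list, the lure phrases and the length / fan-out thresholds are all constructed for the demonstration.

```python
"""Heuristic scan of a mailbox for a one-line "click here" lure and for the
same message being fanned out to many contacts from one sender.
Added example, not code from the post; every sample message is constructed."""
import re
from collections import defaultdict
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed samples. The hosts are placeholders, not real sites.
SAMPLE_MAILBOX = [
"""From: alice@example.com
To: bob@example.com
Subject: hi
Content-Type: text/plain

Hello - I found this, it is amazing, click here http://look-at-this.example/x?u=91
""",
"""From: alice@example.com
To: carol@example.com
Subject: hi
Content-Type: text/plain

Hello - I found this, it is amazing, click here http://look-at-this.example/x?u=92
""",
"""From: alice@example.com
To: dave@example.com
Subject: hi
Content-Type: text/plain

Hello - I found this, it is amazing, click here http://look-at-this.example/x?u=93
""",
"""From: erin@example.com
To: bob@example.com
Subject: minutes from Tuesday
Content-Type: text/plain

Bob, the notes from Tuesday are on the wiki: https://wiki.example.org/minutes/2024-05
I have added the action items we agreed; let me know if anything is missing before Friday.
""",
]

URL_RE = re.compile(r'https?://[^\s<>"\']+')
LURE_PHRASES = ("click here", "check this out", "you have to see this")  # assumed
SHORT_BODY = 120          # characters; assumed cut-off, one-liners fall well under it


def body_text(msg):
    """Return the text/plain body of a parsed message, empty if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def normalise(body):
    """Replace links and collapse whitespace so copies that differ only in a
    per-recipient tracking parameter in the URL compare equal."""
    return " ".join(URL_RE.sub("<url>", body).split()).lower()


def lure_reasons(msg, trusted_domains):
    """Per-message heuristics; returns the list of reasons that fired."""
    body = body_text(msg)
    links = URL_RE.findall(body)
    reasons = []
    if links and len(body.strip()) < SHORT_BODY:
        reasons.append("short body with link")
    for link in links:
        host = urlparse(link).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            reasons.append(f"link to unrecognised host {host}")
    if any(p in body.lower() for p in LURE_PHRASES):
        reasons.append("lure phrase")
    return reasons


def scan_mailbox(raw_messages, trusted_domains=("example.org",), fanout=3):
    """Return {message index: [reasons]}. Besides the per-message checks, a
    "fan-out" reason is added when one sender has sent the same normalised
    body to at least `fanout` distinct recipients (the self-propagation step)."""
    msgs = [message_from_string(raw, policy=default) for raw in raw_messages]
    recipients = defaultdict(set)           # (sender, normalised body) -> {To}
    for m in msgs:
        recipients[(str(m["From"]), normalise(body_text(m)))].add(str(m["To"]))
    flagged = {}
    for i, m in enumerate(msgs):
        reasons = lure_reasons(m, trusted_domains)
        key = (str(m["From"]), normalise(body_text(m)))
        if len(recipients[key]) >= fanout:
            reasons.append(f"fan-out: {len(recipients[key])} recipients")
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for idx, why in scan_mailbox(SAMPLE_MAILBOX).items():
        print(idx, "; ".join(why))
```

Run against the constructed mailbox, the three copies from alice are flagged on all four counts and erin's ordinary message is not. The per-message checks alone are noisy (plenty of legitimate mail is one line with a link), so the fan-out count is the signal worth alerting on when this is run over a real Sent folder; the normalisation step matters because such lures often vary the link per recipient.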