How Hackers Manipulated Yahoo's Systems -- WSJ
March 17 2017 - 3:02AM
Dow Jones News
By Robert McMillan and Deepa Seetharaman
The U.S. criminal charges over a major security breach at Yahoo
Inc. detailed how hackers turned the company's network against its
users and then erased the attackers' digital footprints from the
system.
Authorities said the hackers engaged in an extraordinary spree
of cyber skulduggery, stealing information and sending millions of
spam messages, after attackers obtained access to more than 500
million accounts starting in early 2014.
The attackers specifically targeted accounts of an eclectic
range of individuals -- from investigative reporters to U.S.
technology employees to Russian and U.S. government officials,
according to federal prosecutors and Federal Bureau of
Investigation officials Wednesday. Among the targets: a Nevada
gaming official, a consultant who analyzed Russia's bid for World
Trade Organization membership, and 14 employees of a Swiss
financial firm specializing in bitcoin.
Authorities said one of the hackers, Alexsey Belan, manipulated
the results of some users' searches on Yahoo to direct people to an
online pharmacy that paid Mr. Belan for the traffic.
At the heart of the criminal-information enterprise was an
important Yahoo system called the User Database, U.S. authorities
said. It was a treasure trove of information, containing usernames,
alternative email accounts and phone numbers.
Yahoo had hidden its users' passwords with a technique called
hashing that would have made them hard to recover. But the hackers
didn't need that information, the indictment unveiled Wednesday
said. By stealing a set of unique, near-random numbers attached to
Yahoo accounts, they were able to create bogus versions of files
called session cookies.
In the hackers' hands, these session cookies tricked Yahoo's
servers into thinking that legitimate users who had previously
logged in to their accounts were returning to the site.
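The cookie-minting mechanism described above, modelled as an added illustration (not Yahoo's code or a description of Yahoo's actual design; the toy schemes, the constructed `USER_DB` record, `SERVER_KEY` and `ACTIVE_SESSIONS` are assumptions): when everything a session cookie is derived from lives in the user database, a copy of that database is also a cookie factory, whereas binding cookies to a key held outside the database and to a server-side record of real logins means a dump alone no longer suffices and sessions can be revoked.

```python
import hashlib
import hmac
import secrets

# --- Weak model: the cookie is derived only from data kept in the user database ---
# Constructed sample record; the per-user nonce is the only secret in the scheme.
USER_DB = {"alice": {"uid": 1001, "cookie_nonce": "3f9a1c77e0b2"}}

def weak_cookie(username):
    """Cookie = uid + hash(nonce). Anyone holding the DB dump can compute this."""
    rec = USER_DB[username]
    tag = hashlib.sha256(rec["cookie_nonce"].encode()).hexdigest()[:32]
    return f"{rec['uid']}:{tag}"

def weak_verify(cookie):
    """Accepts any cookie that matches the DB-derived value; no login record is consulted."""
    uid, tag = cookie.split(":")
    for name, rec in USER_DB.items():
        if str(rec["uid"]) == uid and hmac.compare_digest(tag, weak_cookie(name).split(":")[1]):
            return name
    return None

# --- Hardened model: signing key outside the DB plus a server-side session registry ---
SERVER_KEY = secrets.token_bytes(32)   # held in a KMS/HSM, never stored in the user database
ACTIVE_SESSIONS = {}                   # session_id -> username, written only by a real login

def _tag(username, sid):
    return hmac.new(SERVER_KEY, f"{username}:{sid}".encode(), hashlib.sha256).hexdigest()

def issue_session(username):
    """Called only after password/MFA succeeds; registers the session server-side."""
    sid = secrets.token_hex(16)
    ACTIVE_SESSIONS[sid] = username
    return f"{username}:{sid}:{_tag(username, sid)}"

def verify_session(cookie):
    """Returns the username for a valid, still-registered session, else None."""
    try:
        username, sid, tag = cookie.split(":")
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _tag(username, sid)):
        return None                    # not minted with the server-held key
    if ACTIVE_SESSIONS.get(sid) != username:
        return None                    # no login created this session, or it was revoked
    return username

def revoke_all(username):
    """Invalidate every session for a user, e.g. after a suspected database compromise."""
    for sid in [s for s, u in ACTIVE_SESSIONS.items() if u == username]:
        del ACTIVE_SESSIONS[sid]
```

The weak verifier accepts a cookie recomputed from the database record alone; the hardened verifier rejects a cookie that lacks a tag under the server-held key or that no login ever registered, and revocation closes sessions without waiting for cookies to expire.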
The hackers also accessed Yahoo's Account Management Tool, which
the company used to manage and edit the User Database. Combining it
with the database, the hackers could identify backup email accounts
users had elsewhere -- effectively creating a map of the companies
or organizations where Yahoo users may have worked. They got access
to the contents of more than 6,500 Yahoo accounts, and then used
that information to break into others, including those belonging to
diplomats, lawmakers and technology employees, the FBI said.
Separately, Mr. Belan used his virtual cookie factory to access
more than 30 million Yahoo accounts to steal contact information
and send spam, the FBI said. He also searched through Yahoo
accounts for Google and Apple Inc. passwords, credit-card
information and gift-card data, searching for phrases such as
"amex," "Google," or "itunes...account," the FBI said.
Perhaps the most remarkable feat was Mr. Belan's alleged
hijacking of Yahoo Search.
A person briefed on the matter said that Mr. Belan altered the
code on a small set of Yahoo's servers, allowing him to change the
results that appeared when users searched for prescription drugs
for erectile dysfunction.
Users were redirected to an online Canadian pharmacy when they
typed in one of three search phrases, according to the person, who
added that the results were altered for two weeks in November
2014.
The precise keywords couldn't be learned. It wasn't clear how
many times those keywords were searched or how prominent the links
were in the results. It is also unclear what layer of the search
server Mr. Belan targeted and if he was able to reach Yahoo's
underlying search algorithms.
One theory is that Mr. Belan attacked the so-called middleware,
or the software that takes the results of the search servers and
feeds them to the user, cybersecurity experts said. Mr. Belan may
have also been able to accomplish this by attacking the paid search
auction results and putting the fraudulent links at the top of the
list.
Mr. Belan, who has been on the FBI's most-wanted hackers list
since 2012, was arrested in Europe in 2013 but escaped to Russia
before he could be extradited, the Justice Department said. He
couldn't be reached for comment Wednesday. A Russian official said
Washington hadn't consulted Moscow on the case, and suggested the
allegations were related to domestic politics in the U.S.
The indictment doesn't make clear how the hackers were able to
get into Yahoo's systems. Their attack, which Yahoo first disclosed
this past September, is one of two massive breaches at the internet
company. The charges don't cover the second one, which occurred in
2013 and affected more than one billion accounts. In that earlier
attack, the hackers sold a massive database of Yahoo usernames and
passwords, which were protected by weaker cryptographic techniques
than the 2014 data, according to the security-research firm
InfoArmor Inc.
Write to Robert McMillan at Robert.Mcmillan@wsj.com and Deepa
Seetharaman at Deepa.Seetharaman@wsj.com
(END) Dow Jones Newswires
March 17, 2017 02:47 ET (06:47 GMT)
Copyright (c) 2017 Dow Jones & Company, Inc.