“We were not able to replicate the attack successfully. We have been in touch with Yahoo! about this problem. They, too, were unable to replicate this attack successfully at that time. However, to protect users against any such problems Yahoo! has strengthened their filters that sanitize user emails in order to protect against these kinds of attacks,” Trend explained in a blog post.
Last summer, Yahoo improved security after a similar attack targeted their users, and Google revealed that attackers were targeting a flaw in MHTML in order to attack journalists and activists, who were targeted via Facebook. Around the same time in Taiwan, a Phishing attack exploited vulnerabilities in Hotmail, which would lead to account compromise so long as the malicious message was viewed.
Clearly, as Trend notes, criminals are no strangers to using vulnerabilities in hosted applications “in order to compromise Webmail accounts, to monitor communications, and to gain information in order to stage future attacks.”
“It shouldn’t be a surprise that they’ve become targets as well: just about everyone uses these free services, and users don’t expect these services to have security problems of their own. As we’ve highlighted before, vulnerabilities like these are used in targeted attacks. Whether it’s vulnerabilities in user software or cloud-based services like free webmail, vulnerabilities allow attackers to compromise systems without the target being aware that anything has happened.”