Hackers are stealing Yahoo accounts by sending messages containing malicious web page links.
The message looks like a link to a web page on MSNBC. But if an unsuspecting user clicks on it, it redirects to another page that steals the e-mail account, allowing the hacker to use the account to send spam, or grab the account’s contact list.
The gory details are here.
This is precisely why links in e-mail messages make me uncomfortable. Specifically, it’s Yahoo that has the problem right now, but the same technique can be used to exploit a problem in any other mail platform, too.
I only click on a link after hovering over it and examining the link in the lower left-hand side of my browser window. If the description and the link in the lower left don’t match, I don’t click. Period.
My workaround is to copy the link, paste it into Notepad, then paste the link into my browser window. It takes a few seconds, but that’s trivial compared to the amount of time it takes to get a compromised e-mail account back.
Having been accused of owning a hijacked e-mail account before, I know how reputation-damaging it is. It turned out the Klez worm had found my e-mail address at a previous employer and was spoofing messages with that address. The address had ceased to exist years before the incident, but I still had to investigate, and then do damage control.
Trust me, copying and pasting links before clicking on them is a lot easier than that.
In a perfect world, e-mail software would be configured to not allow you to send e-mail containing an attachment or a hyperlink without digitally signing it to verify its authenticity, and to discard any incoming e-mail containing a hyperlink or an attachment that isn’t digitally signed. That’s not possible without universal two-factor authentication, so until we get universal two-factor authentication, we have to be very careful what we do.