Contact list harvesting - malware ? Facebook ?

[David Beierl]

If you're talking about emails with a short distribution list (including you or some list/forum you belong to), a short or empty subject line, and a short message pointing you to some scumware site - the overwhelming majority of these that I've seen in the last year or so have been sent through the Yahoo webmail system, indicating that they are exploiting cracked Yahoo accounts. The actual originating IPa as reported by Yahoo are from almost anywhere on the globe and are not consistent from one message to the next, suggesting to me that these messages are being pumped into the Yahoo system by compromised PCs.

I *believe* that the compromised Yahoo accounts are also the source of the contact lists, but I don't know for sure.

The subject lines were initially blank, but have gradually gotten more complex. Just today I saw one that addressed the recipient (actually a Yahoo group) as "Dear Orthodox," where Orthodox was the name of the Yahoo group.

Once in circulation these distribution lists can persist for months, even after the offender fixes his Yahoo password.

Almost but not quite all of the ones I've seen have been "From:" a Yahoo email address; but all have been distributed via the Yahoo webmail interface.

Sample size probably a 1-200 over the last year* or so (I'm co-moderator of an 800 member email list and member of many other lists and Yahoo groups).

*For some value of "year" -- I'm very poor with time.