Sunday, September 25, 2016

Not a lot of "yahoo" at YAHOO! - PART II

Update 16 DEC: With the recent announcement of yet another Yahoo! breach, this time dating from 2013, I fully expect that the information below also applies to data from 2013, not just to the 2014 breach.

Following on from my previous blog post, I decided to give more attention to the domains aspect of the Yahoo! data leak.

Side Note: This blog post is not intended to discourage or force anyone to stop using Yahoo! services. Like any other provider, Yahoo! maintains a high level of security and complies with international laws and best practices. This article does, however, address the data that was leaked in 2014, a leak Yahoo! has confirmed, and tries to provide more insight into the persons possibly affected by it.

As articles like the one on CNN Money state, many people may have Yahoo! accounts without even knowing it. A prime example is the email hosting that Yahoo! offers via its business email services: you get your own email address on your own domain, while Yahoo! manages all the back-end work.

Similar to how Google lets you host your domain with Google Apps, Yahoo! lets you host your domain, and thus your email and other services, with them. This means, of course, that the login account Yahoo! kept in its database for your "custom" domain was also stolen in the leak.

I decided to do an analysis to see which domains host their services with Yahoo!. The best way for me to achieve this, as someone who loves password cracking, was to take a wordlist of domains and look up their MX records to see who hosts their email.

My research led me to believe that Yahoo!'s email services would point to an MX record like the ones below:
  • am0.yahoodns.net
  • mx-biz.mail.am0.yahoodns.net.
The common pattern is that am0.yahoodns.net is associated with Yahoo! accounts, in particular email, since we are looking at MX records here.

Using a wordlist of 560 000 domain names, I set out to find which of them host their email at Yahoo!. I already knew of some, so I used those to double-check my script's findings. Keep in mind that this is not necessarily a complete list, since my data source was 560 000 domains, not all domains.

A Python script was written to perform MX lookups on all 560 000 domains and log the ones hosted at Yahoo!. The results of my findings are shown below.
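The check described above, as an added example that is not the author's script: it matches each domain's MX exchanges against am0.yahoodns.net on whole DNS labels (so a trailing dot, letter case, or a host that merely contains the string do not confuse it) and tallies hits per TLD. The live resolver function assumes dnspython is installed; the sample MX answers are constructed and are not real records.

```python
from collections import Counter

# MX suffix the post identifies with Yahoo!-hosted mail (business mail included).
YAHOO_MX_SUFFIX = "am0.yahoodns.net"

def is_yahoo_mx(exchange):
    """True if an MX exchange host is am0.yahoodns.net or a subdomain of it.
    Matching on DNS labels (not a substring search) keeps hosts such as
    'am0.yahoodns.net.other.example' or 'xam0.yahoodns.net' from matching."""
    host = exchange.rstrip(".").lower()   # FQDNs may carry a trailing dot
    return host == YAHOO_MX_SUFFIX or host.endswith("." + YAHOO_MX_SUFFIX)

def hosted_at_yahoo(domain, mx_lookup):
    """mx_lookup(domain) returns the domain's MX exchange hostnames; any
    lookup failure (NXDOMAIN, no MX record, timeout) counts as not hosted."""
    try:
        exchanges = mx_lookup(domain)
    except Exception:
        return False
    return any(is_yahoo_mx(x) for x in exchanges)

def tld_breakdown(domains):
    """Count hits per top-level domain, as in the post's .COM/.NET/.ORG figures."""
    return Counter(d.rstrip(".").rsplit(".", 1)[-1].lower() for d in domains)

def scan(wordlist, mx_lookup):
    """Return (domains hosted at Yahoo!, per-TLD counts) for a domain wordlist."""
    hits = [d for d in wordlist if hosted_at_yahoo(d, mx_lookup)]
    return hits, tld_breakdown(hits)

def dns_mx_lookup(domain):
    """Live resolver via dnspython (assumed installed); unused by the sample run."""
    import dns.resolver
    return [r.exchange.to_text() for r in dns.resolver.resolve(domain, "MX")]

# Constructed sample answers standing in for live DNS; these are not real records.
SAMPLE_MX = {
    "shop.example.com": ["mx-biz.mail.am0.yahoodns.net."],
    "clinic.example.org": ["MTA7.AM0.YAHOODNS.NET"],             # case differs, still a hit
    "firm.example.net": ["aspmx.l.google.com."],                  # Google Apps, not Yahoo!
    "lookalike.example.biz": ["am0.yahoodns.net.other.example"],  # substring would mis-fire
    "silent.example.info": [],                                    # no MX record at all
}

if __name__ == "__main__":
    hits, tlds = scan(list(SAMPLE_MX), SAMPLE_MX.__getitem__)
    print("hosted at Yahoo!:", hits)       # ['shop.example.com', 'clinic.example.org']
    print("per-TLD counts:", dict(tlds))   # {'com': 1, 'org': 1}
```

To run it against a real wordlist, pass `dns_mx_lookup` instead of the sample dictionary; resolver timeouts are then the main source of false negatives, so a retry pass over failed domains is worth adding.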

Number of Domains using Yahoo! Email Services

My research shows that at least 572 162* domains use Yahoo! as their email provider, and thus Yahoo!'s web-based account services and portals.
(* Thanks to Royce Williams (@TychoTithonus on Twitter) for adding a large number of domains to our checker.)

Country-Domain Breakdown (and other TLDs)

Which countries are using Yahoo! Email for their domains?

.COM accounted for the most, with 461 911 domains.
Following that were .NET with 44 128 and .ORG with 36 150.

Note: Only countries with 10+ domains were counted; there are many more in the 1-10 category.

The USA is shown in a separate graph below, as there were too many to include with the other countries.

Clearly, the .COM market is Yahoo!'s major driver in hosted domains.

Interesting finds among the hosted domains include churches, medical companies, a lot of legal firms, online stores and pharma companies.

Is my Domain on Yahoo!'s platform?

I did not want to release the list of domains I found pointing to Yahoo!'s mail services, so I decided instead to let users search for their domain in my list and see whether it is hosted with Yahoo!.

You can do that here: http://yahoocheck.bitcrack.net

If your domain is hosted with Yahoo! and you used it on or before 2014, there is a chance your data was compromised in the leak.

Conclusion

It is clear that, with the stolen login information, attackers have had 2 years to get into not only @yahoo.com accounts but also a vast array of domains belonging to other companies and organizations. This is clearly a major impact on people and companies, one that may only be realized much later on.



-Dimitri Fousekis (@rurapenthe0)
Dimitri is Chief Technology Officer at Bitcrack Cyber Security.