XSS
Hungry_Hunter, 2013-02-22 16:52:02

Rambler mail XSS vulnerability

A few days ago, my old mailbox on Rambler was stolen from me, and the passwords were changed on 10+ sites, including Habr.
Unfortunately, it so happened that quite a lot of important sites, and ICQ, were tied to it.
The hacker gained access using XSS and demanded money, namely 1000 rubles.
I paid the money, but in the end, as expected, he did not return anything. Well, God be with them.
During these 3 days I restored access to ICQ, the mail and almost all of the sites where the passwords had been changed.

But today we have been fighting him all day over my Sape account.
He changes the password and tries to withdraw money from the account.

He does this as follows:
- Sets up forwarding of letters from my mailbox to his mailbox
- Requests password recovery in Sape
- Changes the password and requests a withdrawal. The amount is a ridiculous 160 rubles.

I change the forwarding address back to my own and turn forwarding off, but after a while he changes it again and puts in his email.

Question: how does he do it? Moreover, as I understand it, he cannot change the password on Rambler, otherwise he would have changed it long ago.
In Sape, I have already requested a mailbox change. But I still really want to know how he does it.

P.S. I changed the mail password by logging in from another computer. The old session is still active on the old one, and I can still use the mail from it.
It's just a nightmare! Well, who does that?

I called Rambler and asked them to reset all sessions. We are waiting to see what happens next.

I also plan to write a statement to the police.

I have:
- His IP addresses (Kyiv and Dnepropetrovsk), most likely a VPN
- A +380 phone number registered about a month ago
- A WMID registered about a month ago, with a formal passport and a BL under a hundred

Question: where is the best place to go with all this?

P.S. Is it worth writing an article on how to quickly restore lost access to Rambler mail?
Many complain that it takes months.

5 answers

Hungry_Hunter, 2013-02-23
@Hungry_Hunter

As expected, calling Rambler and asking them to reset all current sessions helped.
There is no such function in the personal account; in fact, there is nothing else there either, not even binding to a phone number.

prabhu, 2013-02-22
@prabhu

Have you thought about a Trojan with a keylogger on your PC?

Lisio, 2013-02-22
@Lisio

Boot from a live CD, with Ubuntu for example, and try to carry out the same operations.

cexmet, 2013-02-22
@cexmet

Either this is subtle banter, or idiocy. What other sessions? It is quite obvious that this is a Trojan on your computer.
Where does such childish naivety regarding Kaspersky come from? There is no antivirus in the world that gives a 100% guarantee, and it is unlikely that one will ever appear.
For me personally, the next steps are obvious:
1. reinstall the system
2. install updates, an antivirus and a firewall
3. install programs from the official sites (what is on the disk may already be infected)
4. sequentially change the passwords for all resources; it would also be good to change the secret questions.
And for the future: the NoScript plugin for FF or Chrome, avoid visiting shady sites and links from the mail.

Denis Ogurtsov, 2013-02-22
@DenisOgr

Log into Rambler mail on two computers with the same account.
On one of the computers, change the mail password.
And lo and behold: the second computer, which logged in earlier, is not thrown out of the mail; it can still read letters.
So the hacker, being authorized in my mail, remained authorized after I changed the password.

Weird.
On my sites, I check the username and hash of the user in the session against the username and hash in the database every time a page loads.
And why do they do it this way? What's the catch?
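The behaviour Denis describes (a session that outlives a password change) and the check he runs on his own sites, as an added example that is not code from the page, from Rambler or from any of the posters. It is an in-memory session store in Python, written for this thread: with `bind_to_password=False` a stolen session keeps working after the owner changes the password, exactly as in the question; with `bind_to_password=True` every other session is tied to a fingerprint of the current password hash and stops validating on the next request, while the session that made the change is re-bound so the owner is not logged out. `revoke_all_sessions` is the "reset all sessions" operation that Hungry_Hunter had to obtain by phoning support. All names, the PBKDF2 parameters and the sample account are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is illustrative, not a tuning recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class User:
    def __init__(self, name: str, password: str):
        self.name = name
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        # Bumped by "log out everywhere"; each session records the value it was minted under.
        self.session_generation = 0

    def password_fingerprint(self) -> bytes:
        # Do not copy the password hash itself into the session table; a one-way
        # derivation of it is enough to detect that the password has changed.
        return hashlib.sha256(b"session-binding:" + self.pw_hash).digest()


class SessionStore:
    """In-memory session table. bind_to_password=False reproduces the behaviour
    Denis observed on Rambler: sessions survive a password change."""

    def __init__(self, bind_to_password: bool = True):
        self.bind_to_password = bind_to_password
        self._sessions: dict[str, dict] = {}

    def login(self, user: User, password: str):
        if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "fingerprint": user.password_fingerprint(),
            "generation": user.session_generation,
        }
        return token

    def is_valid(self, token: str) -> bool:
        """The per-request check: does the session still match the account's current credentials?"""
        s = self._sessions.get(token)
        if s is None:
            return False
        if not self.bind_to_password:
            return True  # the naive store trusts the cookie for its whole lifetime
        user = s["user"]
        if s["generation"] != user.session_generation:
            return False  # revoked by "log out everywhere"
        return hmac.compare_digest(s["fingerprint"], user.password_fingerprint())

    def change_password(self, token: str, old: str, new: str) -> bool:
        """Change the password from an authenticated session. Every other session of this
        user stops validating; the calling session is re-bound so the owner stays logged in."""
        s = self._sessions.get(token)
        if s is None or not self.is_valid(token):
            return False
        user = s["user"]
        if not hmac.compare_digest(hash_password(old, user.salt), user.pw_hash):
            return False
        user.salt = os.urandom(16)
        user.pw_hash = hash_password(new, user.salt)
        s["fingerprint"] = user.password_fingerprint()
        return True

    def revoke_all_sessions(self, user: User) -> None:
        """Invalidate every session of the user at once, including the current one;
        the owner simply logs in again with the new password."""
        user.session_generation += 1


def demo(bind_to_password: bool) -> dict:
    """Owner and attacker both hold a session; the owner changes the password, then revokes all."""
    store = SessionStore(bind_to_password)
    user = User("hungry_hunter", "old-password")  # constructed sample account
    owner = store.login(user, "old-password")
    attacker = store.login(user, "old-password")  # stolen credential, used from another machine
    assert store.change_password(owner, "old-password", "new-password")
    after_change = (store.is_valid(owner), store.is_valid(attacker))
    store.revoke_all_sessions(user)
    after_revoke = (store.is_valid(owner), store.is_valid(attacker))
    return {"after_change": after_change, "after_revoke": after_revoke}


if __name__ == "__main__":
    print("naive store:   ", demo(False))  # attacker's session survives everything
    print("hardened store:", demo(True))   # attacker is out after the change, everyone after revoke
```

The "catch" Denis asks about is cost: a store that only trusts the cookie needs no database lookup per request, which is why some large mail providers did it that way. Binding the session to a fingerprint of the password hash (or to a generation counter the user can bump) costs one lookup per request and gives the owner a way to throw an intruder out without phoning support.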
