By Robert McMillan and Deepa Seetharaman 

The U.S. criminal charges over a major security breach at Yahoo Inc. detailed how hackers turned the company's network against its users and then erased the attackers' digital footprints from the system.

Authorities said the hackers engaged in an extraordinary spree of cyber skulduggery, stealing information and sending millions of spam messages, after attackers obtained access to more than 500 million accounts starting in early 2014.

The attackers specifically targeted accounts of an eclectic range of individuals -- from investigative reporters to U.S. technology employees to Russian and U.S. government officials, according to federal prosecutors and Federal Bureau of Investigation officials Wednesday. Among the targets: a Nevada gaming official, a consultant who analyzed Russia's bid for World Trade Organization membership, and 14 employees of a Swiss financial firm specializing in bitcoin.

Authorities said one of the hackers, Alexsey Belan, manipulated the results of some users' searches on Yahoo to direct people to an online pharmacy that paid Mr. Belan for the traffic.

At the heart of the criminal-information enterprise was an important Yahoo system called the User Database, U.S. authorities said. It was a treasure trove of information, containing usernames, alternative email accounts and phone numbers.

Yahoo had protected its users' passwords with a technique called hashing, which would have made them hard to recover. But the hackers didn't need the passwords, the indictment unveiled Wednesday said. By stealing a set of unique, near-random numbers attached to Yahoo accounts, they were able to forge the small login tokens known as session cookies.

In the hackers' hands, these session cookies tricked Yahoo's servers into thinking that legitimate users who had previously logged in to their accounts were returning to the site.
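The forgery the indictment describes works only because the material needed to mint a valid cookie sat in the same database the attackers had already dumped. The following Python is an added illustration, not code from the article or from Yahoo: it models a toy cookie scheme keyed by a per-account nonce stored in the user database, replays the attack against it with nothing but a database dump and the minting code, and then shows a hardened design keyed by a server-held secret and bound to a revocable server-side session. The field names, cookie format and sample row are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample user-database row. The per-account "nonce" stands in for the
# near-random account-linked numbers the indictment describes; the field name and
# the cookie format below are assumptions for illustration, not Yahoo's real design.
USER_DB = {
    "alice": {"nonce": bytes.fromhex("9f2e6c1d4b8a7e3f0c5d2a1b6e9f8c7d")},
}


def mint_db_derived_cookie(user, expires, user_db):
    """Weak design: the cookie's authenticity tag is keyed only by material that
    sits in the user database. Anyone holding a dump of that database plus this
    minting code can produce a cookie for any account without a password."""
    payload = f"{user}|{expires}".encode()
    tag = hmac.new(user_db[user]["nonce"], payload, hashlib.sha256).hexdigest()
    return f"{user}|{expires}|{tag}"


def verify_db_derived_cookie(cookie, now, user_db):
    """Server-side check for the weak design; returns the user or None."""
    try:
        user, expires, tag = cookie.split("|")
    except ValueError:
        return None
    if user not in user_db or int(expires) <= now:
        return None
    expected = hmac.new(user_db[user]["nonce"], f"{user}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


class SessionStore:
    """Hardened design: the tag is keyed with a server secret that never lives in
    the user database (in production, a KMS/HSM-held key), and the cookie names a
    random session id that must still exist in a server-side session table.
    A user-database dump alone therefore forges nothing, and sessions can be
    revoked on logout or password change."""

    def __init__(self, server_key):
        self._key = server_key
        self._sessions = {}  # session id -> user

    def _tag(self, user, sid, expires):
        return hmac.new(self._key, f"{user}|{sid}|{expires}".encode(),
                        hashlib.sha256).hexdigest()

    def login(self, user, expires):
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return f"{user}|{sid}|{expires}|{self._tag(user, sid, expires)}"

    def verify(self, cookie, now):
        try:
            user, sid, expires, tag = cookie.split("|")
        except ValueError:
            return None
        if not hmac.compare_digest(tag, self._tag(user, sid, expires)):
            return None
        if int(expires) <= now or self._sessions.get(sid) != user:
            return None
        return user

    def revoke_all(self, user):
        """Password change or forced logout: drop every live session for the user."""
        for sid in [s for s, u in self._sessions.items() if u == user]:
            del self._sessions[sid]


def demo(now=1_700_000_000):
    """Replay the attack against both designs; returns the outcomes by name."""
    dump = {u: dict(row) for u, row in USER_DB.items()}  # attacker's stolen copy
    later = now + 3600

    # Weak design: the dump plus the minting code is a working cookie for alice.
    forged = mint_db_derived_cookie("alice", later, dump)
    weak_accepts_forgery = verify_db_derived_cookie(forged, now, USER_DB) == "alice"

    # Hardened design: the best the dump offers is the nonce, which is not the
    # server key, and no session row exists for the attacker's invented id.
    store = SessionStore(server_key=secrets.token_bytes(32))
    sid = secrets.token_hex(16)
    bad_tag = hmac.new(dump["alice"]["nonce"], f"alice|{sid}|{later}".encode(),
                       hashlib.sha256).hexdigest()
    hardened_rejects_forgery = store.verify(f"alice|{sid}|{later}|{bad_tag}", now) is None

    # A real login works until revoked; revocation kills an outstanding cookie.
    real = store.login("alice", later)
    legit_accepted = store.verify(real, now) == "alice"
    store.revoke_all("alice")
    revoked_rejected = store.verify(real, now) is None

    return {
        "weak_accepts_forgery": weak_accepts_forgery,
        "hardened_rejects_forgery": hardened_rejects_forgery,
        "legit_accepted": legit_accepted,
        "revoked_rejected": revoked_rejected,
    }
```

In the weak design the only remedy after a database theft is to rotate every account's nonce, which invalidates all outstanding cookies at once, legitimate ones included. The hardened design still has a residual risk: a legitimate cookie stolen from a user's browser works until it expires or is revoked, which is why short lifetimes and revocation on password change matter, and the server key becomes a single high-value secret that belongs in an HSM or KMS rather than on the application hosts.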

The hackers also accessed Yahoo's Account Management Tool, which the company used to manage and edit the User Database. Combining it with the database, the hackers could identify backup email accounts users had elsewhere -- effectively creating a map of the companies or organizations where Yahoo users may have worked. They got access to the contents of more than 6,500 Yahoo accounts, and then used that information to break into others, including those belonging to diplomats, lawmakers and technology employees, the FBI said.

Separately, Mr. Belan used his virtual cookie factory to access more than 30 million Yahoo accounts to steal contact information and send spam, the FBI said. He also searched through Yahoo accounts for Google and Apple Inc. passwords, credit-card information and gift-card data, searching for phrases such as "amex," "Google," or "itunes...account," the FBI said.
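Keyword hunting of that kind leaves a signal in mailbox search logs: one client address running credential-themed queries across many different accounts, which no single legitimate user does. The following Python is an added detection example, not part of the article and not a Yahoo tool; the log format, field names, addresses and sample lines are all constructed for the illustration, and the term list is seeded from the phrases the FBI cited.

```python
import re
from collections import defaultdict

# Constructed sample audit log (not a real Yahoo log): one line per mailbox search,
# with the client source address, the account searched, and the query string.
SAMPLE_LOG = """\
2014-11-03T10:01:02Z src=203.0.113.7 acct=u100 q="amex"
2014-11-03T10:01:05Z src=203.0.113.7 acct=u101 q="itunes account"
2014-11-03T10:01:09Z src=203.0.113.7 acct=u102 q="google password"
2014-11-03T10:01:12Z src=203.0.113.7 acct=u103 q="gift card"
2014-11-03T10:02:00Z src=198.51.100.4 acct=u500 q="flight confirmation"
2014-11-03T10:02:30Z src=198.51.100.4 acct=u500 q="amex"
2014-11-03T10:03:00Z src=192.0.2.9 acct=u700 q="lunch"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) acct=(?P<acct>\S+) q="(?P<q>[^"]*)"$'
)

# Phrases the FBI said the attacker searched for, plus close variants (assumed).
CREDENTIAL_TERMS = ("amex", "google", "itunes", "gift card", "password", "credit card")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def flag_mass_credential_searches(text, min_accounts=3, min_hits=2):
    """Flag a source that runs credential-hunting queries across many distinct
    accounts. Keying on the client address rather than the session matters here:
    with forged cookies, every account the attacker opens looks like a separate
    logged-in session, but they all come from the same place."""
    accounts = defaultdict(set)
    hits = defaultdict(int)
    for rec in parse_log(text):
        accounts[rec["src"]].add(rec["acct"])
        if any(term in rec["q"].lower() for term in CREDENTIAL_TERMS):
            hits[rec["src"]] += 1
    return {
        src: {"accounts": len(accts), "credential_hits": hits[src]}
        for src, accts in accounts.items()
        if len(accts) >= min_accounts and hits[src] >= min_hits
    }
```

A single user searching their own mailbox for "amex" is normal and is not flagged; the thresholds are tunable, and in practice the source key would be a client fingerprint (address plus user agent or TLS fingerprint) rather than a bare IP, since an attacker behind a large proxy pool spreads the same pattern across many addresses.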

Perhaps the most remarkable feat was Mr. Belan's alleged hijacking of Yahoo Search.

A person briefed on the matter said that Mr. Belan altered the code on a small set of Yahoo's servers, allowing him to change the results that appeared when users searched for prescription drugs for erectile dysfunction.

Users were redirected to an online Canadian pharmacy when they typed in one of three search phrases, according to the person, who added that the results were altered for two weeks in November 2014.

The precise keywords couldn't be learned. It wasn't clear how many times those keywords were searched or how prominent the links were in the results. It is also unclear what layer of the search server Mr. Belan targeted and if he was able to reach Yahoo's underlying search algorithms.

One theory is that Mr. Belan attacked the so-called middleware, or the software that takes the results of the search servers and feeds them to the user, cybersecurity experts said. Mr. Belan may have also been able to accomplish this by attacking the paid search auction results and putting the fraudulent links at the top of the list.

Mr. Belan, who has been on the FBI's most-wanted hackers list since 2012, was arrested in Europe in 2013 but escaped to Russia before he could be extradited, the Justice Department said. He couldn't be reached for comment Wednesday. A Russian official said Washington hadn't consulted Moscow on the case, and suggested the allegations were related to domestic politics in the U.S.

The indictment doesn't make clear how the hackers were able to get into Yahoo's systems. Their attack, which Yahoo first disclosed this past September, is one of two massive breaches at the internet company. The charges don't cover the second one, which occurred in 2013 and affected more than one billion accounts. In that earlier attack, the hackers sold a massive database of Yahoo usernames and passwords, which were protected by weaker cryptographic techniques than the 2014 data, according to the security-research firm InfoArmor Inc.

Write to Robert McMillan at Robert.Mcmillan@wsj.com and Deepa Seetharaman at Deepa.Seetharaman@wsj.com


(END) Dow Jones Newswires

March 17, 2017 02:47 ET (06:47 GMT)

Copyright (c) 2017 Dow Jones & Company, Inc.