Yahoo phish caught in action

Filed Under: Spam

Many customers and journalists have been asking if I have any sample phishes that could be representative of the disclosed usernames and passwords this week. A colleague of mine actually received one today and I thought I would share it with you.

Here is the body as it appears to the recipient:

[Image: capture of the Yahoo phishing email]

Looks innocent enough, although it does seem a bit strange that Yahoo! is worried about me having more than 18 megabytes in my mail account when they offer unlimited email space... This is a very unsophisticated phish as they expect you to email them back your credentials.

[Image: the Reply-To header]

You would expect to notice when replying that the address you are emailing is "webmailupgrade001@yahoo.com.hk". This part of the scam is more common: the phisher creates a free mail account whose name looks like it could belong to an administrator, or uses an unfamiliar country-code suffix such as .hk.

[Image: the Received header]

This is the major tip-off that the message is not legitimate. You will note that the sending server is in Bulgaria, yet the Yahoo! address is from Hong Kong. The sending account is also a webmail account hosted on Horde IMP, a popular webmail application for ISPs.

So if we piece this all together we have an email purportedly from info@yahoo.com that wants you to send your credentials to yahoo.com.hk that was sent from a webmail server in Bulgaria. Smells very phishy to me.
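The three header checks walked through above (Reply-To versus From, where the Received chain actually starts, and the webmail submission) can be scripted so a mail administrator or analyst can run them over a saved message. This is an added example and not code from the post or from Sophos; the message it parses is constructed, with placeholder hostnames, addresses and dates that only mirror the shape of the phish described (From at yahoo.com, Reply-To at yahoo.com.hk, handed in by a webmail server under a .bg hostname).

```python
"""Header consistency checks of the kind walked through in the post.

Added example, not code from the post or from Sophos. SAMPLE_PHISH is a
constructed message: every hostname, IP address and date is a placeholder.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not the real phish's headers).
SAMPLE_PHISH = """\
Received: from webmail.example.bg (webmail.example.bg [198.51.100.7])
    by mx.recipient.example (Postfix) with ESMTP id ABC123
    for <victim@recipient.example>; Mon, 16 Jul 2012 10:00:00 +0000
Received: from 203.0.113.5 by webmail.example.bg (Horde Framework) with HTTP;
    Mon, 16 Jul 2012 09:58:00 +0000
From: Yahoo Mail <info@yahoo.com>
Reply-To: webmailupgrade001@yahoo.com.hk
To: victim@recipient.example
Subject: Upgrade your mailbox

Your mailbox has exceeded 18 MB. Reply with your username and password.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def first_from_token(received_value):
    """The host or IP named after 'from' in a Received header ('?' if absent)."""
    m = re.match(r"\s*from\s+(\S+)", received_value)
    return m.group(1).lower() if m else "?"


def is_hostname(token):
    return any(c.isalpha() for c in token)


def tld(name):
    return name.rsplit(".", 1)[-1]


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def analyze(raw_message):
    """Return a report dict: parsed domains, the Received hops (newest first,
    as they appear in the message) and a list of human-readable findings."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    received = msg.get_all("Received", [])
    hops = [first_from_token(v) for v in received]
    findings = []

    # 1. Reply-To pointing somewhere other than the claimed sender's domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. No hop in the delivery chain belongs to the domain the mail claims to be from.
    if from_dom and not any(in_domain(h, from_dom) for h in hops):
        findings.append(f"no Received hop is under {from_dom}")

    # 3. Hops under country-code TLDs other than the From domain's own suffix.
    foreign = sorted({tld(h) for h in hops
                      if is_hostname(h) and len(tld(h)) == 2 and tld(h) != tld(from_dom)})
    if foreign:
        findings.append("hops under unexpected country-code TLDs: " + ", ".join(foreign))

    # 4. A hop accepted "with HTTP" means the message was composed in a webmail client.
    if any(re.search(r"\bwith HTTP\b", v) for v in received):
        findings.append("message was submitted through a webmail interface (Received ... with HTTP)")

    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "hops": hops, "findings": findings}


if __name__ == "__main__":
    for line in analyze(SAMPLE_PHISH)["findings"]:
        print("-", line)
```

Run it against a message saved as raw text (`analyze(open("msg.eml").read())`). Received headers are read newest-first, so the last hop in the report is the one closest to the real sender; the country-code check is deliberately crude and only asks whether any relay sits under a suffix the claimed sender would have no reason to use.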

I feel like a record that skips, but reset your passwords, never disclose your credentials via email, and only change or submit your password to sites you intentionally visit for that purpose. Even this may not be enough protection if your anti-virus isn't up to date, so be sure to follow safe computing practices.

We have seen trojans before that will change your hosts file to direct well known domains to phishing sites.
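Such a hosts-file change is easy to check for, since the file is plain text: any well-known domain pinned to a routable address (rather than to loopback or 0.0.0.0, the usual ad-blocking pattern) has been redirected to a server the user did not choose. The script below is an added example, not code from the post or from Sophos; the hosts file it parses is constructed, the addresses in it are documentation-range placeholders, and the watchlist of domains is an assumption you would replace with the sites you care about.

```python
"""Check a hosts file for well-known domains pinned to unexpected addresses.

Added example, not code from the post or from Sophos. HOSTS_SAMPLE is a
constructed file; the IP addresses in it are placeholders.
"""
import ipaddress
import os
import platform

# Constructed hosts file: ordinary entries plus two lines of the sort a
# hosts-file trojan would inject (203.0.113.77 is a placeholder address).
HOSTS_SAMPLE = """\
127.0.0.1       localhost
::1             localhost
# the line below is a constructed 'injected' entry
203.0.113.77    www.yahoo.com login.yahoo.com
0.0.0.0         ads.example
10.0.0.5        intranet.example
"""

# Assumed watchlist: domains that should never be pinned in a hosts file.
WATCHLIST = ("yahoo.com",)


def hosts_file_path():
    """Default location of the hosts file on the running platform."""
    if platform.system() == "Windows":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def on_watchlist(name, watchlist=WATCHLIST):
    return any(name == d or name.endswith("." + d) for d in watchlist)


def suspicious_entries(text, watchlist=WATCHLIST):
    """Watch-listed hostnames mapped to a routable address, as (name, ip) pairs.

    Loopback and unspecified (0.0.0.0) pins are the common ad-blocking pattern
    and are skipped; anything else sends the domain to a server the user did
    not pick. A malformed address on a watch-listed line is reported as well.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if not on_watchlist(name, watchlist):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append((name, ip))
    return hits


if __name__ == "__main__":
    print("sample:", suspicious_entries(HOSTS_SAMPLE))
    path = hosts_file_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path + ":", suspicious_entries(fh.read()))
    except OSError as exc:
        print("could not read", path, exc)
```

On a clean machine the hosts file normally contains only loopback entries and whatever an administrator added deliberately, so a non-empty result for a watch-listed domain is worth investigating rather than silently fixing: note the address it points to before restoring the file.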


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.