Yahoo phish caught in action

Many customers and journalists have been asking if I have any sample phishes that could be representative of the disclosed usernames and passwords this week. A colleague of mine actually received one today and I thought I would share it with you.

Here is the body as it appears to the recipient:
Capture of Yahoo phishing email

Looks innocent enough, although it does seem a bit strange that Yahoo! is worried about me having more than 18 megabytes in my mail account when they offer unlimited email space… This is a very unsophisticated phish as they expect you to email them back your credentials.

Image of Reply To: headerYou would expect to notice when replying that the address you are are emailing is “”. This is a bit more common, which is to create a free mail account that looks like it could be an administrative username or to use an unfamiliar country code as a suffix.

Image of Received header
This is the major tip that this message is not legitimate. You will note that the sending server is in Bulgaria. Yet the Yahoo! address is from Hong Kong. The sending account is also a webmail account that is hosting Horde Imp a popular webmail application for ISPs.

So if we piece this all together we have an email purportedly from that wants you to send your credentials to that was sent from a webmail server in Bulgaria. Smells very phishy to me.

I feel like a record that skips, but reset your passwords, never disclose your credentials via email, and only change or submit your password to sites you intentionally visit for that purpose. Even this may not be enough protection if your anti-virus isn’t up to date, so be sure to follow safe computing practices.

We have seen trojans before that will change your hosts file to direct well known domains to phishing sites.