Yahoo! user account phishing

Published: 2006-07-06
Last Updated: 2006-07-06 00:10:23 UTC
by Bojan Zdrnja (Version: 1)

One of our readers, Bill, recently sent us some information about a fairly decent phishing web site.
The web site, which you can see below, is actually hosted on Geocities. The URL will immediately alert any user who knows what he is looking for (and this is why we cannot stress enough how important user awareness and education are).
As you can see below, the design is fairly good, and if you don't check the URL you might well be fooled into entering your credentials here.





There are a couple of issues here about which we wrote recently (http://isc.sans.org/diary.php?storyid=1277). While the original diary by Johannes looked at bank web sites, Yahoo! has a similar problem: although the credentials themselves are transmitted securely (over SSL), the front page that carries the login form appears to be served over plain HTTP.
A typical user has no way to check what actually happens once he clicks the "Login" button, and anyone who can tamper with the unprotected front page (or, as here, simply copy it) can point the form wherever he likes, so the SSL on the real login script never comes into play. That makes phishing attacks like this one very easy to launch.
That's why the front page with the login form should itself be served over SSL at the very least (yes, there are numerous other attacks on this, but let's stick to the subject for the moment).

Back to the phishing web page. Once a user tries to log in, his credentials are sent to a CGI script on a remote site, which then (probably) e-mails them to the attacker.
The last interesting thing is the obfuscation of the HTML. The attacker used a product called HTML Protector. This tool basically just obfuscates the HTML with JavaScript, but since the browser still has to parse and render the page, the decoding routine always has to be shipped along with it; with a little spare time you can easily recover the original markup.
