Wednesday, April 12, 2006

Searching for IM Phisher

Today I got an instant message from a friend that had a link to a geocities web page. On this page, there is a caption that says "View My Pics" and a box that appears to be a Yahoo! login form. If you type your username / password and click on Submit, guess what happens? You've been friggin' jacked! You have officially been introduced to the wild and wacky world of phishing.

There is nothing new about phishing. I have received dozens of emails trying to get me to enter my eBay or PayPal passwords. The only thing different about this scam is that it is instant messenger based AND viral.

What is happening is this:
  • Someone sent out a bunch of IMs to a bunch of Yahoo! IM users.
  • The message contained a link to a page that has a fake Yahoo! login form.
  • When the victim enters their username/password and logs in, the username/password is captured and emailed to the perpetrator.
  • The phisher takes the list of usernames and passwords and sends it to a bot that logs in as each of the victims.
  • The bot downloads the victim's Yahoo! contact list.
  • The exact same IM message is sent to everyone in the hacked Yahoo user's contact list.
  • The phisher proceeds to "Rinse and repeat".
The golden rule is...
NEVER ENTER YOUR USERNAME AND PASSWORD ON A WEBSITE VIA A LINK THAT SOMEONE SENDS YOU! You should always follow the rules below when submitting your username and password to a web site:
  • Never click on a link in an IM or email and then login.
  • Never log in from a URL that has a different web site address than the site you are trying to log in at. For example, do not log in from http://br.geocities.com when you are trying to log in at http://www.yahoo.com. It is possible that the www part may be different, but be VERY wary of a site where the last two parts of the web site name (everything after the second-to-last period) are different.
  • If you are trying to log in to www.google.com, then the following URLs may be ok:
    • www.google.com
    • login.google.com
    • user-login.google.com
    • authenticate.google.com
  • If you are trying to log in to www.google.com, then the following URLs are probably phishers:
    • www.googlelogin.com
    • login.googlesite.com
    • www.blogspot.com
    • www.geocities.com
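The "last two parts of the web site name" rule above, as an added example (not code from the original post): a small Python check that compares the last two host-name labels of a login link against the site you meant to log in at, run over the post's own sample URLs. The function names and the two sample lists are my own.

```python
from urllib.parse import urlparse

# Added example implementing the post's rule of thumb: a login form is only
# acceptable if the last two labels of its host name (e.g. "google.com")
# match the last two labels of the site you intend to log in to.
# Caveat: for hosts under suffixes like "co.uk" the last two labels are the
# suffix itself, so this comparison alone is not enough there.


def host_of(url: str) -> str:
    """Extract the host name from a URL or bare host, lower-cased."""
    if "://" not in url:
        url = "http://" + url  # treat a bare host like "www.google.com" as a URL
    host = urlparse(url).hostname  # drops scheme, port, path and query
    return (host or "").lower().strip(".")


def site_key(url: str) -> str:
    """Return the last two labels of the host ("www.google.com" -> "google.com")."""
    labels = host_of(url).split(".")
    return ".".join(labels[-2:])


def is_same_site(login_url: str, intended_site: str) -> bool:
    """True if the login page shares its last two host labels with the intended site."""
    key = site_key(login_url)
    return bool(key) and key == site_key(intended_site)


def classify(urls, intended_site):
    """Label each candidate login URL as 'ok' or 'suspicious' per the post's rule."""
    return {u: ("ok" if is_same_site(u, intended_site) else "suspicious") for u in urls}


# Sample input constructed from the post's own lists, checked against www.google.com
LIKELY_OK = ["www.google.com", "login.google.com",
             "user-login.google.com", "authenticate.google.com"]
LIKELY_PHISH = ["www.googlelogin.com", "login.googlesite.com",
                "www.blogspot.com", "www.geocities.com"]

if __name__ == "__main__":
    for url, verdict in classify(LIKELY_OK + LIKELY_PHISH, "www.google.com").items():
        print(f"{verdict:10s} {url}")
```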
Phishers are getting more and more aggressive and you need to be on high alert before you type your username and password and click submit. Always make sure you know what site you are logging into before clicking that submit button. In this case, I did not fall victim to the phishing attempt, but two of my friends did. Luckily, the phishing bot did not change the victims' passwords.

I reported the phisher to Yahoo!'s phishing crew (phishing-abuse@cc.yahoo-inc.com). The link is now dead.

If you aren't familiar with phishing, then you can read more about it on Wikipedia:
http://en.wikipedia.org/wiki/Phishing