[Dshield] Fake Yahoo Email - Too good looking

Mark markt442 at yahoo.com
Tue Jan 20 00:57:09 GMT 2004


Got an email today from Yahoo, seems they have a
problem with my credit card and are cutting me off.
Funny, I don't subscribe to "pay" services with Yahoo,
and hey, it's in my "Bulk Mail" folder - indicating
Yahoo thinks it is SPAM.

The scary thing about this email (below) is there are
no obvious spelling errors, the graphics and URLs
appear to be genuine (when read with MSIE).

Linking to the site (nice with a VMWare system), the
URL is "masked" to http://wallet.yahoo.com; but
actually goes to: 
http://wallet.yahoo.com%00@211.174.60.96/manual/images/

I pulled an ARIN lookup on the IP and found it to be
in Korea : KIDC-INFRA-SERVERHOSTING-INEMPIRE

I have reported this to Yahoo's Security Team. I've
seen many fakes, but this one I'm sure will catch many
non-experienced users off-guard.

Happy hunting

Mark

Actual Email

Dear Yahoo! User, 
We encountered a billing error when attempting to
renew your Yahoo! service. This type of error usually
indicates that either the credit card you have on file
has expired or that the billing address we have is not
current.  

This is your final notice. Please take a moment to
update your credit card information by clicking here
and submitting your information. 

Please note that we will attempt to renew your service
five days from today. If we are still unable to charge
your credit card at that time, your service will be
terminated.   

Sincerely, 
Yahoo! Billing Department 

Hyperlink appears to go to: http://wallet.yahoo.com

But actually goes to: 
http://wallet.yahoo.com%00@211.174.60.96/manual/images/

Header Info (areas concerning my account deleted)



X-Apparently-To: @yahoo.com via 216.136.131.77; Mon,
19 Jan 2004 10:58:43 -0800 
X-YahooFilteredBulk: 62.251.76.195 
Return-Path: <support at yahoo-services.com> 
Received: from 62.251.76.195 (HELO
fia195-76.dsl.hccnet.nl) (62.251.76.195) by
mta113.mail.sc5.yahoo.com with SMTP; Mon, 19 Jan 2004
10:58:37 -0800 
Received: from yahoo-services.com (yahoo-services.com
[129.120.248.100]) by fia195-76.dsl.hccnet.nl
(Postfix) with ESMTP id 799A102731 for
<markt442 at yahoo.com>; Mon, 19 Jan 2004 13:56:30 -0500 
From: "Saleswoman S. Antony"
<support at yahoo-services.com> 
To: "Markt" <@yahoo.com> 
Subject: Important Information Regarding Your Account
MXol6W 
Date: Mon, 19 Jan 2004 13:56:30 -0500 
Message-ID:
<100001c3debd$277862fd$ffb38fb7 at yahoo-services.com> 
MIME-Version: 1.0 
Content-Type: text/html 
Content-Transfer-Encoding: quoted-printable 
X-Priority: 3 (Normal) 
X-MSMail-Priority: Normal 
X-Mailer: Microsoft Outlook, Build 10.0.3416 
Importance: Normal 
X-MimeOLE: Produced By Microsoft MimeOLE
V6.00.2800.1123 
X-Kaspersky-Antivirus: passed 
Content-Length: 1388 
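
The following is an added example, not part of the original post: a mail-filter style check for the link trick described above, where a trusted-looking name sits in the URL's userinfo (before the "@") and the real host is a bare IP address. The function name analyze_link and the finding labels are assumptions made for this illustration; the sample URL is the one quoted in the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# A userinfo string shaped like a DNS name (labels plus an alphabetic TLD).
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def analyze_link(href, display_text=None):
    """Return (real_host, findings) for one hyperlink target."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""  # the host the client actually connects to
    userinfo, at, _ = parts.netloc.rpartition("@")
    if at:
        decoded = unquote(userinfo)
        visible = "".join(ch for ch in decoded if ch.isprintable())
        if visible != decoded:
            # Percent-encoded control character (such as %00) in the userinfo;
            # the post reports the displayed URL stopping at wallet.yahoo.com.
            findings.append("control-char-in-userinfo")
        name = visible.split(":", 1)[0]  # drop any ":password" part
        if HOSTLIKE.match(name):
            findings.append("userinfo-looks-like-host:" + name.lower())
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # host is a name, not an IP literal
    if display_text:
        # Compare the host shown to the reader with the host in the href.
        shown = urlsplit(display_text.strip()).hostname
        if shown and shown != host:
            findings.append("display-host-mismatch")
    return host, findings

if __name__ == "__main__":
    # Link target and visible text as quoted in the post.
    href = "http://wallet.yahoo.com%00@211.174.60.96/manual/images/"
    host, findings = analyze_link(href, "http://wallet.yahoo.com")
    print("connects to:", host)
    for f in findings:
        print("  finding:", f)
```
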

