[Dshield] Fake Yahoo Email - Too good looking

Mark markt442 at yahoo.com
Tue Jan 20 00:57:09 GMT 2004

Got an email today from Yahoo, seems they have a
problem with my credit card and are cutting me off.
Funny, I don't subscribe to "pay" services with Yahoo,
and hey, it's in my "Bulk Mail" folder - indicating
Yahoo thinks it is SPAM.

The scary thing about this email (below) is there are
no obvious spelling errors, the graphics and URLs
appear to be genuine (when read with MSIE).

Linking to the site (nice with a VMWare system), the
URL is "masked" to http://wallet.yahoo.com; but
actually goes to: 

I pulled an ARIN lookup on the IP and found it to be

I have reported this to Yahoo's Security Team. I've
seen many fakes, but this one I'm sure will catch many
non-experienced users off-gaurd.

Happy hunting


Actual Email

Dear Yahoo! User, 
We encountered a billing error when attempting to
renew your Yahoo! service. This type of error usually
indicates that either the credit card you have on file
has expired or that the billing address we have is not

This is your final notice. Please take a moment to
update your credit card information by clicking here
and submitting your information. 

Please note that we will attempt to renew your service
five days from today. If we are still unable to charge
your credit card at that time, your service will be

Yahoo! Billing Department 

Hyperlink appears to go to: http://wallet.yahoo.com

But actually goes to: 

Header Info (areas concerning my account deleted)

X-Apparently-To: @yahoo.com via; Mon,
19 Jan 2004 10:58:43 -0800 
Return-Path: <support at yahoo-services.com> 
Received: from (HELO
fia195-76.dsl.hccnet.nl) ( by
mta113.mail.sc5.yahoo.com with SMTP; Mon, 19 Jan 2004
10:58:37 -0800 
Received: from yahoo-services.com (yahoo-services.com
[]) by fia195-76.dsl.hccnet.nl
(Postfix) with ESMTP id 799A102731 for
<markt442 at yahoo.com>; Mon, 19 Jan 2004 13:56:30 -0500 
From: "Saleswoman S. Antony"
<support at yahoo-services.com>  Add to Address Book 
To: "Markt" <@yahoo.com> 
Subject: Important Information Regarding Your Account
Date: Mon, 19 Jan 2004 13:56:30 -0500 
<100001c3debd$277862fd$ffb38fb7 at yahoo-services.com> 
MIME-Version: 1.0 
Content-Type: text/html 
Content-Transfer-Encoding: quoted-printable 
X-Priority: 3 (Normal) 
X-MSMail-Priority: Normal 
X-Mailer: Microsoft Outlook, Build 10.0.3416 
Importance: Normal 
X-MimeOLE: Produced By Microsoft MimeOLE
X-Kaspersky-Antivirus: passed 
Content-Length: 1388 

Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes

More information about the list mailing list