[Dshield] Fake Yahoo Email - Too good looking

Johannes B. Ullrich jullrich at sans.org
Tue Jan 20 05:04:43 GMT 2004


Site is now shut down. Thanks Mark!

NOTE:

We got a bunch of replies from anti virus software
to the prior message. I removed the offending character
from this message.

While it is good that Anti-Virus software catches these
URLs, please DO NOT configure your software to reply to
email that appears to be infected.



> http://wallet.yahoo.com%00@211.174.60.96/manual/images/
> 
> I pulled an ARIN lookup on the IP and found it to be
> in Korea : KIDC-INFRA-SERVERHOSTING-INEMPIRE
> 
> I have reported this to Yahoo's Security Team. I've
> seen many fakes, but this one I'm sure will catch many
> non-experienced users off-guard.
> 
> Happy hunting
> 
> Mark
> 
> Actual Email
> 
> Dear Yahoo! User, 
> We encountered a billing error when attempting to
> renew your Yahoo! service. This type of error usually
> indicates that either the credit card you have on file
> has expired or that the billing address we have is not

-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
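
The URL quoted above puts a hostname-looking string in front of `@`, so the host actually contacted is the IP address after it. As an added example (not part of the original messages), here is one way a mail or proxy filter could flag that pattern; the function name `audit_url` and the finding labels are hypothetical, and the checks are heuristics:

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Heuristic: userinfo that itself looks like a DNS name (e.g. "wallet.yahoo.com")
DNS_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

# The URL reported in the thread above, used as sample input
SAMPLE = "http://wallet.yahoo.com%00@211.174.60.96/manual/images/"


def is_control(ch):
    """True for ASCII control characters (0x00-0x1F and 0x7F)."""
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def audit_url(url):
    """Return a list of findings about the URL's authority component."""
    findings = []
    parts = urlsplit(url)
    # Everything before the last "@" in the authority is userinfo, not the host
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    if not at:
        return findings  # no userinfo, nothing to flag here
    findings.append("userinfo-present")
    decoded = unquote(userinfo)
    # Percent-encoded control bytes such as %00 have no legitimate use in userinfo
    if any(is_control(c) for c in decoded):
        findings.append("control-char-in-userinfo")
    # Drop control characters and any ":password" part, then test for a look-alike
    visible = "".join(c for c in decoded if not is_control(c)).split(":")[0]
    if DNS_LIKE.match(visible):
        findings.append("userinfo-looks-like-host:" + visible)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        findings.append("real-host-is-ip-literal:" + host)
    except ValueError:
        pass  # host is a name, not an IP literal
    return findings


if __name__ == "__main__":
    for finding in audit_url(SAMPLE):
        print(finding)
```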