[Dshield] Fake Yahoo Email - Too good looking

jayjwa jayjwa at atr2.ath.cx
Wed Jan 21 02:05:12 GMT 2004



On Mon, 19 Jan 2004, Mark wrote:

> Subject: [Dshield] Fake Yahoo Email - Too good looking

> Got an email today from Yahoo, seems they have a
> problem with my credit card and are cutting me off.
> Funny, I don't subscribe to "pay" services with Yahoo,
> and hey, it's in my "Bulk Mail" folder - indicating
> Yahoo thinks it is SPAM.

> URL is "masked" to http://wallet.yahoo.com; but
> actually goes to:
> http://wallet.yahoo.com%00@211.174.60.96/manual/images/

The "@" sign is a dead give-away. It's kinda like a mini-login to the
real site. That URL probably conveys to the people that set it up "We've
got another one, this one got caught by our 'Take Your Wallet' Yahoo.com
scam" =) Also, HTTP is clear-text transmission. I can't think of any
legit site that asks their users to send credit card info across the
insecure internet in clear-text. I'd at least assume to see an HTTPS, and
some recognized CA signing at the other end too.

> Dear Yahoo! User,
> We encountered a billing error when attempting to
> renew your Yahoo! service. This type of error usually
> indicates that either the credit card you have on file
> has expired or that the billing address we have is not
> current.
>
> This is your final notice. Please take a moment to
> update your credit card information by clicking here
> and submitting your information.

Final notice? Where was the 1st, 2nd, 3rd ;-P

Headers can be tricky, but if you can read them it's hard to slip
something past you. You may want to take a minute or two to read up on
spotting bogus headers; it may help you again in the future, I'd bet on
it.

> X-Apparently-To: @yahoo.com via 216.136.131.77; Mon,
> 19 Jan 2004 10:58:43 -0800
> X-YahooFilteredBulk: 62.251.76.195
> Return-Path: <support at yahoo-services.com>
> Received: from 62.251.76.195 (HELO
> fia195-76.dsl.hccnet.nl) (62.251.76.195) by
> mta113.mail.sc5.yahoo.com with SMTP; Mon, 19 Jan 2004
> 10:58:37 -0800
> Received: from yahoo-services.com (yahoo-services.com
> [129.120.248.100]) by fia195-76.dsl.hccnet.nl
> (Postfix) with ESMTP id 799A102731 for
> <markt442 at yahoo.com>; Mon, 19 Jan 2004 13:56:30 -0500
> From: "Saleswoman S. Antony"
> <support at yahoo-services.com>  Add to Address Book
> To: "Markt" <@yahoo.com>
> Subject: Important Information Regarding Your Account
> MXol6W
> Date: Mon, 19 Jan 2004 13:56:30 -0500
> Message-ID:
> <100001c3debd$277862fd$ffb38fb7 at yahoo-services.com>
> MIME-Version: 1.0
> Content-Type: text/html
> Content-Transfer-Encoding: quoted-printable
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.3416
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE
> V6.00.2800.1123
> X-Kaspersky-Antivirus: passed
> Content-Length: 1388


[jayjwa]RLF#37
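
The checks discussed in this message (the "@" in the authority, the %00 in front of it, the bare IP address, and plain HTTP), written as a small link checker. This is an added example, not part of the original post; the function name `link_findings` and the finding labels are made up for illustration, and the only real input is the URL quoted above.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote


def link_findings(href, displayed_url=None):
    """Return warning labels (hypothetical names) for one link target."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    # Everything before the last "@" in the authority is userinfo, not the
    # host. A browser connects to what follows the "@".
    if "@" in parts.netloc:
        findings.append("userinfo-present")
        userinfo = unquote(parts.netloc.rsplit("@", 1)[0])
        # Encoded control characters such as %00 have no place in userinfo.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in userinfo):
            findings.append("control-char-in-userinfo")
        # Userinfo shaped like a domain name is there to be read as the host.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", userinfo.split(":")[0], re.I):
            findings.append("userinfo-looks-like-hostname")

    # A raw IP address instead of a name.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass

    # Card details requested over clear-text HTTP.
    if parts.scheme.lower() != "https":
        findings.append("not-https")

    # The text shown to the reader names a different host than the target.
    if displayed_url:
        shown = (urlsplit(displayed_url).hostname or "").lower()
        if shown != host:
            findings.append("display-mismatch")
    return findings


if __name__ == "__main__":
    # URL and display text as quoted in the message above.
    target = "http://wallet.yahoo.com%00@211.174.60.96/manual/images/"
    for label in link_findings(target, "http://wallet.yahoo.com"):
        print(label)
```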





