Phishing alert!

Today I received an email claiming to be from Yahoo Alerts. And it's scary how well they're pretending; I truly believed it was an official Yahoo email until they asked for my password. Here is a copy of the email:

Important Information Regarding Your yahoo Account
Tuesday, June 30, 2009 5:51 AM
From: "Yahoo! Alert" <alert@cc.yahoo-inc.com>
To: undisclosed-recipients

Dear User,

We are sorry to inform you that we are currently working on securing our
server, during this process account which is not manually verified by us will
be deleted, Please confirm and submit your information for manual verification
by one of our customer care.

Information which is to be provided is below:
User Name:
User Id:
Password:
Date Of Birth:
Country (At Sign up):

Upon confirmation of information from you, we will manually verify your Yahoo!
Account and reserve it not to be deleted, We are sorry for any inconveniences
this might have cause providing your information over the email.

Warning!!! Account owner that refuses to update his/her account after two
weeks of receiving this warning will lose his or her account permanently.
______________________________________________________________________________

Copyright © 2009 Yahoo! Inc. All rights reserved. Copyright/IP Policy | Terms
of Service | Guide to Online Security

NOTICE: We collect personal information on this site.

To learn more about how we use your information, see our Privacy Policy.


Damn, these phishing bastards are getting good. I almost fell for it, if not for the knowledge that no one ever needs your password for anything legitimate. I have reported it to phishing@cc.yahoo-inc.com. But it's so good a scam that even now I'm wondering if I'm wrong.

Comments

kengr
Jul. 1st, 2009 12:58 am (UTC)
"yahoo-inc.com" ain't yahoo.

Also, always check the full headers of suspicious emails. Remind me tomorrow, and we can try to see how you do that on yahoo and gmail.
fayanora
Jul. 1st, 2009 01:07 am (UTC)
Actually, cc.yahoo-inc.com IS one of Yahoo's official things. Because I got the email for reporting phishing from Yahoo itself, their security page. Check both emails, you'll see the ending ( @cc.yahoo-inc.com ) are the same. Which makes me wonder how the phishers did that.

LOL! Gmail is so secure that not only did it tell me that the only reason it didn't send the notification of your reply to the spam folder was because of a filter I created, but it wouldn't let me use the reply form OR the links. I had to start a new tab and come over to the comment page for this entry before I could reply. Cool!
kengr
Jul. 1st, 2009 03:26 am (UTC)
The "From:" may say "yahoo-inc", but I bet you the Received lines don't!
fayanora
Jul. 1st, 2009 03:41 am (UTC)
Received lines?
kengr
Jul. 1st, 2009 05:15 am (UTC)
Here's what the *raw* version of the LJ email notifying me of your comment looks like:



Return-Path: <lj_notify@livejournal.com>
Received: from livejournal.com (livejournal.com [208.93.0.128])
	by draq.pmaco.net (8.10.2/8.10.2) with ESMTP id n613fVi10636
	for <brooke@shadowgard.com>; Tue, 30 Jun 2009 20:41:31 -0700
Received: from localhost (theschwartz [127.0.0.1])
	by livejournal.com (TheSchwartzMTA) with ESMTP id 4fd301cf556f9f49c66885616e528380003080912081;
	Wed, 1 Jul 2009 03:41:37 +0000 (UTC)
Content-Transfer-Encoding: binary
Content-Type: multipart/alternative; boundary="_----------=_124641969666610"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.01 (F2.72; A1.62; B3.04; Q3.03)
Date: Wed, 1 Jul 2009 03:41:36 UT
From: "fayanora - LJ Comment" <lj_notify@livejournal.com>
To: brooke@shadowgard.com
Subject: Reply to your comment...
Message-Id: <comment-4221009-2945032@livejournal.com>
In-Reply-To: <comment-4221009-2944520@livejournal.com>
References: <entry-4221009-491784@livejournal.com> <comment-4221009-2944520@livejournal.com>
X-Lj-Journal: fayanora
X-MailScanner: Draq: Found to be clean
X-PMFLAGS: 570970368 0 1 PX54Y2U5.CNM                       

This is a multi-part message in MIME format.

--_----------=_124641969666610
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"

Your limitations and prejudices are NOT mine (fayanora) replied to a
comment you left in a LiveJournal post
(http://fayanora.livejournal.com/491784.html). The comment they replied to
was:

> The "From:" may say "yahoo-inc", but I bet you the Received lines don't!

Their reply was:

  Received lines?

>From here, you can:

  - View the thread starting from this comment:
    http://fayanora.livejournal.com/491784.html?thread=3D2945032
  - View the entire thread this comment is a part of:
    http://fayanora.livejournal.com/491784.html?thread=3D2943752#t2943752
  - View all comments to this entry:
    http://fayanora.livejournal.com/491784.html
  - Reply at the webpage:
    http://fayanora.livejournal.com/491784.html?replyto=3D2945032

--_----------=_124641969666610--




See those Received: lines up near the top? They get added to the *start* of the message by each system it passes thru.

If you look at the full headers for that spam, you'd find that the lowest received line doesn't show it as coming from Yahoo.
fayanora
Jul. 1st, 2009 05:39 am (UTC)
I tried looking at the source of the email and I can't tell where the email itself begins in all that source code junk, or if it's even in there at all.
kengr
Jul. 1st, 2009 06:09 am (UTC)
That's not "source". That's what an email message *actually* looks like. The programs you are used to reading mail with hide lots of that stuff so as to make it easier for (l)users to read.
fayanora
Jul. 1st, 2009 06:22 am (UTC)
So enlighten me how I find this received line?
kengr
Jul. 1st, 2009 06:13 am (UTC)
Everything from:
Return-Path: <lj_notify@livejournal.com>


to
X-PMFLAGS: 570970368 0 1 PX54Y2U5.CNM


is the message header. You can tell because the header ends with the first blank line. After that is the body of the message.

If we can figure out how to get yahoo or gmail to show raw messages, I'll explain it all to you.
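An added example, not part of the original thread: a short Python sketch of the header check discussed above, which splits header from body at the first blank line, reads the Received lines top to bottom, and compares the From: domain with the host that the recipient's own mail server recorded. It goes one step beyond the thread by trusting only the Received line written by your own server, since lines below it are supplied by the sending side. The sample message, the host names, the `trusted_mx` parameter and the last-two-labels domain comparison are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the email from the post); hosts and IPs are reserved
# documentation values. The lower Received line is one the sender made up.
RAW = """\
Return-Path: <bounce@bulk.example.net>
Received: from relay7.bulk.example.net (relay7.bulk.example.net [203.0.113.45])
\tby mx.recipient.example (8.14.3/8.14.3) with ESMTP id n5UCpX001234
\tfor <user@recipient.example>; Tue, 30 Jun 2009 05:51:40 -0700
Received: from mail.service.example (mail.service.example [192.0.2.10])
\tby relay7.bulk.example.net with SMTP; Tue, 30 Jun 2009 12:51:02 +0000
From: "Service Alert" <alert@cc.service.example>
To: undisclosed-recipients:;
Subject: Important Information Regarding Your Account

Received: from body.example (this line is body text, after the blank line)
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*"
                 r"\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

def received_hops(raw):
    """Parse the header (everything before the first blank line) and return
    the Received hops top to bottom, i.e. newest first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return msg, hops

def check_origin(raw, trusted_mx):
    """Compare the From: domain with the peer our own server recorded."""
    msg, hops = received_hops(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    org = ".".join(from_domain.split(".")[-2:])  # crude: last two labels only
    # Only the line written by a server we run is reliable; lines below it
    # came from the sending side and prove nothing.
    hop = next((h for h in hops if h["by"].lower() in trusted_mx), None)
    if hop is None:
        return {"from": from_domain, "peer": None, "ip": None, "match": False}
    peer = hop["rdns"].lower()
    match = peer == org or peer.endswith("." + org)
    return {"from": from_domain, "peer": peer, "ip": hop["ip"], "match": match}

if __name__ == "__main__":
    print(check_origin(RAW, {"mx.recipient.example"}))
```

On the constructed sample the lowest Received line claims the message started at the sender's advertised domain, while the line written by the recipient's server shows an unrelated relay, so the check reports a mismatch.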
fayanora
Jul. 1st, 2009 06:23 am (UTC)
What I posted in the original post is the only information the page for that email gives me.
kengr
Jul. 1st, 2009 06:30 am (UTC)
Just checked. If it's on gmail, click the little downward pointing triangle just to the right of Reply.

That brings up a menu. Select "show original".

fayanora
Jul. 1st, 2009 06:34 am (UTC)
Already figgered that out, but thanks. Also, figured out Yahoo doesn't have anything like it.
kengr
Jul. 1st, 2009 07:38 am (UTC)
We'll check tomorrow. I bet they do. It's *needed* for tracking spam.
fayanora
Jul. 1st, 2009 06:24 am (UTC)
I think Gmail lets us see that info if we need it, but I don't think Yahoo does.
fayanora
Jul. 1st, 2009 06:25 am (UTC)
Just confirmed: Gmail has a "show original" link that gives me that info you were talking about. Now trying to see if Yahoo has something similar.
fayanora
Jul. 1st, 2009 05:40 am (UTC)
PS
But it makes sense that if the spammers can make something look like it's coming from me, they can make it look like it's coming from somewhere legit.
slurmqueen
Jul. 1st, 2009 01:21 am (UTC)
Any time you get an email like that, read through it very, very carefully. The more spelling/grammatical errors there are, the more likely it is a phishing scam. I spotted a dozen. Good on you for reporting it!
kengr
Jul. 1st, 2009 03:27 am (UTC)
Alas, real business emails have poor grammar as well.

Heck, my *bank* used to send out email with stuff like "click this link to update your info". And they just didn't understand why that was a bad idea... :-(
slurmqueen
Jul. 1st, 2009 09:49 am (UTC)
Now, this is true! I'm sorry your bank did that, hopefully they caught on to the fact that it was a bad idea and gave up on that method.
(Deleted comment)
fayanora
Jul. 1st, 2009 12:04 pm (UTC)
Santa Claus has a massive teleportation device. He teleports the toys into their proper houses on Xmas, and then controls the minds of parents/guardians to have them arrange the presents properly. It's such a massive undertaking, that that is why Christmas only happens once a year.

:-)