phishing with yahoo

Published 03-14-2006 2:40 AM | jokiz

i got an IM from a friend this afternoon telling me of this site:

http://geocities.com/who_wants_my_picture/ (warning, don't supply your user/password)

tried to access the site and saw the yahoo login page.  immediately i realized that it was a phishing site.  out of curiosity, i clicked the signin button and was surprised that it redirected me to the yahoo site with my account logged in.  to be safe, i immediately changed my password.  yahoo mail has been my primary email for some time now and i don't want anybody messing with it.  i also posted a query in the local forums.

i consulted my friend on why she sent me that page which i think is a phishing site.  she told me that she thinks she was infected by a virus and that virus is responsible for sending the said link to her contacts.  the said virus has been eating her cpu process.

i tried accessing the site once again and this time supplying a bogus username and password.  i can see that the page sends an email in the background and redirects me to the yahoo site.

i was wondering if my credentials were passed the first time i accessed the page.  since i configured yahoo to automatically sign me in, i researched cookies.  turns out that it was not possible for the geocities site to access the yahoo cookies.  so what just happened is upon redirection, yahoo is the one who used its cookies.  does anyone know if the yahoo cookies contain an encrypted user password in them?
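The cookie scoping described above can be checked with the RFC 6265 domain-match rule. The following is an added example, not part of the original post; the cookie names and the jar are constructed, and the public-suffix check that real browsers also apply is left out.

```javascript
// RFC 6265 section 5.1.3: does request host `host` domain-match cookie domain `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  if (host === domain) return true;
  // A suffix match counts only on a label boundary, and never for IP-address hosts.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Which cookies from the jar does the browser attach to a request for `host`?
function cookiesSentTo(host, cookieJar) {
  const h = host.toLowerCase();
  return cookieJar
    .filter(c => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)))
    .map(c => c.name);
}

// May a response from `host` set a cookie with Domain=`domainAttr`?
// The browser rejects the cookie unless the host domain-matches the attribute.
function maySetCookieFor(host, domainAttr) {
  return domainMatch(host, domainAttr);
}

// Constructed jar: what a signed-in browser might hold (names are made up).
const jar = [
  { name: "session", domain: "yahoo.com", hostOnly: false },        // set with Domain=yahoo.com
  { name: "mailprefs", domain: "mail.yahoo.com", hostOnly: true },  // set without a Domain attribute
];

// The fake login page's host receives nothing; the redirect target receives the session cookie.
console.log("geocities.com   ->", cookiesSentTo("geocities.com", jar));
console.log("login.yahoo.com ->", cookiesSentTo("login.yahoo.com", jar));
console.log("mail.yahoo.com  ->", cookiesSentTo("mail.yahoo.com", jar));
```

The same rule explains the redirect: the browser attaches the stored session cookie only once the request goes to a yahoo.com host, so the page on geocities.com sees only what is typed into its form.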


Comments

# cruizer said on March 14, 2006 5:50 PM:

i think the first time you accessed the site, it wasn't able to capture your user credentials. the fake yahoo login page just serves to capture your username/password; it can't capture your cookie (because the domains are different). when it redirected you to the real yahoo site (after it captured what you typed in the username/password boxes) of course you were already logged in to yahoo. so there.

you only need to be worried if you actually typed your username and password into that bogus login page! :P

# cruizer said on March 14, 2006 5:54 PM:

oh yeah it's sending emails to

who_wants_my_picture@yahoo.com

spam away folks! :P

# jokiz said on March 14, 2006 6:00 PM:

thanks a lot cruizer for the confirmation.