Yahoo Messenger password scam warning
Note: I have kept the earlier, inaccurate, post title because this post gets a lot of traffic via search and has been linked to here and there, so I don't want to change the permalink. Though I hope the subhead in larger type makes things clearer.
It happens via Yahoo Messenger.
You get a message, apparently from someone on your list. So far, I haven't been able to check if it's someone who's fallen for this, and whose account is being used, or a spoofed send.
Proof? Just dump in any arbit name and password. It will seem to accept it (if you look quickly at your status bar, you'll see the page sending to another site).
Just a little while ago, I got what looked like a message from a pal. It didn't sound like him in the least, so my antennae were up. (Besides, a friend told me a few days ago she'd just got hit by a password-stealer, so I guess I was a little wary.)
Clicked the link, and it was as I described it above. Here it is: http://www.geocities.com/hot_pretty_belle/
And in case it's not up, here's a screen grab:
I did a little "view source" and here's what the form looks like underneath the hood. (I have the complete page saved, if one of you techwizards wants it. Just get in touch.)
*see update 2 below
(If the code in the image doesn't make sense to you, here's the skinny: when you hit "enter", the page sends your Yahoo ID and password to hot_pretty_belle, or whoever else has set up the page.)
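As an added example (not part of the original post, and not the code from the page in the image), this Python sketch checks a saved page for the pattern just described: a password form whose contents go somewhere other than the site it imitates. The sample page, the `example` host names, and the choice of `yahoo.com` as the expected sign-in domain are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormAudit(HTMLParser):
    """Record each <form>'s action and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self._cur["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def host_matches(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def audit_page(page_url, html, brand_domain):
    """Return one finding per password form, with reasons to distrust it."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in (f for f in parser.forms if f["password"]):
        # An empty or relative action resolves against the page's own URL.
        target = urlparse(urljoin(page_url, form["action"]))
        reasons = []
        if not host_matches(urlparse(page_url).hostname or "", brand_domain):
            reasons.append("page is not served from " + brand_domain)
        if not host_matches(target.hostname or "", brand_domain):
            reasons.append("password is sent to " + (target.hostname or "unknown"))
        if target.scheme != "https":
            reasons.append("submission is not encrypted")
        findings.append({"target": target.geturl(), "reasons": reasons})
    return findings

# Constructed sample: a look-alike sign-in page on a free host (placeholder names).
SAMPLE_URL = "http://freehost.example/fake_photos/"
SAMPLE_HTML = """<form method="post" action="http://collector.example/cgi-bin/save">
<input type="text" name="login"><input type="password" name="passwd">
<input type="submit" value="Sign In"></form>"""
```

Calling `audit_page(SAMPLE_URL, SAMPLE_HTML, "yahoo.com")` returns a single finding with all three reasons; a form with no reasons listed is one that is served from, and submits to, the expected domain over HTTPS.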
Now that you know, want to have a little fun? Fill in username and password fields with language mama would have washed your mouth out with soap for. And hit enter. hot_pretty_belle (or whoever you next encounter trying this stunt) will get lots of piping hot email.
Be warned. You'll get another page offering you another sign in button. And a Sign Up button, which, on click, gives you a genuine-looking Yahoo sign up page. Just look up at the URL. Too tired to go see that bit of source code now, so will leave it to you tech-adepts.
I'm going to wait a day before reporting this to Yahoo, so go send that hot_pretty_belle your love!
And do pass this on. No, you don't need to credit me. Well, if you insist. I'm a slut for link love.
Did a bit of research, and found out what happens if you enter a genuine Yahoo ID and password and click through.
The page records your ID and password, then forwards you to the real Yahoo Photos site. You (: if you hadn't read this :) would have just muttered imprecations about the dorkiness of the pal who didn't give you proper links.
And a few minutes later, you would have got a message from Y!M saying "You have been signed off Yahoo because you signed in from another location."
This has been happening quite often, so there's not much point remembering specific URLs, like hot_pretty_belle. Just remember the method.
Thanks to ViswaPrabha and Prashanth, who told the doofus - me - that even with angle brackets html-ised to show up on the page, the script would send comments on this post (and possibly blogger ID and password! shudder!) to the black hats who run the page I referred to. So, text removed and replaced with an image, and now it will behave like a normal, harmless blogger page.
I, for once, am glad that no one commented!
Many Thanks, VP and Prashanth.
Update 2 - 9th July 2006
Please see this diary entry at SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System and this entry on the McAfee Avert Labs Blog. The SANS page points out a development that didn't exist when I wrote this post: