Sunday 30 October 2005

Yahoo password hack warning

Actually, make that:

Yahoo Messenger password scam warning



Note: I have kept the earlier, inaccurate, post title because this post gets a lot of traffic via search and has been linked to here and there, so I don't want to change the permalink. Though I hope the subhead in larger type makes things clearer.

It happens via Yahoo messenger.

You get a message, apparently from someone on your list. So far, I haven't been able to check if it's someone who's fallen for this, and whose account is being used, or a spoofed send.

The message is something along the lines of "see my new pictures." With a Geocities link. When you go to the link, even if you don't know that Geocities is a home page provider and that it was bought over by Yahoo many years ago, you see the reassuring "yahoo" in the URL, a Yahoo logo alongside the Geocities logo, and what looks like a Yahoo photos page that asks you to log in before you can proceed. All the links work, and go to genuine Geocities sign up, Terms and Conditions, Privacy Policies, etc. Except that you don't need a password to view a Geocities page. (Well, yes, you might, if the page owner has locked some pages behind a javascripty thingy or summat, but you won't need to put in your Yahoo password.)

Proof? Just dump in any arbit name and password. It will seem to accept it (if you look quickly at your status bar, you'll see the page sending to another site).

Just a little while ago, I got what looked like a message from a pal. It didn't sound like him in the least, so my antennae were up. (Besides, a friend told me a few days ago she'd just got hit by a password-stealer, so I guess I was a little wary.)

Clicked the link, and it was as I described it above. Here it is: http://www.geocities.com/hot_pretty_belle/

And in case it's not up, here's a screen grab:



I did a little "view source" and here's what the form looks like underneath the hood. (I have the complete page saved, if one of you techwizards wants it. Just get in touch.)

*see update 2 below


(If the code in the image doesn't make sense to you, here's the skinny: when you hit "enter", the page sends your Yahoo ID and password to hot_pretty_belle, or whoever else has set up the page.)

Now that you know, want to have a little fun? Fill in username and password fields with language mama would have washed your mouth out with soap for. And hit enter. hot_pretty_belle (or whoever you next encounter trying this stunt) will get lots of piping hot email.

Be warned. You'll get another page offering you another sign in button. And a Sign Up button, which, on click, gives you a genuine-looking Yahoo sign up page. Just look up at the URL. Too tired to go see that bit of source code now, so will leave it to you tech-adepts.

I'm going to wait a day before reporting this to Yahoo, so go send that hot_pretty_belle your love!

And do pass this on. No, you don't need to credit me. Well, if you insist. I'm a slut for link love.

Update 1

Did a bit of research, and found out what happens if you enter a genuine Yahoo ID and password and click through.

The page records your ID and password, then forwards you to the real Yahoo Photos site. You (: if you hadn't read this :) would have just muttered imprecations about the dorkiness of the pal who didn't give you proper links.

And a few minutes later, you would have got a message from Y!M saying "You have been signed off Yahoo because you signed in from another location."

This has been happening quite often, so there's not much point remembering specific URLs, like hot_pretty_belle. Just remember the method.
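The check behind "remember the method", written out as an added example (not code from this post or from the scam page): given a saved copy of a page, find every form that contains a password field and report where it submits. The trusted-domain list, the sample markup and the `mailer.example` host are assumptions made up for illustration; only the Geocities URL comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Assumption: only these domains should ever receive a Yahoo password.
TRUSTED_SUFFIXES = ("yahoo.com",)

class FormCollector(HTMLParser):
    """Record every <form>: its action and whether it has a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def audit_login_page(page_url, html):
    """Return one finding per password form that fails a host check."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue  # search boxes and the like are not credential prompts
        target_host = urlsplit(urljoin(page_url, form["action"])).hostname
        reasons = []
        if not trusted(page_host):
            reasons.append("password prompt on a non-login host")
        if target_host != page_host:
            reasons.append("form submits to a different site")
        if not trusted(target_host):
            reasons.append("credentials leave the trusted domain")
        if reasons:
            findings.append({"submits_to": target_host, "reasons": reasons})
    return findings

# Constructed sample modelled on the post's description (not the real page source).
SAMPLE_URL = "http://www.geocities.com/hot_pretty_belle/"
SAMPLE_HTML = """<form action="/search"><input type="text" name="q"></form>
<form method="post" action="http://mailer.example/send"><input type="text" name="login">
<input type="password" name="passwd"><input type="submit" value="Sign In"></form>"""
```

Calling `audit_login_page(SAMPLE_URL, SAMPLE_HTML)` flags the second form for all three reasons and ignores the search box; a lookalike host such as `yahoo.com.photos.example` fails the suffix check because the match is anchored on a dot boundary.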

Update 2

Thanks to ViswaPrabha and Prashanth, who told the doofus - me - that even with angle brackets html-ised to show up on the page, the script would send comments on this post (and possibly blogger ID and password! shudder!) to the black hats who run the page I referred to. So, text removed and replaced with an image, and now it will behave like a normal, harmless blogger page.

I, for once, am glad that no one commented!

Many Thanks, VP and Prashanth.

Update 2 - 9th July 2006
Please see this diary entry at SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System and this entry on the McAfee Avert Labs Blog. The SANS page points out a development that didn't exist when I wrote this post:
"The last interesting thing is related to obfuscation of the HTML. The attacker decided to use a product called HTML Protector. This tool basically just obfuscates HTML code using JavaScript but as a browser needs to be able to parse the HTML code, the unobfuscation function always has to be present, so with some spare time you can easily unobfuscate this."
And the McAfee page points to this discussion on Broadband Reports, which also mentions the encrypted page.

31 comments:

Anonymous said...

This was done to me a few months ago. Clever little scam.

Fortunately I was able to contact yahoo and get my username back.


It is a very simple hack. I manipulated the code a little to try to mimic the results. What it does is use a third-party emailer and emails the scammer whatever is put in the username/password field.

When I fell for it, I remember thinking to myself "hmm geocities.. that's odd... oh wait, they were bought by Yahoo a while back." hehe stupid me

Anonymous said...

I'm wondering on the geocities password stealer can they get your ip even if you've put in something like.....you/suck for the s/n and pass?
Thanks!!!

Anonymous said...

Hi Every 1 out there am Nisha here n am in here facing a problem from a guy whoz id is aqqthu@yahoo.com i just need some help from u guys as just to let me know who this person is or by getting his password for me i"ll be very thankful to you as for ur favour if u can please do send me a mail to maria_was_here@yahoo.com

AP said...

http://beauty.trap17.net/pics/ is another such link people.. although this time the hacker got clever enough to use php for his dirty work. A friend of mine got her password hacked this way, I'm trying to know the identity of the offender (probably someone from my hostel). If there's any information do comment/shout anywhere on my blog.
Thanks!

Anonymous said...

Hi, Folks/ I had my Yahoo hacked this way! Very upsetting. Yahoo has not been helpful. If you can help me get my account back, I would be very grateful. Pls email me at colbyut@yahoo.com Thank you.

Anonymous said...

And yet another scam site! DO NOT use a valid username and password if you want to examine the source code on this page.

http://www.geocities.com/my_crazy_partie_pics/

Anonymous said...

I too got my Yahoo Id stolen, I have this id for 7yrs, Yahoo security isn't much help at all. I know they need this info to access your account, but as I said I signed up for my account 7yrs ago never changed the password, now I can't get my account back until I can remember the answer to my secret question. If any one has any ideas on how I can get my Id back please let me know. I always see this person come online with my screen name and they try sending me the same link.

Anonymous said...

This is for those who forgot the answer to their secret question ... Call up yahoo on (408) 349-3300.

They can help you there.. I lost my password that way too,. they changed it for me and gave me the password. I had to verify the birthdate though.. see if that helps.

For those who don't believe the phone number you can get it by searching for Yahoo on google maps.

Anonymous said...

Hey hi my Name is Gilson as iam too the victim of the hacker. So please let me know any other solution than the phone. My yahoo id starboy21century@yahoo.co.in. Thanks in advance i hope you guys can get the solution and give a slap to this Fucking hackers.

Regards,
Gilson

Anonymous said...

Hi! my name is Vivek. I got my password hacked by some geocities link. Please help me to recover my password. I made this account some 9 yrs back and don't remember the information I gave that time. Please send me suggestions to whooammii26@yahoo.com. Thanks, Vivek

Anonymous said...

Even same thing happened to me yest. now i cant access my account.
Please help me n let me know how i can get my account again.please mail me on v_lara2001@yahoo.co.uk

Anonymous said...

I am one of the latest hit, the link used nowadays is "http://www.geocities.com/hott_new_pics_for_you28". As per yahoo's site, I should get an alternate id to send the pwd, but I do not get on my screen. Can anybody help, please send suggestions to don_i@india.com

Anonymous said...

Mine was hacked this morning. I checked early in the morning. It was fine. But when I tried now, it's gone. I remember I got such a geocities link in my messenger from a known contact and clicked on it. But that was 2 weeks back. One of my friends on the ym list told me that he's been getting such links from my ym id for the past 2-3 weeks.

Anonymous said...

haiii all if u have problem with your yahoo account just call them at : 866-5627219 i just did that, and they asking a couple questions

don't worry if you forgot everything they can help u. no hope if you try to contact them from their email (feedback form) i did that for 2 weeks every 2days, and no answers at all.

now i get my id back :D

Anonymous said...

Hi, Thanks for your reply. Could you tell me to which country the number belongs to. Thanks!

Anonymous said...

hi frds, someone has stolen my yahoo id. i tried my password but it doesn't work. i forgot my hint answer also. so pls help me to get my password. that yahoo id was very confidential. if anyone knows the solution pls mail me to manofattraction@gmail.com.

Anonymous said...

Doggoneit! It just caught me after many years of careful living online. Link from a colleague in YIM! A geocities.com page (a Yahoo! property). Yahoo! Photos login. And the second login. Argh! I immediately dived in and changed my Yahoo! password. Twice. In quick succession. Repeated login / logout seems to confirm that I managed to change my password *before* the scammer nailed my account. But it sure made me nervous. Nervous enough to go change a whole bunch of other username / password combos I use online.

Anonymous said...

i am not able to access my yahoo messenger id, plz help.
my yahoo id is con_ravi_jeet@yahoo.co.in,

password hacked by someone plzz tell me
how to get
on con_ravijeet@rediffmail.com

Anonymous said...

hii all, i'd like to tell you that my password was hacked by that bad page of yahoo photos, and finally i just tried to call the customer care for yahoo.com by phone and they were really so wonderful and patient. here is the phone number from an international phone: (0018665627219), then choose from menu.. press number 2.. then the next menu number 2 again.. then you will talk to someone from the customer care team, and they will help you and reset your password and send it to your mail. you will get your password believe me. then and tell me all you guys on my mail: mgmgsan81@yahoo.com
i wish all you got your lost passwords.. and good luck dears.

Anonymous said...

Hey... I entered into some like that only it was ymail.sytes.com or something and Now i can't access my email... please can someone get it my account back its vveerryy important.. my yahoo id is romania222001

Anonymous said...

i was receiving numerous im's and im computer phone calls from |||nick_the_nugget||| and another screen name he was using notifying me it was nick_the_nugget (the first part i cannot remember, all i can remember is brunnette_69_2000). i ignored his requests several times, and he said he knew i was online because my ip was active. he then said he was going to "delete something". suddenly my messenger logged out and said i was logged into another computer. i tried to log back in, but my password had been changed. i was also unable to access my account to change the password.

he has been going through my contact list and sending instant messages, phone call messages, and sending emails telling everyone he is going to capture their ids.

a friend on my contact list, saw that my id was lit up, so she thought i was online. she sent an im, and it was the guy who hijacked my account. he told her my account had been "captured", told her he had her ip address, and told her he was going to delete her account.

this guy has also left a voice mail message with another friend of mine telling her i was "chatting with his 13 year old cousin in a chat room", then he went on to say foul things. she said he sounded very young and very creepy.

my mother sent an im to my im, and the guy responded to her via computer phone call in instant messenger. he said his name was nick from atlanta, ga and he hijacked my account. he told her i was "mean to him in a chat room" (which is a lie), and then started cursing at her "f" this "f" that. then he told her he had her ip address. today, she is unable to log into her account.

i have personal (including medical, bills, home address) and company information stored in my yahoo email, and i am afraid he will go further with identity theft.

i would really like to see this got caught and brought to justice. there is no telling how many people's identities and personal information he has stolen.

Here are his online profiles:

http://profiles.yahoo.com/llllnick_the_nuggetllll

http://www.myspace.com/ncfleet

he also has the following yahoo ids:
fleetwood181987
ncfleet18

he has a yahoo 360 account as well.

Anonymous said...

hi recently my yahoo id was also hacked, and some of my information was changed and i couldn't get to where i could enter my secret answer
so i called yahoo customer care at 1-408-349-1572 and talked to Miranda she was very nice and helpful with her help i was able to get back my account by answering a few questions and telling her what had happened, do not ever click on links in yahoo they are scams to steal your id and password i know this is not good advice if you've already done so as i did..if anyone would like to contact me to see if maybe i can help you may do so at mysterywoman4u@hotmail.com

Anonymous said...

Those geocities and freewebs. ect. links where fake logins... or trojans. wich you simply upload. you send them the link. they open it.. boom. there computer is trojaned.. that would get every password they typed in there messenger.. ahaha. soooooo You did a lil help with those fake logins. but trojans. never will be gone... they will be rescrypted. Try to scan a file? wouldn't work! a few, best ones. are undetechabele!.lol. So yea.. Owner/admin/mod. whoever. can get my ip. report me.. w,e...lol... Why? cuss i didn't harm no one. actually i gave ya bitches advice..lol... and the fake logins. will come alive once again. with a new script. with that new yahoo shit...lol and there is no such thing as yahoo hackers. unless someone controls ur pc with sub-7/optix-pro/pro-rat/ect/ect... LMFAO. this fake logins thing. is not called being "hacked". How old are ya? you guys are like 20-30. yall sound like lil retarded kids. this is nothing... most poeple had use this for illegal names... There are hundreds of this geocity sites...and there's alot of different ways to get ur id owned.. this gay sites.. trojan.. cracked... info cracked... exploited... and way more waysss.. yes i learn this new trick lesss then a weak ago.. amazing how LimeWire.. BearShare... all those nice programs can help you get passwords..lol... But yeaa....... Amazin how am only 14 years old? and i know alot moreee then ya old poeple. ..lol.. God Bless You!.
__
Yo soy el magnifico travieso
_
Je suis sexy. chienne!.
_
lol.....

Anonymous said...

I have also fallen victim to the above mentioned happenings. I lost my yahoo Id. which i found out is actually worth money because I signed up 7 years ago before they had the _ rule. my id is/was _The_Pawn If anybody knows of a way or can help e-mail me @ jkgreve@earthlink.net. tia

JR Gamble said...

I think anyone signing into a geocities site with their yahoo ID's are asking for problems. Do not accept files from people you don't know. Do not log into anything using your main yahoo ID. Only log into yahoo using your yahoo ID. If somehow you slipped and now have lost your ID, ask yahoo for it back - Provide enough information about your ID ie how often you use the account, who is on the friends list and so on.. They will give it back to you despite the fact the attacker has changed your account information.

Anonymous said...

My yahoo account hacked and My password has been changed. plz help me to get the passwords so that i can change it back and details. My IDs are duraygo1@yahoo.com, which i have signed up for a very long time ago, in the messenger some of the people there are luvmenow_2001@yahoo.com, luvmenow@yahoo.com. please you can send the password to owoyemi_deji@yahoo.com if you get it please.

Anonymous said...

plz help me to recover my password of nehaa75@yahoo.com and plz send me at wess42@hotmail.com

yaddayadda said...

Funny enough my Yahoo account got hacked. I had to start going to every site that had my yahoo address and change them all. Creepy, very creepy.

Anonymous said...

the web is not meant for dummies

Anonymous said...

These comments have been invaluable to me as is this whole site. I thank you for your comment.

Anonymous said...

quite often when I start to log off I get a message saying I am logged on at a remote computer, and shutting down will close that connection as well, I didn't realize was what was happening. I think I know who is doing it, and I did know that persons yahoo password, now it has been changed and I found out today mine had been hacked in to. I sure would like to check his, to see what he has taken from mine, but I don't know how to do the technical stuff. We got to be careful.