Sep 14 2006
I booted my laptop early this morning to get my daily dose of Google alerts. Navigating through the alerts I ended up at: The Museum of Modern Betas and browsing through its entries I chanced upon Google’s firefox extension for detecting phishing: Safe Browsing. While I was going through their site, I noticed the yahoo notification window show “Deeps is now online” and I was thinking to myself “What is this guy doing online so early in the morn?” (And may I ask what are YOU doing online?!) Installing Google SafeBrowsing seems to be fraught with its own problems. The SafeBrowsing home page says that it can be installed as part of google toolbar only. Antitrust I say! Some sites say the download is available only in US. Further googling revealed the URL: http://dl.google.com/firefox/google-safebrowsing.xpi
While I was installing the plugin (firefox waits for a couple of seconds before enabling the install button … i wonder why?!), I see a message from deeps:
“Hmmm … password” I say. I ping deeps …”Dood … it’s asking for password”. No response. Being a stickler for online security (ask my wife on how i nag her into setting a different password for each site and make sure she does not note down her passwords anywhere!) I think to myself… “Hey! This could be a phishing site!” (what with me looking at Google SafeBrowsing site just a few mins ago). “Very well”, I tell myself, “… the url is Yahoo! Geocities, the logos and the layout looks ok … Why would deep try to phish my yahoo account details … what the hell .. let’s try to login”. Key in the user id pass nothing happens. Back to Yahoo home page. “D’oh! Have I been phished?!” with this nagging doubt go have a shower … come back… notice deeps has replied to my message:
Deeps: what login?
Deeps: did u a get any message from me?
Deeps: i did not send it..
“Oh God! I have been phished!! Change the password quickly.” Chirpy wifey: “Breakfast time!” “Oh God! Imagine after all my taunts … I’ve been phished … how am I going to tell her this?! Have I really been phished?!” So I decide to go back to the site and verify. LiveHTTPHeaders shows:
http://www2.fiberbit.net/form/mailto.cgi POST /form/mailto.cgi HTTP/1.1 Host: www2.fiberbit.net User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:22.214.171.124) Gecko/20060728 Firefox/126.96.36.199 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.geocities.com/junebug585/?200614 Content-Type: application/x-www-form-urlencoded Content-Length: 138 Mail_From=GOD&Mail_To=jawsy1%40gmail.com&Mail_Subject=Gift&Next_Page=http%3A%2F%2Fwww.yahoo.com &.pd=fpctx_ver%253d0&login=asdf&passwd=asdf HTTP/1.x 302 Moved Temporarily Date: Thu, 14 Sep 2006 04:01:30 GMT Server: Apache/1.3.26 (Unix) mod_perl/1.26 Location: http://www.yahoo.com Content-Type: text/html; charset=iso-8859-1 X-Cache: MISS from downloads.pramati.com X-Cache-Lookup: MISS from downloads.pramati.com:3128 Connection: close
“Oh no! I really have been phished! Bugger has mailed my yahoo password to himself!! Change the password … change the password … change the password!”. Wifey, annoyed after waiting for me at the b’fast table: “Wot’chu doin buster?!” … where do I hide my face now?!
The phisher is not Deeps… some one phished his id and sent me the message. Maybe it is not even junebug585 whose geocities site was used to phish for my account details … maybe that id was also phished and misused. Maybe it is not even firstname.lastname@example.org where my userid/pass have been mailed … maybe that id/pass also have been phished?! I wonder who all will receive a message from my id now and be phished!
Imagine the coincidence, I am finicky abt internet security, I was just checking out Google’s SafeBrowsing and I got phished! “I took a chance typing my yahoo id, surely I wouldn’t have taken a chance if the site asked for my bank account-nos/user-ids” I rationalize. But still … what if the phisher downloaded all my password reminder mails from my yahoo mailbox??!!
All the best dad!
… now the painful part of reporting abuse to yahoo and gmail …
Update: Looks like I am not the first! … and looks like google pages are also being used for phishing. Google: yahoo geocities phishing
Update 1: Yahoo!’s soln for phishing?! (via deeps):
———- Forwarded message ———-
From: Kalyan K Kumar
Date: Sep 14, 2006 11:04 AM
keep an eye on those yahoo login look alike geocities links. don’t enter
yahoo password anywhere
other than login.yahoo.com
you can setup a sign in seal to protect partly.