Old 10-27-2004, 05:58 AM   #6 (permalink)
trache
 
I have gotten an increasing amount of these in my e-mail, as well as questions as to their origin. Hopefully this will be helpful:

1. If you look at the source code of the actual webpage you are viewing, you can view the e-mail in the lower portion of the webpage. When you do, you'll see that half of the e-mail is written with HTML entities, that is, special characters that will not get mangled when they pass through a web browser's memory.

Although they look this way, humans perceive them as normal text (which they should). You'll notice though that when you copy/pasted the text, the special characters ended up as full-stop characters.

2. The e-mail has many spelling errors. Why would anyone at Yahoo! even think of doing this is beyond me since doing that is just unprofessional. This is intentional so as to fool the Anti-Spam features of many large ISPs.

3. If you view the source of the webpage again, you will notice that the link you must click has also been encoded with HTML entities so as to make it hard to read for humans. Web browsers will happily read and display this to you normally. The URL may be obscured when you run your mouse over it (as most browsers will display the URL location in the status bar with JavaScript (JavaScript can be used to change the text of the status bar to anything possible at practically any time)).

4. The link you must click has been run through Google's URL redirection service. Why would Yahoo! run something this important through a third party? Please note that Yahoo! has a similar service they use to redirect people around their website, which is exploitable as well (why they do not make it accessible to only Yahoo!'s servers is beyond me at the moment). The script is housed at something similar to rd.yahoo.com or rds.yahoo.com.

5. Look at the IP addresses stated in the message headers. These are located at the top of your message (make sure you have turned on View Message Headers in your Yahoo! Mail preferences) and define the path this e-mail took on its voyage across the Internet to land in your Inbox. You'll note that if you try to look up the owners or users of the IP addresses, a portion of them do not belong to Yahoo!

While this is normal (as e-mail goes these days anyway), if Yahoo! wrote them, and these e-mails land in your Yahoo! Mail Inbox, why would your e-mail leave Yahoo!'s network and go on to some foreign network? If you use tools such as a WHOIS database for ARIN (just Google for it, you'll find one), you'll notice that some of the IP addresses in the message headers just don't belong there. These days, most of these scams are originating from Africa or Asia (usually these days, but not always).

6. Yahoo! has stated that they will NEVER ask you for your password. There are two schools of thought here:

a. They have the original text of your password and know this, and can retrieve it for their staff (and you) at any time. Why would they ask you to confirm it in this case?

b. They encrypt your password so that not even the staff at Yahoo! can read it. Yahoo! will then have VERY important security measures in place for you to RESET (not determine) your current password. If you ask for a new password, the Yahoo! system will send you a reset password link to the e-mail address that is defined in your account settings (which seemingly only YOU should have access to).

When this happens, Yahoo! is very careful with the wording of their e-mail and location of the reset password utility. They might not even let you choose a password, but send an e-mail to your account with an already defined password (presumably again, that only YOU have access to).


So in short, this is a phishing scam designed to fool unsuspecting Yahoo! account holders into giving up their passwords to their user accounts. Do NOT give your password to ANYONE, especially anyone who even mentions it over the phone. Yahoo! has made every attempt to securely send you a chance to recover your lost accounts. Yahoo! is a huge company; do you really think they have time to help you personally? (I'm sure there are contact numbers you can reach, but they are few and far between!)

While this e-mail is technical in nature, this is the computers forum. Hopefully you're here to learn as well as read our geeky ramblings! This is exactly the line of thinking someone in my line of work goes through when trying to decipher a scam like this!

If you have any questions, send me a private message.
__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip
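
The checks in points 3 and 4 of the post can be done mechanically. The following is an added example, not part of trache's post: it decodes an entity-encoded `href`, unwraps a redirector offline, and compares the real destination host with the domain the message claims to come from. The sample message, `redirect.example`, `account-check.example` and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample: href partly written as HTML character references,
# pointing at a hypothetical open redirector (redirect.example).
SAMPLE_HTML = (
    '<p>Please confirm your account:</p>'
    '<a href="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#x72;edirect.example/url'
    '?q=http%3A%2F%2Faccount-check.example%2Fverify">'
    'http://mail.yahoo.com/verify</a>'
)

class LinkExtractor(HTMLParser):
    """Collect [href, visible text] pairs; HTMLParser decodes entities."""
    def __init__(self):
        super().__init__()
        self.links, self._in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._in_a = True
    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False
    def handle_data(self, data):
        if self._in_a:
            self.links[-1][1] += data

def unwrap_redirect(url, max_hops=5):
    """Follow URL-valued query parameters offline (no network requests)."""
    for _ in range(max_hops):
        nested = [v for vals in parse_qs(urlsplit(url).query).values()
                  for v in vals if v.lower().startswith(("http://", "https://"))]
        if not nested:
            break
        url = nested[0]
    return url

def analyze(html_body, expected_domain):
    """Report each link's shown text, decoded href, and real destination host."""
    parser = LinkExtractor()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        host = (urlsplit(unwrap_redirect(href)).hostname or "").lower()
        trusted = host == expected_domain or host.endswith("." + expected_domain)
        findings.append({"shown": text.strip(), "href": href,
                         "final_host": host, "suspicious": not trusted})
    return findings
```

Calling `analyze(SAMPLE_HTML, "yahoo.com")` flags the link because the text shown to the reader names yahoo.com while the unwrapped destination host does not.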