September 06, 2005
Yahoo and Phishing

I've been reticent about publicly announcing Web hosting services that do a lousy job of closing down phishing sites because it might give bad ideas to very bad people. But the cat is out of the bag when it comes to Yahoo. Richard Cox, CIO of Spamhaus, blew the whistle on Yahoo at a public speech in London. According to a report from the conference, Cox noted that Yahoo has registered over 5000 domains whose names contain the words "bank," "ebay," and "paypal"—they all can't be legit, and should be looked into.
This prompted me to look at the last few months of my phishing reports to Yahoo. These are reports that I send based on research for each phishing email message's primary link (the one that's normally hidden from view to those who open the messages in their email programs). I had a handful of domain names with the suspect words in them, but the following list comprises the majority of domains I reported that were both registered and hosted by Yahoo (WARNING: Most of these domains are now inactive, but some may still be alive—DO NOT ATTEMPT TO VISIT THE SITES):
- login-user1422.info
- login-user1937.info
- login-user1962.info
- login-user2112.info
- login-user2332.info
- login-user2419.info
- login-user2626.info
- login-user2728.info
- login-user2783.info
- login-user2891.info
- login-user2947.info
- login-user3114.info
- login-user3664.info
- login-user3839.info
- login-user5231.com
- login-user5336.info
- login-user6613.info
- login-user6996.info
- login-user7687.info
- login-user8341.info
I think it's time to send this list to the codebreakers at the National Security Agency (NSA). If they enter this list into a Cray, and let the supercomputer crunch on the data long enough, maybe—just maybe—they can find some kind of pattern that would help Yahoo detect when a potential phisher is trying to register a domain or set up a phishing Web site. If the Cray is busy, maybe there's an old Apple // lying around in a closet that could do the job.
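The kind of check this calls for fits in a few lines. The sketch below is an added example, not code from the original post or from Yahoo: it collapses digit runs in each newly registered name and flags templates that recur, and it also flags the three words Cox mentioned. The function names, the `min_cluster` threshold and the assumption that the feed contains registrable domains (name.tld) are illustrative choices.

```python
import re
from collections import defaultdict

# Words Cox singled out, per the post.
SUSPECT_WORDS = ("bank", "ebay", "paypal")

def label_of(domain):
    """Leftmost label; input is assumed to be a registrable domain (name.tld)."""
    return domain.lower().rstrip(".").split(".")[0]

def template_of(domain):
    """Collapse every digit run in the label to '#', ignoring the TLD."""
    return re.sub(r"\d+", "#", label_of(domain))

def flag_registrations(domains, min_cluster=3):
    """Map each suspicious domain to the reasons it deserves manual review."""
    clusters = defaultdict(list)
    for d in domains:
        clusters[template_of(d)].append(d)

    flagged = defaultdict(list)
    for tmpl, members in clusters.items():
        # Many names differing only in their digits suggests scripted registration.
        if "#" in tmpl and len(members) >= min_cluster:
            for d in members:
                flagged[d].append(f"serial template {tmpl} x{len(members)}")
    for d in domains:
        hits = [w for w in SUSPECT_WORDS if w in label_of(d)]
        if hits:
            flagged[d].append("keyword " + ",".join(hits))
    return dict(flagged)

# First three names come from the list above; the .example names are constructed.
SAMPLE_FEED = [
    "login-user1422.info", "login-user1937.info", "login-user5231.com",
    "gardening-tips.example", "route66-diner.example",
    "paypal-account-verify.example",
]

if __name__ == "__main__":
    for name, reasons in flag_registrations(SAMPLE_FEED).items():
        print(name, "->", "; ".join(reasons))
```

Keyword matches are substring hits, so a name like "riverbank" would also be flagged; the output is a queue for human review, not a block list.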
When I research these domains further, I find that most of them get hosted at a facility that is within a half-hour drive from here. If gas weren't so darned expensive, I'd think about going over there to pull a plug or two. In the meantime, despite my lickety-split reportage of these abuses, Yahoo manages to let these sites destroy people's lives for days on end. My guess is that Yahoo finally shuts them down not because of the phishing, but because they discover that the domain registration was paid for with a stolen credit card (sadly, the registration data looks to me to be identity info stolen from previous phishing successes). <speculation>If it weren't for the chargeback, the sites might run forever.</speculation>
There was a brief moment in time, noted here and here, when Yahoo reacted quickly and decisively. I was really jazzed about it. But that was a fleeting moment.
Kudos to Richard Cox. Perhaps the publicity from the conference will get Yahoo to do something. Anything.
Posted on September 06, 2005 at 12:05 PM