[PLUG] A New (to me) phishing attack

Vram lamsokvr at xprt.net
Sat Feb 25 05:57:04 UTC 2006


On Fri, 2006-02-24 at 10:03 -0800, Aaron Ten Clay wrote:
> On Fri February 24 2006 09:47, Richard C. Steffens wrote:
> > I've gotten a couple of e-mails claiming that I've successfully added a 
> > new e-mail address to my PayPal (or PayPa1, or PayPaI) account. All I 
> > have to do is click on this handy link. I have not done so, nor do I 
> > plan to. The link is as follows:
> > 
> > http://rds.yahoo.com/S=44831148:D1/CS=44831148/SS=44831166/SIG=11v8331g7/*http:/3639747790:84/page/webscr/
> > 
> > Am I correct in assuming that this link goes to someplace within Yahoo? 
> > I sent the entire e-mail off to abuse at yahoo.com, but they think I'm 
> > complaining about the e-mail coming from yahoo mail, I'm on my third 
> > exchange with them to get them to look at the link, and not the spoofed 
> > (is that the right term for it?) e-mail header.
> > 
> > Anyway, can anyone take a guess as to what that http string is trying to do?
> > 
> > And, just in case anyone wonders, no, I haven't tried to add an e-mail 
> > address to my PayPal account, nor done anything else with that account 
> > in the last couple of weeks!
> 
> That's a standard yahoo redirect. It's being abused by someone to "mask" a destination URL.  It's been abused since the dawn of time, who knows why Yahoo still has it.
> 
> The destination URL is the last part there after the asterisk. The destination URL is a decimal encoded IP address (3639747790) which becomes 216.242.36.206. Port is 84, and URI is /page/webscr/.
> 

How do you do that??

Is there a link somewhere??

Vram



> It has nothing to do with Yahoo!. They just have this braindead scheme of "all links must go to our redirect page!" and so it's a very convenient way for phishers and other black-hats to confuse people.
> 
> HTH,
> Aaron
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug




More information about the PLUG mailing list