Has your Yahoo password been stolen? Would you be aware if that was the case? Many people who have fallen for the latest Yahoo password stealing scam will be unaware that their account is no longer secure.
PhishMe researchers are always finding new tactics used by the top phishers to steal login credentials for popular on-line services, and attacks on Yahoo users are incredibly common. We recently found a very clever phisher using the idea of strengthening your password against you. Let’s explore this phishing scenario in detail.
Since the beginning of May, the URL:
has loaded a page that asks the victim to confirm the strength of their Yahoo! Mail password.
What a great service! However, this request is not being made on the Yahoo! site. The activity takes place on MarkSpikes.com, as is shown in the screenshot below:
When someone falls for this Yahoo password stealing scam, a PHP script on the compromised MarkSpikes.com web server emails the password to the criminal. By viewing the source code of the phishing page, we can see the name of the script is hellion.php, but we also find some interesting comments in the code, as seen below:
# HELLION PROUDLY PRESENTS, Auto Killer v1.0
# This program is free software brought to you by Hellion:
# You can redistribute it and/or modify it under the terms of
# the GNU General Public License as published by the Free Software Foundation,
# either version 3 of the License, or (at your option) any later version.
# However, the license header, copyright and author credits
# must not be modified in any form and always be displayed.
# This program is distributed in the hope that it will be useful
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# Contact me : firstname.lastname@example.org for more details.
# Skype: teamipwned
# Special greets to Shaif Lifax, Solaree, PaperBoi, Softwarewind, Emoney, and others who helped!
# WARNING: Do not touch anything here!
These comments give us a good deal of information about who designed this phishing attack and who may also be collecting the stolen Yahoo! account passwords.
The Yahoo! username “team_pgb” is tied to two recovery email accounts as seen in the captured Yahoo! Forgot Password screen below:
Yahoo! may want to check and see how their user “team_pgb” is sharing code for spoofing Yahoo! password strength checkers!
PhishMe Intelligence is useful for determining which other brands may be affected by this attack. A search on the MarkSpikes.com domain reveals there have been several other phishing attacks hosted on the same domain recently. A variation on the Yahoo password stealing attack above asks the victim to strengthen their account from threats by confirming the strength of their password. A Microsoft version from May 2nd suggests, as seen below, that the password should be entered in order to verify the account.
Going back to March 1st, Google users were phished at another URL on the same domain:
Another very similar Google phish was identified in the same timeframe as the one mentioned above. From one of those phishing servers, PhishMe archived a phishing kit left behind by the criminals. Inside, it reveals that the Google passwords were being sent by the phishing server in email messages from email@example.com to firstname.lastname@example.org. The domain blazerscyberteam.net was registered last October 24th using a privacy protection service. There is a profile on Facebook for “Swift Opio DA Blazers” where the occupation is listed as “Director at Blazer Cyber Team”:
Though the Google phishing content has been removed from MarkSpikes.com, a perusal of the directory reveals that there is another type of phish at:
As can be seen in the screenshot below, this is a phish for an email address and password combo. Once the details are entered, the victim is re-directed to the My Maersk Line login page on my.maerskline.com
Since February 1st, PhishMe has recorded thirteen other similar Maersk-style pages that phish for email addresses and passwords.
The hosting IP address for this domain is also interesting. Since Sept. 11, 2013, PhishMe has recorded over 18 thousand attacks against hundreds of brands on the netblock 188.8.131.52/16, owned by Cyrus One and leased to HostGator’s WebsiteWelcome as “HGBLOCK-10”.
Let us know if you’ve seen similar phishing sites, if your Yahoo password has been stolen in a similar style attack, or would like us to look into a different tactics that you’ve recently observed, by using the comments section below.