Spammers were doing it before, so it was only a matter of time before phishers learnt the trick and started doing it too. “Personalised” phishing emails, even with all the available social engineering techniques out there, are old, right? Now phishing emails in Yahoo! Groups, that’s new. TrendLabs’ Content Security Team got hold of the following phishing email message:

Phishers appear to have sent this email through Yahoo! Groups via either of the standard posting methods: through the Yahoo! Groups site’s Post Message feature or by sending an email to the group’s @yahoogroups.com address. Thus, users who receive this email from a Yahoo! Group (of which they are members) are likely to believe that it is legitimate.

The success of this phishing attempt further depends on how the group mailing list is actually moderated (there are settings that allow the moderator to approve all messages before they are sent out to members, see Yahoo! Groups spam abuse prevention features), and on the veracity of past emails sent to the same distribution list. All these efforts and clues are laid to waste, however, should the email come from a legitimate member with an infected or bot-controlled PC, as is typical in spamming operations.

However, we detect this as a phishing attack because the link the email shows the recipient is different from where the browser actually connects. Even more to the point, the URL leads to a page that steals user identities by gathering personal and sensitive user information, such as phone numbers, PINs, passwords, account numbers and debit card numbers. This information is sent over to the phishers, who may then peruse it themselves or sell it in underground forums to cyber criminals. A screenshot of the phishing page is found below.

Note that the legitimate URL of The Royal Bank of Scotland (rbs.co.uk) is different from the domain of the URL which opens the above page (rtsrv.co.uk).

Trend Micro Smart Protection Network uses an integrated approach that protects users against online threats before users ever see them. It ensures that this phishing attempt does not reach Trend Micro users’ email inboxes, while blocking the malicious domain in case this phishing attempt slips through.

Moderators of Yahoo! Groups (and not only them!) should take time to read about their options for keeping their members safe from spam and phishing attempts (or even just off-topic emails) at the Yahoo! Groups FAQ on spam abuse prevention, and about list management in general.

Thanks to Grace Ermitanyo, Anti-phishing Engineer, for the detailed analysis of this attack.