web application security lab

Redirection in Yahoo Forwards Phishing

This time it’s Yahoo’s turn to be used in the propagation of phishing. This is the second time in just a few weeks that this has happened. The nay-sayers are awfully quiet these days, have you noticed? Interesting. Anyway, I’ll stop playing the “I told you so” game and stick to the facts. The fact is that Yahoo is currently hosting a redirection script used for tracking. The link can be modified to forward to any domain of the attacker’s choice (an open redirect), and the attacker happened to choose a phishing page (big surprise):

This is a live phishing site at the time of this writing. I’m not sure what else has to happen before these companies start jumping on these and closing them down. It’s bad for consumers, and it’s bad for the trust in their brand. I understand better than just about anyone why it’s important to be able to track your users’ activities, but there are other ways: onclick event handlers, for instance. Something like 98-99% of users have JavaScript turned on, so that should be a good enough sample for tracking purposes. Or use a whitelist of permitted destinations. Or embed a checksum in the link, one the attacker cannot compute without the site’s secret, so the redirect script rejects any destination it did not itself generate. There are alternatives to leaving yourself open to these forms of attack.

Maybe I’m preaching to the choir now.

2 Responses to “Redirection in Yahoo Forwards Phishing”

  1. Tontonq Says:

    http://pagead2.googlesyndication.com/pagead/iclk?sa=l&ai=x&num=1&adurl=http://ha.ckers.org&client=ca-pub-8&nm=1

    https://login.yahoo.com/config/mail?.intl=us&.done=http://ha.ckers.org

  2. John Herron Says:

    There are tons of these out there.
    http://dw.com.com/redir?destUrl=http://1113638937&lop=nl.ex
    http://www.citrix.com/sharedCode/services/clickTo.asp?ref=HPS31791_C&dest=http://www.nist.org

    Most can be used with an obfuscated URL. I don’t know why they can’t simply issue a session ticket and have the redirect script check for it. That would limit things quite a bit. You’re right that it really is time they do something about this. The way things are now it makes social engineering so much easier.

    John @ NIST.org