Last month, we learned of a phishing campaign targeting Yahoo Mail users. The phishing email claimed that the recipients’ mailbox had expired and asked them to click on a link to restore their email access.
Figure 1. Example of Yahoo phishing email
The “Update Now” link led the recipient to a website that looked like the real Yahoo.com login page.
Figure 2. Yahoo Mail phishing page
As you might expect, if users submitted their user name and password to this phishing website, their Yahoo Mail account would have been compromised. But a few things stand out about this particular phishing campaign.
Scammers added a copycat alternate email
Shortly after compromising these Yahoo accounts, the scammers logged in to the affected accounts and added an alternate email address. This alternate email address was quite intriguing, as it appears that the scammers registered a copycat email address on Microsoft’s Outlook.com email service using the exact same user name as the @yahoo.com account.
Figure 3. Scammers add copycat alternate email address
Scammers forwarded all emails to the alternate email address
To keep the victims in the dark about their account being compromised, the scammers set up a rule to forward all email messages to the copycat alternate email address and to delete these messages, leaving no trace of the messages within the Yahoo Mail inbox.
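The two account changes described above (a copycat alternate address, then a forward-all-and-delete rule pointing at it) form a pattern that a mail provider or administrator could look for in account audit logs. The following is an added example, not code from the original post or from Yahoo; the event format, field names, sample addresses, and the 24-hour window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical audit-log format (not a Yahoo API).
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "account": "jane.doe@yahoo.com",
     "type": "alternate_email_added", "address": "jane.doe@outlook.com"},
    {"ts": "2024-01-10T09:04:00", "account": "jane.doe@yahoo.com",
     "type": "mail_rule_created",
     "rule": {"match": "all", "forward_to": "jane.doe@outlook.com", "delete_after_forward": True}},
    # Benign: different user name, and the rule keeps the inbox copy.
    {"ts": "2024-01-10T11:00:00", "account": "sam@yahoo.com",
     "type": "alternate_email_added", "address": "sam.work@example.com"},
    {"ts": "2024-01-10T11:05:00", "account": "sam@yahoo.com",
     "type": "mail_rule_created",
     "rule": {"match": "all", "forward_to": "sam.work@example.com", "delete_after_forward": False}},
]

def is_copycat(account, alternate):
    """True when the alternate reuses the account's user name on another domain."""
    user, _, domain = account.lower().rpartition("@")
    alt_user, _, alt_domain = alternate.lower().rpartition("@")
    return bool(user) and user == alt_user and domain != alt_domain

def is_silent_forward(rule):
    """True when the rule forwards every message and deletes the inbox copy."""
    return (rule.get("match") == "all" and bool(rule.get("forward_to"))
            and rule.get("delete_after_forward") is True)

def find_takeover_pattern(events, window=timedelta(hours=24)):
    """Flag accounts where a copycat alternate address is followed, within
    `window` (an assumed threshold), by a forward-and-delete rule to it."""
    added = {}      # (account, alternate address) -> time the address was added
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"].lower()
        if ev["type"] == "alternate_email_added" and is_copycat(acct, ev["address"]):
            added[(acct, ev["address"].lower())] = ts
        elif ev["type"] == "mail_rule_created" and is_silent_forward(ev["rule"]):
            target = ev["rule"]["forward_to"].lower()
            first_seen = added.get((acct, target))
            if first_seen is not None and ts - first_seen <= window:
                findings.append({"account": acct, "forward_to": target,
                                 "minutes_after_add": int((ts - first_seen).total_seconds() // 60)})
    return findings

if __name__ == "__main__":
    for hit in find_takeover_pattern(EVENTS):
        print(hit)
```

A same-name address on another provider is not suspicious on its own, since many people register one legitimately; it is the pairing with a rule that removes every message from the inbox that marks the account for review.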
Scammers employed the family member impersonation scam
The scammers then harvested the address book from the compromised Yahoo accounts to send out emails requesting financial assistance as part of a family member impersonation scam. In these campaigns, scammers typically pose as the message recipient’s family member, claim that there is an emergency, and ask the recipient to send them money. This type of social engineering scam has been around for some time and is also known as pretexting.
Figure 4. Scammers attempt the family member impersonation scam
Unlike the more common “mugged in London” scam, this one transported the family member to Manila in the Philippines, where he or she requested a wire transfer for nearly US$4,000 to help pay the hospital bills of a cousin and his son. Because the scammers used the victim’s user name on another email account and drew on the victim’s address book contacts, the campaign seemed more legitimate.
What to do if you receive one of these emails
The first thing someone should do if they are on the receiving end of one of these family member impersonation emails is to be skeptical of it. Is this family member really in Manila? Call and check with one of their siblings or parents to see if it is true. More often than not, it’s clear that this is a scam.
A lot of these types of impersonation scams ask for money to be wire-transferred through services like Western Union. There are many different scams that abuse these services and you should learn more about them.
Why two-step verification is important
Certainly, if the recipient of the phishing email refused to click on the link, they would not have had their account compromised. Even then, we still encourage users to enable additional account features like two-step verification. This feature adds an additional layer of security and ensures that even if the scammer does obtain the user name and password for the Yahoo account, they would not be able to log in without having access to the users’ mobile phones.
Learn more about enabling two-step verification for Yahoo accounts.