Few days back, I got a mail from one of my friend saying her yahoo account has been hacked! The Chinese attacker accomplished this by creating a fake-login screen! Actually there is more victims to this yahoo fake-login screen. While this type of attack isn’t new, what makes people vulnerable as this one is uploaded on yahoo’s geocities itself!
Posting here are ways to protect yourself…
1. Trying Wrong Password (Simple)
If you suspect the login-screen next to you is fake, then best way is to enter wrong password. While a genuine login screen will return an error such as “wrong user name or password” the fake one will redirect you to pre-configured page!
2. Checking source code… (Advance)
You can also inspect source-code of login screen…
tags… (or you can directly search for “action” attribute)
Now original “action” value for yahoo photo’s is,
Its enough to check high-level domain (as shown in red color). Creating a fake-login screen is quite simple so if
hacker attacker is really naive, then this will works 99.99999% of the time! There is only one way out for attacker and it depends much more on victims foolishness as well as luck!
A fake login screen will always have different value for action attribute…
- https://user.yahooo.com/config/login? (note extra O in yahoo)
For those relying on “forget password” option then there is another bad news…
This guy is smart enough to change PIN and COUNTRY information in all his victims yahoo account so they could not get even security question to answer!!!
there are firefox addons to avoid phishing… :p
@Demander of Hell
Thanks for reminding. I will try to post about such addons soon! 🙂
This is the first website i’ve come across which has so many tips and tricks. You’ve put so much effort into presenting this info to ‘normal’ people like me.
This is just a short note to let you know that i think You’re a genius!
Thanks for your appreciation buddy! 🙂
help me.. ;'(
someone hacked my yahoo email password.
now the security question also changed by the hacker.
i am begging you please help me get back my yahoo email..
I wanna know how to get yahoo “LOGIN ALERT on mobile ” and “LOGOUT ALERT on mobile”.
So that if somebody logs into my account , i will be notified immediately and also i can take action immediately( like changing password).