Here is a mail I found in a very very old yahoo account of mine.
From: Yahoo! <email@example.com>
Sent: Friday, 13 April 2012 4:40 PM
Subject: TERMINATION OF YOUR Yahoo! MAIL ACCOUNT
Dear Yahoo Mail Subscribers
TERMINATION OF YOUR Yahoo! MAIL ACCOUNT
we are currently carrying out an upgrade on our system because it has come to
our notice that one or more of our subscribers are introducing a very strong
virus into our system and it is affecting our network. We are trying to find out
the specific person.
For this reason, all subscribers are to provide their USER NAME AND PASSWORD for
us to verify and have them cleared against this virus.
Failure to comply will lead to the termination of your Account in the next 72
Information to send;
Hoping to serve you better.
Copyright © 2012 Yahoo! All rights reserved.Copyright/IP Policy | Terms of Service
NOTICE: We collect personal information on this site. To learn more about how we
Seems legit, right? You are mistaken. Very very badly. Let me point out the mistakes.
- gci.net??? The Yahoo Inc must have exhausted all its email addresses, that it needed an email from gci.net to contact you.
- What was the salutation? ‘Dear yahoo mail subscribers’ When did yahoo turn so lame that it can not write a script to include your name?
- Dafaq did I read? email and password? Name one, just one sane company that asks for your password.
- Spelling mistakes usually give away scams, but this one is clean on that part. Must be a well-planned one.
- Look at the email header. The reply to address is: firstname.lastname@example.org When the hell did yahoo start using such addresses for official correspondence?
- And a more subtle one: Does every yahoo mail user login at least once every 72 hours? Any drastic changes will be announced months in advance by any company that doesn’t want to lose its reputation and stock in an hour, or less, may be.
But i wonder how many have fallen prey to it. If there is any thick head who still thinks its legit, allow me to shoot you. Some scared users may even send it out to their friends, with all good intentions, only to amplify the damage. You know the fun part?
YAHOO DID NOT EVEN DISPLAY A WARNING OR MARK AS SPAM
Yeah! no joking here. Anything that seems to pose as the company should be detected as spam and at least a warning message should be displayed. Gmail’s spam detection is much better, plus I use boxbe, so I never get any spam on my primary Gmail account. And I made a resolution. Never, ever use yahoo for mail. The totally cluttered interface, plus seemingly no caring for privacy, plus a not so good spam detection system (I even doubt if it really has one) make it my last choice.
To summarize, What this post is about?
Almost every day, I come across Facebook likejacking scams, Password stealing scams, advertisement scams, and so on. We need to be a bit vigilant while using Internet. Not many days ago, a friend of mine asked me if I could hack yahoo, coz her father lost access to his email, which contained important financial information. Hacking into any properly maintained server is extremely difficult, read impossible. We tried recovery options, but yahoo was stubborn enough to give no option other than answering secret questions, to which the answers weren’t matching. Luckily, her trial and error attempts were successful, So I assume that the primary fault is with memory here.
As a rule of thumb, NEVER reply anyone asking for password. No organization in right mind would do that. The technical details are that emails are transmitted in plain-text, so it is too easy for anyone to read, and the delivery mechanism, SMTP, read Simple Mail Transfer Protocol, was designed to deliver mails sometime in future. Confirm first, and if it is legitimate, slap the person if you can, and ask them to use a better, secure method. Security is one thing where compromise can prove disastrous.
Was I shouting at yahoo earlier? Add a not-so-friendly password recovery procedure to that list. Why not ask the user for a mobile number or alternate email, and use that to authenticate? meh. You may expect a post on the precautions I take, and the security I maintain, some time soon. It’s at the end of a very very long To Do list, so be informed that it may take some time.