Yahoo mistake?

eluminator

Flashlight Enthusiast
Joined
Mar 7, 2002
Messages
1,750
Location
New Jersey
It seems I just got an e-mail from yahoo with a link to their site where I can enter my credit card number.

I was shocked to see this. I think it's legitimate, but it sure looks phishy.

My annual e-mail subscription charge is due and my credit card expiration date is out of date. I decided to do the safe thing and go to yahoo's site, login to my account and change it that way. But the way to edit the credit card info is far from obvious. It's so confusing that I went back to the e-mail and tried the link just to see if I was on the right track.

Maybe Yahoo resorted to the e-mail link because it's virtually impossible to figure out how to edit the credit card info otherwise. Anyway the whole thing is sick sick sick.

I think I fixed my Yahoo account but maybe I just gave my credit card number to someone in Romania.
 

MrTwoTone

Newly Enlightened
Joined
Mar 12, 2005
Messages
176
Location
ohio
Call your credit card company NOW and tell them what happened. Let them decide what needs to be done.
 

Hookd_On_Photons

Enlightened
Joined
Oct 28, 2004
Messages
647
It might be legit, it might not.

Info here:

http://privacy.yahoo.com/privacy/us/security/details.html

There's a link at the bottom of the page to a contact form you can fill out and send to Yahoo if you think your account's been compromised.

If a third party sent you the e-mail you can forward it to [email protected] (but it sounds like it came from Yahoo. Did you happen to check the full header?)

As long as you manually browsed to the Yahoo site and entered the credit card info there, without following the link sent to you in the e-mail, you should be OK.
 

chmsam

Flashlight Enthusiast
Joined
Apr 26, 2004
Messages
2,241
Location
3rd Stone
There have been many, many spoofing attempts recently. In fact, there are other threads on CPF about it.

Any time you get email asking for personal information (even address and phone number), credit card information, or the like, one of the first things you should do is move the computer cursor over the weblink, but do not click on it! Just let the cursor sit over the link for a few seconds. You should see a very small box pop up that contains the actual URL for the link. If that doesn't look right, or it doesn't indicate that it is a secure link (https/www vs. http/www, IIRC - the "s" on the end of the http is an indicator for a secure site -- and if I'm not correct about this, someone here will update this info), don't open the link at all. Once again, don't click on the link.

Always safest to contact companies requesting personal information (of any level) by mail. Even a phone call isn't always safe.

When in doubt, don't do anything with the email except report it to your internet service provider.

Personally, I give out no information whatsoever over the net, but especially not over emailed weblinks.

I have had repeated emails from banks, credit companies, and finance companies (several from what was supposed to be PayPal) asking to update my information, warning me of attempts to get into my account, or asking me to confirm an order. All were from companies I have never done business with, and they all had bogus URLs that showed up when I passed the cursor over the link.

Be afraid... be very afraid.
 

ACMarina

Flashlight Enthusiast
Joined
Sep 10, 2004
Messages
3,119
Location
Brookston, IN
Nah, get Linux instead. No worries about virii, and then I can feed false information to them all day. Plus every phishing email I've gotten has had a link to forward it to the authorities.
 

James S

Flashlight Enthusiast
Joined
Aug 27, 2002
Messages
5,078
Location
on an island surrounded by reality
If you closed that window and retyped the address of yahoo.com and logged yourself into it from there, then it's very likely that nothing is wrong.

If you used the page that resulted from clicking in the email then you very likely just gave your CC number to the phishers.

It is worth it to call your CC company and see what charges have been added today. If Yahoo charged you then you're OK; if Yahoo hasn't charged you then you better cancel that number ASAP.
 

oldgrandpajack

Enlightened
Joined
Mar 15, 2003
Messages
931
I got the same email from Yahoo today, and I don't even use it. Has to be someone phishing for personal data. CALL YOUR CREDIT CARD COMPANY, NOW!
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
The advice to look at the URL by putting your pointer over it is one way to detect SOME of the bad links, but not all. Some phishing messages use a super long URL so your web browser can't show all of it. This works for Linux as well as Windows systems. The trick, after all, is to get you to a site that looks legit but is run by "bad guys".

Always start at the home page of the company you are doing business with when you are going to give personal information or credit card info over the net.


That's my $5.02 (based on current consulting rates)

Daniel
 

eluminator

Flashlight Enthusiast
Joined
Mar 7, 2002
Messages
1,750
Location
New Jersey
I didn't make myself very clear. Not being totally stupid, I went to my Yahoo account but couldn't figure out how to update my credit card info. It's that bad folks.

There's no mention of how to do this on the account information screen. There's a link to change password and a link to change my security key. I don't even know what that is. As far as I know I don't have a security key.

I eventually got to a screen used for making purchases, and was able to change my credit card expiration date there. To see if I was headed in the right direction I actually used the link in the e-mail to see if it would take me there. It took me to something similar, so I went ahead. But I didn't use the link in the e-mail to do it.

I don't think I was scammed. My main reason for this thread is to express my extreme disapproval of the way Yahoo handles this.

Here's the link in the e-mail:
http://us.rd.yahoo.com/mail_us/order/renewal/mp/wallet/?https://edit.secure.yahoo.com/ec/ec_edit?.src=ym&.done=http://mail.yahoo.com

Here is the URL I actually used:
https://edit.secure.yahoo.com/ec/ec_validate?.checkCvv2=1&.done=https%3a//ordering.yahoo.com&.bail=https%3a//ordering.yahoo.com&.fromEdit=1

This stoopid screen is labelled "Choose Payment Method", and it's where I enter the credit card number. Note that I didn't want to make a payment, just update my credit card expiration date. To get to this screen, I had to click on "Manage My Premium Services" and then click a tiny almost hidden link called "My Payment Info". Stoopid. Really Stoopid.

So is that first link a scam? If so, they are really sneaky because they apparently knew my e-mail subscription payment was due, and my credit card expiration date was out of date. If it isn't a scam then Yahoo committed an unpardonable sin.
 

gregw45

Newly Enlightened
Joined
May 28, 2003
Messages
134
[ QUOTE ]
James S said:
If you closed that window and retyped the address of yahoo.com and logged yourself into it from there, then it's very likely that nothing is wrong.

[/ QUOTE ]

I was shocked to see a new form of ID theft reported on the local news last night. It's called "pharming".

Even typing the URL directly into the browser will not prevent the target from being redirected to a spoof web site.

Pharming
 

Hookd_On_Photons

Enlightened
Joined
Oct 28, 2004
Messages
647
I think you're OK.

You can check the certificate of the web page linked in the e-mail, and it appears to be a valid certificate issued to yahoo.com.

Yahoo's account interface is kinda klunky, but you described the correct procedure to change your credit card information (under the "Premium Services" options).

Not that I'm defending Yahoo, but the e-mail link does require a login, doesn't it? (It did when I followed it from your post). So it's not totally indefensible.
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
A page that looks like Yahoo can be from somewhere else. The URL that starts with http://us.rd.yahoo.com/ is redirected to a site that may or may not be under Yahoo control.

It's simple to set up a web page that asks for a login and password. It's even simple to have a pirate web server use that password and login to access Yahoo and send you back the responses so it looks real. In the meantime, they end up with your login and password and, in this case, your credit card too.

I guess I'm saying, just because an e-mail sends you to a link that requires a login, that does not make them legit.


Daniel
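As an added example (not code from anyone in this thread): a small Python check that pulls the real destination out of a redirector link of the us.rd.yahoo.com shape eluminator quoted, and flags a non-https or off-domain destination, which is the point gadget_lover makes above about the redirect. The rule "a complete URL at the start of the query string is the redirect target" is an assumption about this redirector's shape, and the third link is a constructed look-alike, not one from the thread.

```python
"""Inspect a link quoted in an e-mail: find where a redirector really sends you
and check the destination against the domain you expect to be dealing with."""
import re
from urllib.parse import urlsplit, unquote

# The two links quoted in eluminator's post above.
EMAIL_LINK = ("http://us.rd.yahoo.com/mail_us/order/renewal/mp/wallet/"
              "?https://edit.secure.yahoo.com/ec/ec_edit?.src=ym&.done=http://mail.yahoo.com")
DIRECT_LINK = ("https://edit.secure.yahoo.com/ec/ec_validate?.checkCvv2=1"
               "&.done=https%3a//ordering.yahoo.com&.bail=https%3a//ordering.yahoo.com&.fromEdit=1")
# Constructed look-alike for contrast: same trusted-looking redirector, foreign target.
FAKE_LINK = "http://us.rd.yahoo.com/mail_us/order/?http://yahoo.com.example.net/wallet"

_URL = re.compile(r"https?://[^\s&\"'<>]+", re.IGNORECASE)

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def on_domain(host, domain):
    """Suffix match on a label boundary: 'edit.secure.yahoo.com' yes, 'notyahoo.com' no."""
    return host == domain or host.endswith("." + domain)

def redirect_target(url):
    """The URL a redirector-style link forwards to, or None.
    Assumed heuristic: a complete URL at the start of the query string (the
    us.rd.yahoo.com shape in the thread) or anywhere in the path. Parameter
    values such as .done=... are return addresses, not the target, so they
    are deliberately not matched."""
    parts = urlsplit(url)
    m = _URL.search(unquote(parts.path)) or _URL.match(unquote(parts.query))
    return m.group(0) if m else None

def assess(url, expected_domain):
    """Where the link really lands and what a defender would flag about it."""
    target = redirect_target(url)
    final = target or url
    findings = []
    if target:
        findings.append("redirector %s forwards to %s" % (host_of(url), host_of(final)))
    if urlsplit(final).scheme.lower() != "https":
        findings.append("destination is not https")
    if not on_domain(host_of(final), expected_domain):
        findings.append("destination %s is outside %s" % (host_of(final), expected_domain))
    return {"final_host": host_of(final), "findings": findings}

if __name__ == "__main__":
    for link in (EMAIL_LINK, DIRECT_LINK, FAKE_LINK):
        print(link[:60] + "...", assess(link, "yahoo.com"))
```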
 

Hookd_On_Photons

Enlightened
Joined
Oct 28, 2004
Messages
647
True, but the certificate for the website that the link goes to is verified as having been issued to Yahoo.

And I should have been more explicit about the "login" comment. Once the site is verified as Yahoo's (and not before, mind you), requiring a login is somewhat safer than directly linking to a page to enter sensitive information.
 

eluminator

Flashlight Enthusiast
Joined
Mar 7, 2002
Messages
1,750
Location
New Jersey
Most people don't know anything about site certificates. This is precisely the way that phishers work.

Responsible companies like PayPal tell you they never send such an e-mail and you should never use a link in an e-mail to login to PayPal.

Yahoo is being incredibly irresponsible. They are inviting phishers to get people's Yahoo login and even worse to get their credit card number.
 

eluminator

Flashlight Enthusiast
Joined
Mar 7, 2002
Messages
1,750
Location
New Jersey
[ QUOTE ]
gregw45 said:

I was shocked to see a new form of ID theft reported on the local news last night. It's called "pharming".

Even typing the URL directly into the browser will not prevent the target from being redirected to a spoof web site.

Pharming

[/ QUOTE ]

I saw that also. Scary.
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
The article on "pharming" appears to be mixing up DNS hijacking with DNS poisoning. The former is easy to detect and generally requires social engineering (talking someone into changing the DNS records). The latter affects only selected ISPs and can go undetected for hours, days or weeks. Poisoned DNS records have to be repoisoned on a regular basis.

While certificates sound like they provide a guarantee that the site is legit, the reality is that it's easy to get a certificate for a hijacked domain. It's fairly simple to convince the certificate authority companies to issue an emergency certificate based on system changes. I've done it.

In general, to be safe don't click on any link in any e-mail, including those from your friends. Type (carefully) the URL for the site's home page and go from there.

Daniel
 