• Phishing Link: http://www.geocities.com/oxox0o_angel_oxox0o/ (available as of this writing) and http://www.geocities.com/oxox0o_cary_oxox0o/ (unavailable as of this writing)
• Phishing Technique Used: Explicit Display of Phishing URL
• Overview: Obtaining victim’s Yahoo ID and password through spoofed URL. The spoofed URL appeared to be from a “known buddy or contact” that is advertised through IM via Yahoo Messenger.

Visited Site

The URL is advertised through instant messenger (IM) via Yahoo Messenger. The aim of the phisher is to entice a user to click on the given link and provide personal details by logging in through the spoofed Web site that it opens.

The IM comes with the following text:

http://www.geocities.com/oxox0o_angel_oxox0o/ ^:)^ guess where
this pic was taken and guess who is behind me in the picture

or

http://www.geocities.com/oxox0o_cary_oxox0o/ ^:)^ guess where
this pic was taken and guess who is behind me in the picture

The spoofed Web site bears a close resemblance to the legitimate Yahoo! Photo’s online login page, the phishers made no attempt to disguise the Phishing URL in the address bar. Ironically, the page is hosted by Geocities. It is thus possible for the user to determine that the Web site is not legitimate. The Phishing Web site asks the user for a user name and password.

Upon clicking on Sign In button, the gathered information is then sent to email address: oxox0o_angel_oxox0o@yahoo.com that can be found at the page source of the Phishing web site, http://www.geocities.com/oxox0o_angel_oxox0o/.