By Dave Michmerhuizen – Research Scientist, Luis Chapetti – Security Researcher
Spammers are always on the lookout for ways to trick you into clicking on the links they send out, and one of their favorite ploys is to use poorly crafted redirect URLs. While there are plenty of legitimate reasons for using URL redirection, web designers sometimes make URLs available that redirect to any destination without considering the ramifications. The programmers responsible for labor.vermont.gov certainly didn't know that spammers would take advantage of an open URL redirect on their site that was recently uncovered.
Apparently the programmers responsible for Yahoo's web authentication stack aren't aware of a similar weakness in their software. Spammers are though. Our spam monitoring systems recently turned up this email that hides a phishing webpage behind a Yahoo.com link.
This Portugese email poses as a Mastercard sponsored drawing of some sort, offering cars, laptops and even cash. All you need to do is press the button and sign up.
Our eyes were drawn to the URL for the button. “Does this really work?” we asked ourselves, and it turns out that the answer is yes, it does. Any link prefaced with http://login.yahoo.com/config/reset_cookies_token?.done= will redirect the browser to a URI parameter following the ‘=' while initially appearing to be part of Yahoo.com. We went ahead and pressed the button and recorded this redirect.
We were directed to this phishing web page hosted on an often-abused freehost subdomain of .ms (Montserrat), br.ms. Not the sort of outfit you would expect Mastercard to be using.
The bravado of this page is overwhelming. Not only does it ask for all of your credit card information but they request your Brazilian Tax ID (CPF) number as well. We filled in dummy data and watched as it was sent back to the malicious site in clear text.
Spammers are using every angle they can to make their emails seem legitimate. Your best defense is to steer clear of them. If you get an email from your bank, visit the bank website independently. If you see a Mastercard promotion in your inbox, browse to mastercard.com and investigate it there. Don't trust links emailed to you, even if they seem to be good. There's no upside in taking chances.