Phishing campaign uses Yahoo breach to hook email

The Yahoo breach news is another opportunity for industrious criminals to prey on user concern about account security. Here's what to look for in the latest phishing hook.


It took about ... what? A day? ... for criminal phishers to take advantage of this week’s Yahoo breach news and create emails that they hope will fool Yahoo mail users into thinking their account “needs updating.”

I have a Yahoo mail account and received this email Thursday.  It notifies me that my account access is “temporarily limited for failing automated security server update.”  It then helpfully asks me to “kindly upgrade” my email with the link below to re-verify account ownership “or you will be locked out,” it adds ominously.

[Image: yahoo mail (credit: CSO staff)]

The phish preys on concerns about account security and aims to fool people after Yahoo officials issued email messages this week warning users that their accounts may have been compromised.

In the messages, Yahoo CISO Bob Lord says a forged cookie may have been used to access their accounts in previous years. In December, Yahoo reported that data associated with more than 1 billion user accounts was stolen in August 2013. Less than three months earlier, the company reported a separate data breach affecting more than 500 million users that originally occurred in late 2014.

This phishing email can be identified as fraudulent due to a few telltale features. Take a look at what’s in the sender field. It simply says "Mail" and the address it was sent from is <Z1761554@students.niu.edu>. From this, we know that it is being sent from an address that does not originate with Yahoo’s mail team. It appears to be associated with Northern Illinois University. I doubt that Yahoo has moved its mail team operations to NIU, so we know something is not right.

[Image: yahoo mail highlight (credit: CSO staff)]

The language used is another feature that gives it away as a phishing email.  While this message has slightly better grammar and punctuation than many of the phishing emails out there, noting the account is “temporarily limited for failing automated security server update” sticks out as an attempt to sound technical, but lacks the right sentence structure. Asking me to “kindly upgrade my email” also looks off for an official security notification.
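The two tells described above (a sender address that does not belong to the brand the message names, and wording that is out of place in an official notice) can be checked mechanically. The following is an added example, not part of the original article; the allowlist, the Subject and To lines of the sample, and the function names are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains the named brand really sends from; verify before use.
BRAND_DOMAINS = {"yahoo": {"yahoo.com"}}
# Wording the article quotes as out of place in an official security notice.
PRESSURE_PHRASES = ("temporarily limited", "kindly upgrade", "re-verify", "locked out")

# Constructed sample: sender and wording follow the article; Subject and To are made up.
SAMPLE = """\
From: Mail <Z1761554@students.niu.edu>
To: user@example.com
Subject: Yahoo account notice

Your account access is temporarily limited for failing automated security
server update. Kindly upgrade your email with the link below to re-verify
account ownership or you will be locked out.
"""

def body_text(msg):
    """Join the decoded text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def in_domain(domain, allowed):
    """True for an exact match or a subdomain; rejects yahoo.com.example.net."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def assess(raw_message):
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = " ".join((msg.get("Subject", "") + " " + body_text(msg)).lower().split())
    # A brand named in the text but absent from the sender domain is the first tell.
    mismatched = sorted(b for b, allowed in BRAND_DOMAINS.items()
                        if b in text and not in_domain(domain, allowed))
    # A matching From domain proves nothing on its own: the header can be forged,
    # so a real pipeline also checks SPF/DKIM/DMARC results.
    return {"display_name": display, "sender_domain": domain,
            "brand_mismatch": mismatched,
            "pressure_phrases": [p for p in PRESSURE_PHRASES if p in text]}

if __name__ == "__main__":
    print(assess(SAMPLE))
```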

Phishing emails can vary widely, from sophisticated and hard to spot, to crude and easy to point to as a scam.  But spammers will consistently use well-known business names and current events in the hope of tricking you into giving up your sensitive information, like passwords and social security numbers. If you are being asked to click a link or download a document, do not trust and always verify. In a situation like this, head over to the Yahoo site yourself and use the contact information provided to ask questions.

For more tips on spotting phishing emails, check out our slideshow Can you spot the phish?
