[nsp-sec] yahoo (ymail) phishing dropbox
Marius Urkis
marius at litnet.lt
Fri Nov 6 05:11:26 EST 2009
Hi,
accountsupdates at ymail.com is used as a username/password dropbox. See
message below.
Cheers
--
Marius
=============================
Marius Urkis
LITNET CERT
http://cert.litnet.lt
Tel: +370 37 300645
GSM: +370 687 79059
-------------------------------------------------------------------
Received: from mx-2.ktu.lt (mx-2.ktu.lt [IPv6:2001:778::103])
    by luodis.sc-uni.ktu.lt (Postfix) with ESMTP id 1FC8D4A875;
    Fri, 6 Nov 2009 11:23:06 +0200 (EET)
Received: from localhost (localhost [127.0.0.1])
    by mx-2.ktu.lt (Postfix) with ESMTP id D338637B3C;
    Fri, 6 Nov 2009 11:23:05 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at mx-2.ktu.lt
X-Spam-Score: 0.013
X-Spam-Level:
X-Spam-Status: No, score=0.013 tagged_above=-999 required=5
    tests=[AWL=0.013]
Received: from mx-2.ktu.lt ([127.0.0.1])
    by localhost (mx-2.ktu.lt [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id ZcfvOW5WXX7y; Fri, 6 Nov 2009 11:23:01 +0200 (EET)
X-Greylist: delayed 15376 seconds by postgrey-1.31 at margis; Fri, 06
    Nov 2009 11:22:40 EET
Received: from spamwall.lynx.net.lb (spamwall.lynx.net.lb [62.84.64.30])
    by mx-2.ktu.lt (Postfix) with ESMTP id A64B737AD3;
    Fri, 6 Nov 2009 11:22:40 +0200 (EET)
Received: from webmail.lynx.net.lb (localhost.localdomain [127.0.0.1])
    by spamwall.lynx.net.lb (8.13.8/8.13.8) with ESMTP id nA63uwtl020416;
    Fri, 6 Nov 2009 05:56:59 +0200
Received: from 62.56.132.25 (proxying for 170.150.0.224)
    (SquirrelMail authenticated user nicolas)
    by webmail.lynx.net.lb with HTTP;
    Fri, 6 Nov 2009 05:57:31 +0200
Message-ID: <c897e0ffb363748d6f8ca2900cab07b6.squirrel at webmail.lynx.net.lb>
Date: Fri, 6 Nov 2009 05:57:31 +0200
Subject: Dear Ktuwebpost Customer...
From: "Ktuwebpost Administrator" <yositeupdate at ktu.lt>
Reply-To: accountsupdates at ymail.com
User-Agent: SquirrelMail/1.4.19
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients:;

Dear Ktuwebpost Customer,
This Email is from Ktuwebpost Customer Care and we are sending it to every
Ktuwebpost Email User Accounts Owner for safety. we are having
congestion's due to the anonymous registration of web mail accounts so we
are shutting down some Ktuwebpost accounts and your account was among
those to be deleted. We are sending you this email so that you can verify
and let us know if you still want to use this account.
If you are still interested please confirm your account by filling the space
below. Your User name,password,date of birth and your country information
would be needed to verify your account. Due to the congestion in all mail
users and removal of all unused Ktuwebpost Accounts, Ktuwebpost would be
shutting down all unused Accounts, You will have to confirm your E-mail by
filling out your Log in Information below after clicking the reply button,
or your account will be suspended within 24 hours for security reasons.
*Email Username :..............
*Email Password :..............
*Date of Birth :..................
*Country or Territory: ........
After following the instructions in the sheet, your account will not be
interrupted and will continue as normal. Thanks for your attention to this
request. We apologize for any inconveniences.
Warning!!! Account owner that refuses to update his/her account after 48
Hours of receiving this warning will lose his or her account permanently.
Thanks.
Site Administrator.
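
Added example, not part of the original post: a triage check for the pattern in the headers above, where the From domain differs from a free-webmail Reply-To and the mail was submitted through an authenticated webmail session on an unrelated host. The names triage, domain_of and FREEMAIL and the contents of the freemail list are assumptions; the sample is built from header values shown in the message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative free-webmail domains; maintain your own list.
FREEMAIL = {"ymail.com", "yahoo.com", "gmail.com", "hotmail.com"}

# Constructed sample: header and body lines copied from the message above,
# with header folding restored.
SAMPLE = (
    "Received: from 62.56.132.25 (proxying for 170.150.0.224)\n"
    "\t(SquirrelMail authenticated user nicolas)\n"
    "\tby webmail.lynx.net.lb with HTTP;\n"
    "\tFri, 6 Nov 2009 05:57:31 +0200\n"
    'From: "Ktuwebpost Administrator" <yositeupdate at ktu.lt>\n'
    "Reply-To: accountsupdates at ymail.com\n"
    "To: undisclosed-recipients:;\n"
    "\n"
    "*Email Username :..............\n"
    "*Email Password :..............\n"
)

def domain_of(value):
    """Domain part of an address header, undoing the archive's ' at '."""
    value = re.sub(r"(\S) at (\S)", r"\1@\2", value or "")
    return parseaddr(value)[1].rpartition("@")[2].lower()

def triage(raw):
    """Return findings for a reply-to credential dropbox sent via webmail."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    if reply_dom in FREEMAIL:
        findings.append(f"freemail-reply-to:{reply_dom}")
    # The webmail hop names the account and host that really submitted the mail.
    for hop in msg.get_all("Received", []):
        m = re.search(r"authenticated user (\S+)\)\s+by\s+(\S+)", hop)
        host = m.group(2).lower() if m else ""
        if m and host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"foreign-webmail-origin:{host}:{m.group(1)}")
    body = "" if msg.is_multipart() else msg.get_payload()
    if re.search(r"password\s*:", body, re.I):
        findings.append("asks-for-password-by-reply")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

The foreign-webmail-origin finding also identifies the account whose provider should be notified, since the authenticated login is the one that sent the mail.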