I'll use a perfect example for this. Going through my "catcher account" (the email address I use to collect scammer emails) I had an email claiming "FINALLY YAHOOBeta IS HERE".
Now, a lot of people will click on the link, assuming they're being sent there by Yahoo. Not so fast, Grasshopper. Firstly, let's check the email address out.
Well, it's from a Yahoo address. That's a start at least. How about the IP address? Where does that lead to?
Well, that's fishy (or "phishy" if you will). Yahoo is in Sunnyvale, California. Wouldn't they send their emails from their own server, not Egix? I smell a rat. Now, let's look at that link. If you hover your mouse over the link, you should see the link location appear at the bottom of the browser's window.
Well, that's not right. No, not right at all. TinyURL is a brilliant site that makes long website names short. Easier for posting and sharing, but also easier for hiding the true location. If you see a link, and hovering over it doesn't give you the address it should, or if it shows up as a TinyURL, be VERY suspicious. Now, for educational purposes only, I clicked on the link. I would never advise anyone to do so in case the link installs a virus on your PC. However, I happen to be an expert. I also have a laptop that only runs Linux, so any Windows-based virus won't be able to install itself onto it. Here's the URL it sent me to.
Chembx? What the hell is that? That's not Yahoo! The site certainly LOOKS like Yahoo, though.
Let's do a whois on this, shall we? This is what we see.
Registrant:
CEEJAY COMMUNICATIONS
#24 Egbe Road
Oke-afa Isolo
Isolo, Lagos 23401
Nigeria
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: CHEMBX.COM
Created on: 21-Jun-10
Expires on: 21-Jun-12
Last Updated on: 14-Jun-11
Administrative Contact:
COMMUNICATIONS, CEEJAY
domains@ceejayhost.com #24 Egbe Road
Oke-afa Isolo
Isolo, Lagos 23401
Nigeria
+234.08085089527
Technical Contact:
COMMUNICATIONS, CEEJAY
domains@ceejayhost.com #24 Egbe Road
Oke-afa Isolo
Isolo, Lagos 23401
Nigeria
+234.08085089527
Domain servers in listed order:
NS1.CEEJAYHOST.COM
NS2.CEEJAYHOST.COM
An email has been sent to ceejayhost.com reporting the phishing site. Let's see how long it takes them to remove it.