This morning I received the following message in my Yandex.ru inbox:
I was only half awake when I read this and I almost followed the instructions in the email. But common sense prevailed: I suspected something was fishy and I decided to check this out. Turns out I was right: the address shown in the browser’s status bar when you move the cursor over the link is http://r.yandex.ru/…, which actually takes you to a page hosted by the freebie service tu1. ru. If you go directly to the address (by copying it from the browser window), you will find that there is no such site.
If you look deeper, you will find several other minor things that don’t match up:
- The email is missing at least one comma (according to Russian grammar rules);
- The email is suspicious in terms of the general rules of formal correspondence, i.e. the style of the email is strange;
- Why is the email address for “Yandex.ru Administration” email@example.com?
- If you open the link to the so-called “Yandex authorization service”, you’ll see a context ad in the upper right hand corner – an ad which is nowhere to be found on the official Yandex website.
This is a classic example of phishing. Phishing Russian services is still uncommon. As far as I can remember, this is the first mass phishing email using @yandex.ru addresses – at least of the ones that have got around spam filters. This gives phishers an element of surprise, and there’s no doubt that they’ll manage to harvest numerous passwords, even if their ploy is primitive and poorly thought out (if, for example, there are none of the careless mistakes such as the ones listed above).
It is easy to avoid phishing if you follow some simple rules: always make sure that the domain name of the link is question is authentic. In order to do this, you should not just click on it, but copy and paste it into a new browser window. If you do this, even the slickest phisher tactics used to disguise the real URL won’t work.
If you do fall for a phishing ploy and you entered your password on the page they sent the link to, change your password as soon as possible.