That Phishy Smell Is Coming from Yahoo

Updated: Opinion: It looks like Yahoo stepped into a mess when it started up its domain business. It's being taken advantage of.

Who's the phishiest hosting service on the Internet? According to Netcraft, an Internet security research and consulting firm, it's Inktomi, part of Yahoo.

That last link is a dynamic page, but I've been following it a little while, and it hasn't changed much. Most of the other players are a United Nations subcommittee of countries you'd stereotype for Internet abuse: Russia, Korea, Taiwan, Brazil, etc. Big enough to have sophisticated Internet infrastructures, loosely run enough to allow illicit operations to run rampant. (Who are the phishiest countries in the world? Netcraft monitors them too.)

So what's Yahoo's excuse? Yahoo's deserved place in this hall of shame (along with ThePlanet.com, another large U.S. hosting service) should be humbling to boastful Americans like me. We're the biggest part of the Internet, and we're the biggest part of the problems with it.

A Yahoo spokesperson said, "Phishing is an industrywide issue and one that Yahoo takes very seriously. Yahoo employs a multifaceted approach to protect consumers against phishing scams, including the use of enhanced technologies, industry collaboration efforts, legislation and litigation efforts, and increasing consumer awareness. When we learn about phishing sites, we remove them as quickly as possible. Additionally, we worked with other companies to create and implement an expedited takedown process."

The main reason all this caught my attention lately is that I have received several phishing e-mails in recent weeks, all of them targeting PayPal and all hosted on Yahoo. I have attempted to report them to Yahoo through its standard abuse reporting facilities, but these facilities are behind the times and are monitored by employees who don't get the point.

There's another part of this that's bothered me since it began, and that's the role of Melbourne IT, the Australian company for whom Yahoo resells domain registration services. The first of the phishing attempts I saw, later described in embarrassing detail by the Anti-Phishing Working Group, involved a domain named paypal-cgi.us. Obviously, domain registration is an automated process, but this is a pretty obvious infringement of a red-flag name.
