Yahoo Mail introduced two-factor authentication in December 2011. Two-factor authentication can be used to prevent suspicious access to an account (login from a different country, numerous failed login attempts, etc.) and can be used to verify a user's identity when asking for a password reset.
Two-factor authentication has been in the news a fair bit lately as LinkedIn and Twitter have recently begun to offer the feature. We encountered an example whereby a phisher actually took advantage of heightened awareness of two-factor authentication to aid in an attack. The scam involved spoofed e-mails, which claim that all Yahoo users must turn on two-factor authentication:
Phishing e-mail to Yahoo Mail users
The e-mail has a spoofed FROM address (@yahoo.com) and a fake link to http://update.yahoo.com/. The user clicking on this link is actually redirected to a phishing page at http://www.antek.com/pics/tiles/yahoo.com.html as shown below:
Yahoo phishing page
At present, this URL is blocked by Google Safe Browsing (Firefox, Chrome, Safari) but not by Internet Explorer.
Yahoo is now shutting down their Yahoo Mail classic interface and forcing users to their new e-mail platform. This will no doubt be another great opportunity for phisher to take advantage of confused users.