The following is a fairly elaborate example of phishing that seeks to steal passwords from Yahoo! It all starts with a fake email that simulates deactivating the account for the victim to click on a link:
An attentive user will notice that the URL points to a .info domainWhich is already a clear sign that something strange is happening. However, this detail could easily go unnoticed, when clicking the following page loads:
The design is very similar to that of Yahoo, anyone distracted or rushed could enter their password without noticing the deception.
There is an interesting detail of this attack, if one enters the false URL directly, the phishing page will not load. For it to load it is necessary to pass it some parameter after login_verify2, the attacker does it from the email by camouflaging the address of the victim in Base64, in addition to a message for the curious (humor is never lacking):
As we can see, it is a simple but well elaborated attack that can deceive many people. So as not to fall into these deceptions always check the links received and pay close attention to the URLs when requesting a password.
Finally I leave a screenshot of the header that is used, among other things, to see the IPs of the emails.
If you analyze you could find quite interesting things and even discover the phishing service used by the lick attacker, it could also be discovered by digging a bit in the fake domain: