
Yahoo! Data Breach Settlement: What Can We Expect from Cybercriminals?

Beware of Fake Settlement Websites

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Oct. 29, 2019

Yahoo! suffered a series of data breach attacks between 2012 and 2016, which exposed a total of 3 billion user accounts and resulted in a considerable settlement cost of US$117.5 million for the company. The users’ first and last names, email addresses, security questions and answers, passwords, and dates of birth comprised the stolen information, which put all those affected at further risk of cyber attacks, fraud, and identity theft.

Last month, Yahoo! sent out notifications detailing its data breach settlement, along with how users can file claims for benefits should they prove eligible. Affected users from the U.S. and Israel who had free email accounts registered between January 2012 and December 2016 can get between US$100 and US$25,000 provided they present proof of damage, or opt for free credit monitoring for two years. Small businesses, meanwhile, can get as much as a 25 percent cost rebate on their affected premium accounts. More details on the Yahoo! case settlement can be found on the email provider’s official website.

Filing for claims is not the end of the line though for those whose data was compromised; they would do well to watch out for instances of identity theft too.

Fake Settlement Websites: A Potential Repercussion

Cybercriminals are known for using current events and hot, timely topics such as data breach incidents and settlements as social engineering bait. Take the case of Equifax, for instance. Immediately after reports came out about the incident, scammers posing as the company’s employees asked users to verify their account information via forged emails and fake websites.

When Equifax announced settlement details and informed victims where they could file claims, several fake websites mimicking its settlement website surfaced. Those who are not cautious enough may end up exposing even more personally identifiable information (PII) instead of obtaining compensation for what they have already lost. Cybercriminals may then sell that PII in underground markets for hefty sums or use it for future attacks.

We wanted to see if the Yahoo! announcement would have the same effect. So we did a quick search using terms like “yahoo data breach settlement” and found related newly registered domains.

As early as September 1, we saw 30 active domains with misspelled variations of the keyword. We dug deeper into these domain name results (note: do not visit or share without utter caution):

The domains in the list were mostly registered in the U.S. and China. We used domain research and monitoring tools to track the progress of potential threat sources and found that the volume of potential phishing sites peaked on September 1, four days before the official settlement announcement, and gradually declined over the following weeks.

A closer look at WHOIS data revealed that these domains appear to be parked. Although we cannot explicitly say there is an ongoing cyber attack, this does not rule out the possibility either. Attackers may still be in the planning stage and may have created these domains as part of their preparation. Since victims can claim damages until July 2020, the attackers have time to lure them to fake websites. The domains could also be honeypots for further attacks.

One thing is clear, however: bulk domain registration may have been done for a typosquatting or cybersquatting attack in the works. An attacker is likely spoofing the Yahoo! settlement domain in hopes that claimants will land on the fake page through a typo. If that happens, the attacker could use the claimants’ Yahoo! credentials on the real page and keep the money. Even worse, the attacker could further distribute these victims’ details by selling the newly captured personal information through the various online dark-web databases — leading to a second round of identity abuse.
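The typo- and combo-squat patterns described above can be screened for automatically in a feed of newly registered domains. The script below is an added example, not code from the article or from WhoisXML API's products. The official settlement domain is a placeholder assumption, and every domain in the sample feed is constructed except ahoodatabreachsettlement.com, which the article names; the public-suffix handling is deliberately naive (it takes the label before the last dot).

```python
"""Flag newly registered domains that look like typo- or combo-squats of a
settlement site.  Added example, not code from the article or from WhoisXML
API.  OFFICIAL_DOMAIN is an assumed placeholder; every entry in
SAMPLE_NEW_DOMAINS is constructed except ahoodatabreachsettlement.com."""
from dataclasses import dataclass
from typing import Optional

# Assumed official settlement domain (placeholder, not taken from the article).
OFFICIAL_DOMAIN = "yahoodatabreachsettlement.example"

# Brand tokens whose joint presence in a label is suspicious on its own.
BRAND_TOKENS = ("yahoo", "settlement")

# Constructed feed of "newly registered" domains, as a brand monitor might return.
SAMPLE_NEW_DOMAINS = [
    "ahoodatabreachsettlement.com",           # named in the article (first letter dropped)
    "yahoodatabreachsettlment.com",           # constructed: missing letter
    "yah00databreachsettlement.net",          # constructed: o -> 0 substitutions
    "yahoodatabreachsettlement.net",          # constructed: same label, other TLD
    "yahoo-databreach-settlement-claim.com",  # constructed: official label plus extra word
    "yahoosettlementclaims.example",          # constructed: brand tokens combined
    "weatherreport.example",                  # constructed: unrelated, must not be flagged
    OFFICIAL_DOMAIN,                          # the assumed real site, skipped
]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def normalized_label(domain: str) -> str:
    """Lower-cased label before the last dot, hyphens removed.  Naive on
    purpose: it does not consult a public suffix list (e.g. co.uk)."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.replace("-", "")


@dataclass
class Finding:
    domain: str
    distance: int
    reason: str


def classify(domain: str, official: str, max_distance: int = 2) -> Optional[Finding]:
    """Return a Finding if `domain` looks like a squat of `official`, else None."""
    if domain.lower().rstrip(".") == official.lower():
        return None  # the real site itself
    label = normalized_label(domain)
    target = normalized_label(official)
    distance = damerau_levenshtein(label, target)
    if distance == 0:
        return Finding(domain, 0, "same label under a different TLD")
    if distance <= max_distance:
        return Finding(domain, distance, f"within {distance} edit(s) of the official label")
    if target in label:
        return Finding(domain, distance, "official label embedded with extra words")
    if all(token in label for token in BRAND_TOKENS):
        return Finding(domain, distance, "combines brand tokens " + "+".join(BRAND_TOKENS))
    return None


def scan(domains, official: str = OFFICIAL_DOMAIN):
    """Run classify() over a feed; closest matches come first."""
    findings = [f for f in (classify(d, official) for d in domains) if f]
    return sorted(findings, key=lambda f: (f.distance, f.domain))


if __name__ == "__main__":
    for finding in scan(SAMPLE_NEW_DOMAINS):
        print(f"{finding.domain:40} d={finding.distance}  {finding.reason}")
```

The edit-distance threshold catches the dropped-letter and digit-for-letter cases, the containment check catches names that wrap the whole official label in extra words, and the token rule catches recombinations that are too far away for either; each finding carries the reason so an analyst can prioritise the zero-distance different-TLD hits first.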

We looked at the WHOIS record of one of the spoofed domains (ahoodatabreachsettlement(.)com) via the same suite of products and learned the following details:

  • Date and time the domain was created, when it will expire, and when it was last updated
  • Location
  • Hostnames
  • Registrant name and contact details

The bogus domain above was created on August 31 and set to expire in one year. It was registered in California, U.S.A., by an organization called “Super Privacy Service LTD c/o Dynadot,” which is not Yahoo!. Dynadot is a large domain registration and hosting company, so if bad actors do turn out to be behind these domains, it is Dynadot that can provide more details about the clients whose privacy it is shielding here.

Law enforcement agents can use WHOIS information for further investigation. Yahoo!, meanwhile, whose brand is clearly being abused by malicious actors, can file for trademark infringement and ask the authorities to take down the sites that could put its users in even greater peril.

What Can Potential Yahoo! Settlement Claimants Do?

We’ve learned from past security incidents that bad guys always take advantage of what’s newsworthy, be it political events, pop culture trends, celebrity news, disasters, or data breaches. If you’re already a breach victim like those whose Yahoo! credentials were stolen, you don’t want to suffer even more. To avoid further damage, heed these best practices:

  • Verify if the link you wish to access is indeed the official data breach settlement website.
  • Check if the email is indeed from your account provider. Check for typos and grammatical errors in the email address and the message content.
  • Confirm if the email is legitimate, especially if it involves finance-related doings. A quick phone call to Yahoo!, for instance, would help (but don’t dial the phone number in the email, look at the Yahoo! contact page instead).
  • Never click links in, or download attachments from, emails from unknown senders. You’ll likely end up infecting your system.
  • No respectable company would ever ask you to reveal PII via email. That’s an automatic red flag that you may be dealing with a cyber attacker.
  • Use a reliable security solution to block spam, access to known malicious websites, and malware.

How Can Yahoo! Prevent Brand Abuse and Thwart Attacks?

With over 300,000 new domain registration changes occurring daily, enterprises need to take a proactive stance against ploys that abuse their brands for malicious ends. A domain brand monitoring tool can serve as the “starting point” for identifying this type of activity, so Yahoo!’s teams can immediately begin charting out potential attackers using IP, DNS, and WHOIS tools to understand their motives and the degree of the threat — i.e., whether it is phishing, brand infringement, or copyright infringement.

Once the potential attackers and their infrastructure have been identified, Yahoo! could continue to track any registrants, capture website screenshots, and gather additional digital footprints for submission to the authoritative registrars and hosting companies.
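The WHOIS fields the article pulled for the spoofed domain (creation, expiry and update dates, location, hostnames, registrant) are the same ones a brand-monitoring team would triage first for each registrant it tracks. The following is an added example, not the article's or WhoisXML API's code: a small key/value WHOIS parser and a triage function that scores a record on three signals the article points at, registration timing relative to the settlement announcement, a short (one-year) registration term, and a privacy-proxy registrant. The WHOIS record is constructed; the August 31 creation date, one-year term, California/US location and the "Super Privacy Service LTD c/o Dynadot" registrant reproduce what the article reports, while the timestamps and name servers are made up, the announcement date is derived from the article's "September 1, four days before the official settlement announcement", and the privacy-proxy keyword list is a heuristic assumption.

```python
"""Parse a WHOIS record and triage it for settlement-scam monitoring.
Added example, not from the article or WhoisXML API.  SAMPLE_WHOIS is a
constructed record; timestamps and name servers are made up."""
from collections import defaultdict
from datetime import date, datetime

SAMPLE_WHOIS = """\
Domain Name: AHOODATABREACHSETTLEMENT.COM
Creation Date: 2019-08-31T17:05:42Z
Updated Date: 2019-08-31T17:05:42Z
Registry Expiry Date: 2020-08-31T17:05:42Z
Registrant Organization: Super Privacy Service LTD c/o Dynadot
Registrant State/Province: California
Registrant Country: US
Name Server: ns1.parking.example
Name Server: ns2.parking.example
>>> Last update of WHOIS database: 2019-09-05T00:00:00Z <<<
"""

# September 1 peak + "four days before the official settlement announcement".
SETTLEMENT_ANNOUNCED = date(2019, 9, 5)

# Heuristic (assumption): substrings that usually mark a privacy/proxy registrant.
PRIVACY_HINTS = ("privacy", "proxy", "redacted", "protect")


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into {lower-case key: [values]}; repeated keys
    such as 'Name Server' accumulate.  Comment/footer lines are skipped."""
    record = defaultdict(list)
    for line in text.splitlines():
        stripped = line.strip()
        if ":" not in stripped or stripped.startswith(("%", "#", ">>>")):
            continue
        key, value = stripped.split(":", 1)
        record[key.strip().lower()].append(value.strip())
    return dict(record)


def first(record: dict, key: str):
    values = record.get(key)
    return values[0] if values else None


def parse_whois_date(value: str) -> date:
    # Registry timestamps are ISO 8601 with a trailing Z; date part is enough here.
    return datetime.fromisoformat(value.rstrip("Z")).date()


def triage(record: dict, event: date = SETTLEMENT_ANNOUNCED, window_days: int = 14) -> dict:
    """Summarise the fields an analyst reads first and flag three signals."""
    created = parse_whois_date(first(record, "creation date"))
    expires = parse_whois_date(first(record, "registry expiry date"))
    registrant = first(record, "registrant organization") or first(record, "registrant name") or ""
    days_before = (event - created).days
    location = ", ".join(
        v for v in (first(record, "registrant state/province"), first(record, "registrant country")) if v
    )
    return {
        "domain": (first(record, "domain name") or "").lower(),
        "created": created,
        "expires": expires,
        "location": location,
        "registrant": registrant,
        "name_servers": [ns.lower() for ns in record.get("name server", [])],
        "days_before_event": days_before,
        # Registered shortly before or after the announcement.
        "registered_near_event": abs(days_before) <= window_days,
        # Minimum one-year term; 366 covers a leap year.
        "short_registration": (expires - created).days <= 366,
        "privacy_proxy": any(hint in registrant.lower() for hint in PRIVACY_HINTS),
    }


def risk_score(summary: dict) -> int:
    """Number of triage signals that fired (0-3); used to rank a watch list."""
    return sum(summary[k] for k in ("registered_near_event", "short_registration", "privacy_proxy"))


if __name__ == "__main__":
    result = triage(parse_whois(SAMPLE_WHOIS))
    print(f"{result['domain']}: score {risk_score(result)}/3")
    for key, value in result.items():
        print(f"  {key:22} {value}")
```

None of the three signals proves abuse on its own (plenty of legitimate registrants use privacy services and one-year terms), which is why the score ranks domains for a human rather than blocking them; the parsed location, registrant and hostnames are what the article says goes into a takedown or trademark complaint.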

With an entire suite of domain research and monitoring tools, any business can secure their intellectual property and protect their brand image and reputation, along with their customers’ data even before attacks are carried out. By thwarting potential brand abusers, they can be assured that their customers won’t fall for phishing and other cyber attacks that exploit their popularity.


Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, a trusted intelligence vendor by over 50,000 clients.

Sponsored by Whois XML API

Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive cyber-security package that offers maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection and data intelligence enrichment across a variety of SIEM, orchestration, automation and threat intelligence platforms.