If the user follows the link, they’re presented with an authentic-looking login page where the phishing attack takes place. The username and password entered here are delivered to the attackers for further exploitation. With these credentials, criminals can hijack paid advertisements, replacing legitimate ads with their own malicious links or code.
The “hook” in this scam is a classic warning of impending account closure. The domain being used to serve the phishing attack was registered only today, but has an authentic ring to it. The URLs also use a marketingsolutions.yahoo subdomain to make the URL seem more authentic.
At the time of detection, none of the major search engines or public phishing lists flagged this URL as malicious.
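Because blocklists lag behind freshly registered domains, the two traits described above (a brand name used as a subdomain of an unrelated domain, and a very recent registration date) can be checked directly. The following is an added example, not code from the original post. The brand table, the 30-day threshold, the hostnames and the dates are all constructed, and the registrable domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
from datetime import date
from urllib.parse import urlsplit

# Assumption: registrable domains each brand really owns (constructed table).
BRAND_DOMAINS = {"yahoo": {"yahoo.com"}}
NEW_DOMAIN_DAYS = 30  # assumed cut-off for "recently registered"


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: production code would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def score_url(url, registered_on, today):
    """Return the reasons a URL matches the lure pattern (empty list = none)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registrable_domain(host)
    # Tokens from the subdomain labels only, split on hyphens as well.
    tokens = {t for label in host.split(".")[:-2] for t in label.split("-")}
    reasons = []
    for brand, owned in BRAND_DOMAINS.items():
        if brand in tokens and reg not in owned:
            reasons.append(f"brand '{brand}' appears as a subdomain of {reg}")
    if registered_on is not None:
        age = (today - registered_on).days
        if age <= NEW_DOMAIN_DAYS:
            reasons.append(f"{reg} was registered {age} day(s) ago")
    return reasons


# Constructed samples: (URL, registration date from WHOIS/RDAP or None).
TODAY = date(2024, 1, 10)
SAMPLES = [
    ("https://marketingsolutions.yahoo.account-review.example/login", TODAY),
    ("https://marketingsolutions.yahoo.com/", date(2000, 1, 1)),
    ("https://news.account-review.example/", None),
]

if __name__ == "__main__":
    for url, registered in SAMPLES:
        hits = score_url(url, registered, TODAY)
        print(url, "->", hits or "no findings")
```

The registration date has to come from a WHOIS or RDAP lookup performed elsewhere; the function only scores what it is given.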