Online Trust Takes a Hit in Gmail Chat Phishing

Security expert are warning that a phishing attack on Google’s Gmail’s chat feature not only poses a danger to users, but could be a harbinger of things to come.

The attackers sent victims an instant message urging them to click a TinyURL link to check out a video. TinyURL.com is a service that shortens lengthy hyperlinks, making them easier to remember and share. But it’s also been used in a number of recent cases to obscure the origin of malicious links.

Clicking on that link then took victims to a Web site, ViddyHo.com, where they were asked for their Google (NASDAQ: GOOG) Account user name and password, according to Graham Cluley, a senior technology consultant at security consultancy Sophos.

Experts said that as a result of the attack, hackers could leverage the identities they steal to spawn new threats — with the added advantage that they’ll be originating from Google sites.

“The phishers behind the ViddyHo attack can use the stolen accounts to send spam through Gmail and host malware on Google Blogspot sites,” Stephan Chenette, manager of security research at Internet security vendor Websense (NASDAQ: WBSN), told InternetNews.com.

The attack comes as the latest example of how phishers and hackers are seeking ways to leverage Web sites’ good names to nefarious ends. Security experts say that attacks through social networking sites and other trusted sources such as Google threaten to break the trust model on which the Web is based.

“We’ll see even more of these attacks in 2009,” Chenette said.

Sophos’ Cluley told InternetNews.com that hackers are especially eager to take advantage of users’ relationships through instant messaging and social networking sites.

“You’re more likely to click on an IM or message from a friend than a stranger,” he said.

Tracking a phisher

It’s unclear who’s responsible for this latest attack. According to WHOIS records, the ViddyHo.com site is owned by a company called HappyAppy, and is hosted by free domain name server (DNS) and Web host FreeDNS.afraid.org.

Calls to the contact listed in WHOIS for HappyAppy were not returned by press time.

Joshua Anderson, FreeDNS.afraid.org’s senior administrator, told InternetNews.com in an e-mail that his organization suspended HappyAppy’s account Tuesday afternoon after learning the domain could have been used for the attack.

Anderson said he has yet to hear from ViddyHo.com’s owner. However, he added said that HappyAppy may not necessarily be responsible for the attack, since its site may have been hacked.

“If this is the case, we hope the domain owner is able to safely correct and mitigate the issue so that service may be restored,” Anderson said. “The DNS was suspended only to mitigate any possible threat to the Internet as per our terms of service.”

Page 2: Trust under siege

Page 2 of 2

Other parties impacted by the attack also said they responded rapidly.

A Google spokesperson told InternetNews.com in an e-mail that the Web search giant has blocked the addresses used to send the phishing messages.

“Users of Firefox, Safari and Google Chrome will receive a phishing warning when trying to visit the ViddyHo.com site,” the spokesperson said. “We have also identified ViddyHo.com in our search results as a phishing site.”

The spokesperson added that Gmail users who entered their information at ViddyHo.com should change their Google Account password and update their security question.

For Google, the attack marks the third time in a month that it’s had to cope with high-profile problems. On Tuesday, the Internet search giant’s Gmail service suffered a service outage lasting several hours. On Jan. 31, a Google engineer accidentally caused the search engine to erroneously label every site in its search results as hosting malware.

TinyURL founder and owner Kevin Gilbertson told InternetNews.com that he immediately blocked URLs going to ViddyHo.com after getting e-mails complaining about the phishing attack. He also said that the attackers generated around 9,500 different URLs leading to ViddyHo.com.

The latest phishing ploy is also the most recent in a string of high-profile attacks involving TinyURL. A phishing attack that hit thousands of users of the Twitter micro-blogging service in January was successful because victims clicked on a truncated TinyURL purporting to have been sent by their friends.

Another exploit in February relied on TinyURL to hijack Twitter users’ status to spread itself around the microblogging network.

In both cases, the truncated URL from TinyURL used by ViddyHo helped disguise the attack. “It’s difficult to know where you’re going when you see a truncated URL,” Sophos’ Cluley said.

However, TinyURL’s Gilbertson contends that using the truncated URL could actually offer an additional layer of protection to users, because there is one more entity that can discover abuse sooner and take action.

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web