tag:,2009:/1/tag:www.readwriteweb.com,2009://1.13987- 2009-11-23T17:31:06Z Comments for Updated: Google Talk Worm Origin Found? Movable Type 4.23-en tag:www.readwriteweb.com,2009://1.13987 2009-02-24T22:37:24Z 2009-02-25T10:18:42Z Updated: Google Talk Worm Origin Found? "Hey check out this video! http://tinyurl.com/xyz,"; says an old friend by Google Talk IM. Well sure, you think, I'd love to see a video from you - it's been a long time! Maybe you got an IM like that this afternoon, too. Maybe you got six. There's nothing wrong with clicking on such a link,... Marshall Kirkpatrick http://www.readwriteweb.com googletalklogo105-2.jpg"Hey check out this video! http://tinyurl.com/xyz,"; says an old friend by Google Talk IM. Well sure, you think, I'd love to see a video from you - it's been a long time! Maybe you got an IM like that this afternoon, too. Maybe you got six.

There's nothing wrong with clicking on such a link, but when the site that loads as a result, Viddyho.com, asks for your Google Talk username and password in order to view the video - then you should know that trouble is afoot. Surprisingly, a whole lot of tech savvy people fell for it today. Update: The Harvard Crimson says it has unearthed the person responsible for the Viddyho worm.

]]> Daniel Carroll reported tonight on the Harvard Crimson newspaper's site that he did a little tracing backwards, further than other reporters on the story had, and found that a San Franciscan named Hoan Ton-That appears to be responsible for the site that was harvesting the user credentials of worm victims. Ton-That's web hosting account has been suspended, Carroll reports that he's learned from the company. The alleged author of the worm didn't respond to his requests for comment but has a twitter account here and apparently was in this author's home town of Portland, Oregon just last week. (We were not plotting the attack together, I swear.) Ton-That's Twitter bio reads: "Anarcho-Transexual Afro-Chicano American Feminist Studies Major" - which sounds like either an immature joke or a pretty bad ass bio to us.

The Tech Issues

We do think there are some big issues to discuss here, too, though.

The fact that many otherwise tech savvy people are falling for this trap shows that legitimate experiments in user authentication (like OpenID) still have a whole lot of explaining to do and secure APIs need more adoption. This could just as easily have been Facebook or Twitter that hijacked your Google Talk account - we give them our passwords and just trust that they won't.

gtalkphishing.jpg

]]> tag:www.readwriteweb.com,2009://1.13987-comment:127711 Comment from Elijah Grey on 2009-02-24 Elijah Grey http://eligrey.com/ I'm sorry, but I think you are confused on how OpenID works. You only enter your OpenID URI at the website you want to log on to using OpenID. You never enter a password until you get to your OpenID host, which doesn't tell the website that you just logged onto what it is.

]]> 2009-02-24T23:21:04Z tag:www.readwriteweb.com,2009://1.13987-comment:127712 Comment from Marshall Kirkpatrick on 2009-02-24 Marshall Kirkpatrick Elijah, *I* know how OpenID works just fine. I can give you a list of respected people in tech who are confused, though, judging from their susceptibility to this attack. I'm pretty sure that anyone who hands over their GTalk pw in this case did so because they are confused about how 3rd party authentication systems, like OpenID, work.

]]> 2009-02-24T23:27:28Z tag:www.readwriteweb.com,2009://1.13987-comment:127718 Comment from Michelle Murrain on 2009-02-24 Michelle Murrain http://zenofnptech.org Marshall, that's not it at all. I'm a tech person who knows full well how OpenID works, and I use it whenever I am able to. The link came from a good friend (also a geek), so I trusted it. And people who trusted me fell for it too.

It's pure and simple social engineering. And it worked. (Well, only once. Probably never again.)

Yes, if *every* site used OpenID, then this wouldn't work, but we're still in the realm where most don't.

]]> 2009-02-24T23:56:55Z tag:www.readwriteweb.com,2009://1.13987-comment:127720 Comment from mike "glemak" dunn on 2009-02-24 mike "glemak" dunn http://friendfeed.com/glemak ah that explains it - thanks

]]> 2009-02-25T00:08:00Z tag:www.readwriteweb.com,2009://1.13987-comment:127728 Comment from Marshall on 2009-02-24 Marshall Testing Facebook Connect comment - hopefully someday OpenID will be as clear and simple as this is.

]]> 2009-02-25T01:46:40Z tag:www.readwriteweb.com,2009://1.13987-comment:127731 Comment from Luke on 2009-02-24 Luke http://blog.vidoop.com If I can compromise one account on a trusted network, in time I can arguably compromise everyone.

For example: I compromise your FB account. I send a link to all of your friends saying watch this (your favorite band) music video. The majority click the link. The site says they need to update their flash player. They click the "make it work" button. I install malicious keylogger. I now have access to everything.

If I can easily attack and exploit a trusted network, then how can you call it trusted?

This is why "strong authentication" (something more than a password) is soooooo important. It makes it much harder for a hacker to harvest account credentials.

]]> 2009-02-25T02:15:56Z tag:www.readwriteweb.com,2009://1.13987-comment:127771 Comment from Tien on 2009-02-25 Tien His name is definitely Vietnamese. Heh

]]> 2009-02-25T11:21:49Z tag:www.readwriteweb.com,2009://1.13987-comment:127782 Comment from ITrush on 2009-02-25 ITrush http://www.itrush.com Got ya! anywayz, this serves as a reminder to all of us to check everything before giving personal infos.

]]> 2009-02-25T13:53:17Z tag:www.readwriteweb.com,2009://1.13987-comment:127793 Comment from Zack B. on 2009-02-25 Zack B. http://twitter.com/zebee Yep, agree with Michelle here. What made this such an effective scam was that the links were coming from trusted sources.

Sorry, but if it had been one of my 600 FB "friends" there's no way I would have fallen for it, but since it came from a trusted colleague in Gchat I didn't think twice about it. I actually thought she was promoting a podcast she was on and I needed to login to be able to comment in real time.

It has been probably 10 years since I've fallen for anything like this, and luckily the consequences (so far) haven't been too bad - aside from spamming the rest of my friends.

Needless to say, this is the last time!

]]> 2009-02-25T15:01:27Z tag:www.readwriteweb.com,2009://1.13987-comment:127870 Comment from Janet Altman on 2009-02-25 Janet Altman Listen, this is an age old problem that's not going to be eliminated overnight. You can't stop people out there from devising these things.

You CAN however continue to devise digital security to begin to keep up with it.

I think it's more of a maintenance thing.

I was browsing http://www.justaskgemalto.com recently and found a great deal of information.

I guess we just have to keep trying.

]]> 2009-02-26T01:20:31Z tag:www.readwriteweb.com,2009://1.13987-comment:128849 Comment from Chris on 2009-03-05 Chris http://www.weirdwarp.com Ridiculuous, who would fall for that? As the links were from trusted sources though it probably would have been me.

]]> 2009-03-05T09:38:13Z tag:www.readwriteweb.com,2009://1.13987-comment:129384 Comment from Lee on 2009-03-10 Lee FYI, this phishing scam has resurfaced.

I was not aware of this scam until this morning, 3/10/09, when a friend passed me the link.

NOTE: the NEW domain being used is

FASTFORWARDED.com

Registered on 2/24/09

http://whois.domaintools.com/fastforwarded.com

]]> 2009-03-10T16:42:24Z tag:www.readwriteweb.com,2009://1.13987-comment:130804 Comment from Emily on 2009-03-24 Emily http://www.globalcrypto.com I think the simplest way to avoid your information being comprised in this way is to simply ask the source before you enter your information. There will always be a more clever scheme, but direct communication with a known associate is hard to manipulate

]]> 2009-03-24T17:35:21Z