ReadWriteWeb

Updated: Google Talk Worm Origin Found?

Written by Marshall Kirkpatrick / February 24, 2009 2:37 PM / 13 Comments

"Hey check out this video! http://tinyurl.com/xyz," says an old friend by Google Talk IM. Well sure, you think, I'd love to see a video from you - it's been a long time! Maybe you got an IM like that this afternoon, too. Maybe you got six.

There's nothing wrong with clicking on such a link, but when the site that loads as a result, Viddyho.com, asks for your Google Talk username and password in order to view the video - then you should know that trouble is afoot. Surprisingly, a whole lot of tech-savvy people fell for it today. Update: The Harvard Crimson says it has unearthed the person responsible for the Viddyho worm.

Daniel Carroll reported tonight on the Harvard Crimson newspaper's site that he did a little tracing backwards, further than other reporters on the story had, and found that a San Franciscan named Hoan Ton-That appears to be responsible for the site that was harvesting the user credentials of worm victims. Carroll reports that he has learned from the hosting company that Ton-That's web hosting account has been suspended. The alleged author of the worm didn't respond to his requests for comment, but has a Twitter account here and apparently was in this author's home town of Portland, Oregon just last week. (We were not plotting the attack together, I swear.) Ton-That's Twitter bio reads: "Anarcho-Transexual Afro-Chicano American Feminist Studies Major" - which sounds like either an immature joke or a pretty badass bio to us.

The Tech Issues

We do think there are some big issues to discuss here, too, though.

The fact that many otherwise tech-savvy people are falling for this trap shows that legitimate experiments in user authentication (like OpenID) still have a whole lot of explaining to do, and that secure APIs need more adoption. This could just as easily have been Facebook or Twitter that hijacked your Google Talk account - we give them our passwords and just trust that they won't.



Comments


  1. I'm sorry, but I think you are confused on how OpenID works. You only enter your OpenID URI at the website you want to log on to using OpenID. You never enter a password until you get to your OpenID host, which doesn't tell the website that you just logged onto what it is.

    Posted by: Elijah Grey | February 24, 2009 3:21 PM



  2. Elijah, *I* know how OpenID works just fine. I can give you a list of respected people in tech who are confused, though, judging from their susceptibility to this attack. I'm pretty sure that anyone who hands over their GTalk pw in this case did so because they are confused about how 3rd party authentication systems, like OpenID, work.

    Posted by: Marshall Kirkpatrick | February 24, 2009 3:27 PM



  3. Marshall, that's not it at all. I'm a tech person who knows full well how OpenID works, and I use it whenever I am able to. The link came from a good friend (also a geek), so I trusted it. And people who trusted me fell for it too.

    It's pure and simple social engineering. And it worked. (Well, only once. Probably never again.)

    Yes, if *every* site used OpenID, then this wouldn't work, but we're still in the realm where most don't.

    Posted by: Michelle Murrain | February 24, 2009 3:56 PM



  4. ah that explains it - thanks

    Posted by: mike "glemak" dunn (posted on FriendFeed) | February 24, 2009 4:08 PM



  5. Testing Facebook Connect comment - hopefully someday OpenID will be as clear and simple as this is.

    Posted by: Marshall | February 24, 2009 5:46 PM



  6. If I can compromise one account on a trusted network, in time I can arguably compromise everyone.

    For example: I compromise your FB account. I send a link to all of your friends saying watch this (your favorite band) music video. The majority click the link. The site says they need to update their flash player. They click the "make it work" button. I install malicious keylogger. I now have access to everything.

    If I can easily attack and exploit a trusted network, then how can you call it trusted?

    This is why "strong authentication" (something more than a password) is soooooo important. It makes it much harder for a hacker to harvest account credentials.

    Posted by: Luke | February 24, 2009 6:15 PM



  7. His name is definitely Vietnamese. Heh

    Posted by: Tien | February 25, 2009 3:21 AM



  8. Got ya! anywayz, this serves as a reminder to all of us to check everything before giving personal infos.

    Posted by: ITrush | February 25, 2009 5:53 AM



  9. Yep, agree with Michelle here. What made this such an effective scam was that the links were coming from trusted sources.

    Sorry, but if it had been one of my 600 FB "friends" there's no way I would have fallen for it, but since it came from a trusted colleague in Gchat I didn't think twice about it. I actually thought she was promoting a podcast she was on and I needed to login to be able to comment in real time.

    It has been probably 10 years since I've fallen for anything like this, and luckily the consequences (so far) haven't been too bad - aside from spamming the rest of my friends.

    Needless to say, this is the last time!

    Posted by: Zack B. | February 25, 2009 7:01 AM



  10. Listen, this is an age old problem that's not going to be eliminated overnight. You can't stop people out there from devising these things.

    You CAN however continue to devise digital security to begin to keep up with it.

    I think it's more of a maintenance thing.

    I was browsing http://www.justaskgemalto.com recently and found a great deal of information.

    I guess we just have to keep trying.

    Posted by: Janet Altman | February 25, 2009 5:20 PM



  11. Ridiculous, who would fall for that? As the links were from trusted sources though it probably would have been me.

    Posted by: Chris | March 5, 2009 1:38 AM



  12. FYI, this phishing scam has resurfaced.

    I was not aware of this scam until this morning, 3/10/09, when a friend passed me the link.

    NOTE: the NEW domain being used is

    FASTFORWARDED.com

    Registered on 2/24/09

    http://whois.domaintools.com/fastforwarded.com

    Posted by: Lee | March 10, 2009 9:42 AM



  13. I think the simplest way to avoid your information being compromised in this way is to simply ask the source before you enter your information. There will always be a more clever scheme, but direct communication with a known associate is hard to manipulate.

    Posted by: Emily | March 24, 2009 10:35 AM


