So today when I logged into Thunderbird to check my email, what do I see but a notification from Orkut asking me to verify my account or else it will be deleted.
The same old phishing scam, of the kind that seems to be a dime a dozen these days. The email is pasted below as it is:
Dear <my actual account name>,
Your orkut account is under consideration for temporarily deactivation due to unlimited invalid attempts to login. If you have forgot your password, click here. [actual link to Google]
If you feel this is wrong, it means somebody else has tried to gain invalid access to your account. For further inconvenience and security reasons, you are requested to verify your orkut account now. Please use the link given below for your account verification and login.
Click here to verify your orkut account. [The bait link comes here, and points to – http://orkutverifyuser.elementfx.com/google_accountsF3s2service3s2orkut/]
If you are not verifying your account, it will be permanently deactivated as per our Terms of Service. [Actual link]
This is an automatically generated message, please do not reply.
* * *
To control notification emails, access your Account Settings:
http://www.orkut.com/Settings.asp [Actual link]
Note the incorrect URL – http://orkutverifyuser.elementfx.com: the actual domain is elementfx.com, not orkut.com; "orkutverifyuser" is just a subdomain name chosen to look official.
Earlier I had come across a slightly different variant of the same scam. I remember I had eagerly sat down to unravel the inner dynamics of it. Unlike the present one, the whole thing was pretty amateurish.
Basically anybody who knew the right websites and a little bit of HTML could create a fake website with a form mailer on a shared hosting provider that offered free hosting.
Using basic social engineering techniques, other users could be fooled into entering their details on the fake page, which would then do two things – mail the credentials to the script kiddie and redirect the unsuspecting victim to a genuine "login failed" page.
The scam had led to a pretty intense ‘cyber war’ between members from India and Pakistan on Orkut, with each group actively working at enticing the moderators of rival communities to click on links and enter their login credentials.
I tried studying the latest scam, but the actual form which emails the credentials is in a .php file and has restricted access. [<form method="POST" action="FR2userverifyFR2codeD0ab2541gs23y6785.php">] Somebody sure went to great lengths to achieve the ISO in phishing, if ever there was one.
Summing It Up
The bad part first.
– The email contained my name as entered in the Orkut account. Usually fake emails contain something generic such as "Dear Orkut User". If the scammers have been able to harvest account names from Orkut, it could mean a potential breach of the site.
– The hosting service seems to have already disabled the account. If you enter just the domain name (without the path) in the browser, that’s the message you get.
– Normally I use Firefox for personal browsing, but for this link I specifically used IE. The antivirus installed on my laptop immediately found that the site was potentially dubious and gave me a warning.