OpenID being Imitated in New Spam Wave

Security researchers from Barracuda Labs state that one new spam campaign is enticing end-users onto a malevolent website, which attempts at duplicating one service called the OpenID, in anticipation that potential victims would believe the spammers' assertion.

It maybe noted that OpenID serves websites in doing away with crafting user accounts for their own. Rather, it lets the clients of those sites access other websites via entering their login credentials. These other websites can be Gmail, Yahoo, Facebook or Twitter.

Based on the known idea about people generally being unaware of the OpenID's working process, the victims become effectively lured into giving away their credentials.

The spam mails appear as some real estate firm's offer for visiting the freshly-built properties in the recipients' locality that are also attractive and inexpensive and so ready to be traded. Alternatively, the e-mails provide a fake warning about certain UPS parcel under track. Once users click on the given web-link, they land on a bogus web-page apparently for logging in, but that page has a hijacked website hosting it.

Following the selection of OpenID, a particular page for logging in opens in the browser which tries to be the exact copy of the original.

When the researchers at Barracuda conducted an experiment wherein they chose Yahoo, there was an instant prompt for them to provide their Yahoo login details, although in the process some JavaScript got injected to the web-page. Nevertheless, the OpenID authentication doesn't use this way to work. For, if the authentication was genuine then the researchers would've been taken onto one protected Yahoo page that requested the credentials.

But, the researchers' credentials were hastily transmitted elsewhere that was a hijacked Internet-connected PC from where they'd go to the phishing scammer. Meanwhile, the Web-browser would keep on showing the actual website so there's no suspicion by the Internaut, the security experts elaborate.

And while the advantage of OpenID is in not having to create, alternatively create less of user-accounts, the disadvantage could be in users proceeding to select such a provider of OpenID that facilitates the exploitation of login details via an unsecured server connection, the experts conclude.

» SPAMfighter News - 5/15/2012