The old X Files adage aptly applies to the Internet these days: Trust no one. Some Gmail users, already miffed about previous service outages, were invited through Google Talk to watch a video by clicking a link. Of course, bad news awaited.
It could have been really bad news if they’d actually followed the destination site’s instructions to enter their Gmail passwords. Called ViddyHo, the website is an obvious phishing ploy to those in the know. But those trusting who appear to be old buddies may have thought it was another application service that asks for access to your email box to populate friends lists.
In this case, it was the old Rickroll out of control. In addition to appearing to be a message from friend, the URL was shortened so that the clicker had no indication of where he or she was clicking out to.
One victim said he thought the message was a from a guy he hadn’t seen in years, and couldn’t resist the enticing LOL that preceded it. Another accompanying message stated “Check this out.”
This latest attack shows that scammers have moved beyond spam and other classic techniques and have begun targeting large, respected companies and social media. Their biggest weapons are various URL shorteners, which reduce and redirect to long URL strings that won’t fit into a microblogging or status update field with character limits. While convenient to regular users, they can be dangerous because a clicker doesn’t know where the link is leading him.
Shortened URLs have left Twitter and Facebook users especially vulnerable.
TinyURL, the service used in the Google Talk attack, blocked links from resolving to the ViddHo site in response. Perhaps the best way to check shortened URLs is to use LongURL.org to verify or to install a Firefox extension that reveal the destination URL upon a mouseover.
