Phishers hooking Facebook, Twitter, Google, Yahoo passwords

Summary: Phishers are actively trawling the Internet trying to trick users into giving up the OpenID-based log-in credentials they use at popular social networking sites.


Scammers have launched a campaign preying on users of OpenID in an attempt to steal log-in credentials, according to Barracuda Labs.

Barracuda security researchers Dave Michmerhuizen and Luis Chapetti say they are seeing specially built log-in pages that appear similar to pages used as part of the OpenID authentication process. When users type in their credentials, the data is collected by a rogue website, which sends back a message that the credentials have been validated.

OpenID is a protocol that lets a user log into one Web site (the relying party) with credentials held by another Web site (the identity provider) - typically Facebook, Twitter or Google.

The researchers said the scam uses one of two e-mail messages. One directs users to a compromised real estate page in Australia; the other poses as a UPS notification and redirects users to a fake UPS log-in page.

The scam does not expose a weakness in the OpenID protocol, but is taking advantage of users' lack of familiarity with the credential exchange process.

Typically, a user who wants to sign in to - or authenticate to - a Web site is redirected by that site to a log-in screen served from the domain of the Web site that holds the identity, known as the identity provider (IdP). The user enters their credentials there, and only there, before being sent back to the site they wanted.

The scam uses some on-page JavaScript to present a log-in form carrying the logos of IdPs such as Facebook and Google, but the user is never taken to the IdP's domain as they would be in a genuine OpenID authentication; the form is drawn inside the scammer's own page.

Users can tell the log-in page is a fraud by the lack of a browser bar: because the form is embedded in the scammer's page rather than loaded as the top-level document, there is no address bar above it showing the IdP's domain. A genuine OpenID log-in is a full-frame redirect to the IdP, so the address bar always shows the IdP's address while the password is being typed.

"OpenID originally only supported full-frame redirection to the IdP to try and make the browser bar clear," says John Bradley, treasurer at the OpenID Foundation. (Disclaimer: Bradley accepted a position with my employer, Ping Identity, last week.) "While some IdPs support a popup window with browser bar, none should support an iframe."

In addition, users who are already logged into their IdP should never be asked to enter their credentials again.

"IdPs are trying to train users that when they go to a [web page] they should only see a consent page and not be asked for their credentials again if they are already logged in," Bradley said.
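As an added example (not code from the article, from Barracuda Labs or from the OpenID Foundation), the JavaScript below models the full-frame redirect described above and turns the tells the article lists into a single check: a password form that is framed, not on the IdP's domain, not on https, or shown to a browser that already has an IdP session. The OpenID 2.0 parameter names are the real ones; the hostnames, the relying party and the three prompt scenarios are constructed for this example.

```javascript
// Added example, not from the article: models the OpenID 2.0 checkid_setup
// redirect and the checks a user (or a browser extension acting for one) can
// apply to any page that asks for IdP credentials. All hostnames are placeholders.

const OP_ENDPOINT = 'https://idp.example/openid';          // assumed IdP endpoint
const RP_RETURN_TO = 'https://shop.example/openid/return'; // assumed relying party

// The relying party (RP) sends the browser to the IdP with a full-frame redirect;
// the address bar then shows the IdP's domain while the user types a password.
// Parameter names are the real OpenID 2.0 ones; the values are assumed.
function buildCheckidSetupUrl(opEndpoint, { claimedId, returnTo, realm }) {
  const url = new URL(opEndpoint);
  url.searchParams.set('openid.ns', 'http://specs.openid.net/auth/2.0');
  url.searchParams.set('openid.mode', 'checkid_setup');
  url.searchParams.set('openid.claimed_id', claimedId);
  url.searchParams.set('openid.identity', claimedId);
  url.searchParams.set('openid.return_to', returnTo);
  url.searchParams.set('openid.realm', realm);
  return url.toString();
}

// `prompt` describes the document that contains a password field:
//   pageUrl       - URL of that document (what the address bar shows when it is top-level)
//   framed        - true if it sits inside an iframe (in a page: window.top !== window.self)
//   hasIdpSession - true if the browser already holds a login session at the IdP
// Returns the reasons the prompt should not be trusted; an empty list means it
// looks like a genuine IdP log-in.
function assessCredentialPrompt(prompt, opEndpoint) {
  const page = new URL(prompt.pageUrl);
  const op = new URL(opEndpoint);
  const reasons = [];
  if (prompt.framed) {
    reasons.push('form is inside an iframe; an OpenID IdP never prompts in a frame');
  }
  if (page.protocol !== 'https:') {
    reasons.push('form is not served over https');
  }
  if (page.hostname !== op.hostname) {
    reasons.push(`form is on ${page.hostname}, not the IdP domain ${op.hostname}`);
  }
  if (prompt.hasIdpSession) {
    reasons.push('browser already has an IdP session; only a consent page is expected, not a password prompt');
  }
  return { legitimate: reasons.length === 0, reasons };
}

// Constructed scenarios.
// 1. Genuine flow: the RP redirected the top-level window to the IdP.
const genuinePrompt = {
  pageUrl: buildCheckidSetupUrl(OP_ENDPOINT, {
    claimedId: 'https://idp.example/alice',
    returnTo: RP_RETURN_TO,
    realm: 'https://shop.example/',
  }),
  framed: false,
  hasIdpSession: false,
};

// 2. The article's scam: IdP logos on a form drawn inside a compromised page.
const scamPrompt = {
  pageUrl: 'http://realestate.example/listing.html', // assumed compromised site
  framed: true,
  hasIdpSession: false,
};

// 3. A lookalike on https and top-level, but on the wrong domain, shown to a
//    user whose browser is already signed in at the real IdP.
const lookalikePrompt = {
  pageUrl: 'https://idp-example.example/openid', // assumed lookalike domain
  framed: false,
  hasIdpSession: true,
};

for (const [name, p] of Object.entries({ genuinePrompt, scamPrompt, lookalikePrompt })) {
  console.log(name, assessCredentialPrompt(p, OP_ENDPOINT));
}
```

In a real page the `framed` flag is `window.top !== window.self`. An IdP can make Bradley's "none should support an iframe" enforceable rather than advisory by sending `X-Frame-Options: DENY` or a `Content-Security-Policy: frame-ancestors 'none'` header with its log-in page, so a framed copy of it does not render at all; that does nothing against a form the scammer draws himself, which is why the domain and session checks still matter.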

The OpenID Foundation, which is nearing completion of a new and more robust OpenID specification called OpenID Connect, is working on a standard user interface called Account Chooser intended to provide a uniform log-in page for all OpenID users and providers.

The Barracuda Lab researchers said in their report that "there are excellent reasons to use OpenID. Website administrators don't have to store and care for a password for your account, and you can reduce the number of user accounts and passwords that you manage."

But they warned that users need to be "very observant and make certain that your credentials are being requested using a secure connection to the [IdP's] servers."



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • Identity

    I take away from this a practice that may seem tedious but that I maintain: to set up a separate login for each individual site that I want to log in to, and not to log in with credentials from any other site.
  • Netsso is easier, safer for managing passwords

    Rather than use the same username/password everywhere - whether it be OpenID, Facebook, or whatever... just use complex, different credentials for different destinations and then record them in your, and let Netsso remember and enter them for you and log you in to the places you want to go to, from any PC, with a double click. Then, the only credentials you have to remember will be your Netsso ones. It's a single sign-on personal private web portal. (Disclaimer: I work there!)