Phishers hooking Facebook, Twitter, Google, Yahoo passwords

Phishers are actively trolling the Internet trying to trick users into giving up their OpenID-based log-in credentials to popular social networking sites.

Scammers have launched a campaign preying on users of OpenID in an attempt to steal log-in credentials, according to Barracuda Labs.

Barracuda security researchers Dave Michmerhuizen and Luis Chapetti say they are seeing specially built log-in pages that appear similar to pages used as part of the OpenID authentication process. When users type in their credentials, the data is collected by a rogue website, which sends back a message that the credentials have been validated.

OpenID is a protocol that allows users to log into one Web site (the relying party) using their credentials from another Web site, the identity provider, typically a large consumer service such as Google or Yahoo. The same delegated sign-in pattern, and the same phishing risk, applies to the Facebook and Twitter log-in buttons that the scam imitates, although those providers use related OAuth-based protocols rather than OpenID itself.

The researchers said the scam uses one of two e-mail lures. One directs users to a compromised real estate page in Australia, and the other appears to be a UPS notification and redirects users to a fake UPS log-in page.

The scam does not expose a weakness in the OpenID protocol; it takes advantage of users' lack of familiarity with what a genuine credential exchange looks like.

Typically, a user who wants to sign in to (authenticate to) a Web site is redirected to a log-in screen served from the domain of the site that holds the identity, known as the identity provider (IdP). The user enters their credentials there, on the IdP's own domain, never on the site they are trying to use.

The scam uses on-page JavaScript to present a log-in form carrying the logos of IdPs such as Facebook and Google, but the form is served from the attacker's page rather than from the IdP's domain, as it would be in a genuine OpenID authentication.

Users can tell the log-in page is a fraud by the lack of a browser address bar: the form is embedded in the attacker's page, so there is no bar showing which domain is actually asking for the password.

"OpenID originally only supported full-frame redirection to the IdP to try and make the browser bar clear," says John Bradley, treasurer at the OpenID Foundation. (Disclaimer: Bradley accepted a position with my employer, Ping Identity, last week.) "While some IdPs support a popup window with browser bar, none should support an iframe."

In addition, users who are already logged into their IdP should never be asked to enter their credentials again; a genuine IdP with an existing session shows only a consent page.

"IdPs are trying to train users that when they go to a [web page] they should only see a consent page and not be asked for their credentials again if they are already logged in," Bradley said.
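As an added example (not code from Barracuda Labs, the OpenID Foundation or any IdP), the following JavaScript models the checks described above: that a credential form must come from the IdP's own domain over HTTPS in a top-level window rather than an iframe, and Bradley's point that an existing IdP session should produce a consent page, never a second password prompt. It also includes the IdP-side guard his remark implies, refusing to render a log-in form inside a frame. The functions are pure so they run under Node without a browser; the list of IdP origins and the sample prompts are assumptions made for illustration, not data from the campaign.

```javascript
// Added example, not code from Barracuda Labs, the OpenID Foundation or any
// IdP. Models the user-side and IdP-side checks the article describes for
// telling a forged IdP login prompt from a real one.

// Origins this example treats as genuine identity providers (assumed list).
const KNOWN_IDP_ORIGINS = new Set([
  "https://accounts.google.com",
  "https://www.facebook.com",
  "https://api.twitter.com",
  "https://login.yahoo.com",
]);

// Scheme + host of a URL: exactly what a visible address bar lets a user verify.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// User-side assessment of a credential prompt.
// prompt: { url, framed, alreadyLoggedIn }
//   url             - where the form asking for the password is actually served from
//   framed          - true if the form sits inside an iframe (no address bar of its own)
//   alreadyLoggedIn - true if the user already holds a session at that IdP
function assessLoginPrompt(prompt) {
  const problems = [];
  const origin = originOf(prompt.url);
  if (!origin.startsWith("https://")) {
    problems.push("credentials requested over a non-HTTPS connection");
  }
  if (!KNOWN_IDP_ORIGINS.has(origin)) {
    problems.push(`form is served from ${origin}, not from an IdP domain`);
  }
  if (prompt.framed) {
    problems.push("form is embedded in an iframe; no IdP should render its login in a frame");
  }
  if (prompt.alreadyLoggedIn) {
    problems.push("IdP session already exists; expected a consent page, not a password prompt");
  }
  return { legitimate: problems.length === 0, problems };
}

// IdP-side guard: only render the login form in a top-level window. Takes a
// window-like object so it can be exercised here; a real login page would call
// enforceTopLevel(window) at the top of its script (and back it with
// X-Frame-Options / CSP frame-ancestors headers, which the browser enforces
// before any script runs).
function enforceTopLevel(win) {
  if (win.top !== win.self) {
    // Framed: break out by navigating the outer window to this page.
    win.top.location = String(win.self.location);
    return false;
  }
  return true;
}

// Constructed sample prompts (invented URLs, not the campaign's real pages).
const SAMPLE_PROMPTS = {
  // Compromised third-party page showing IdP logos in an iframe, plain HTTP.
  phish: {
    url: "http://example-realty.invalid/ups/track/login.html",
    framed: true,
    alreadyLoggedIn: false,
  },
  // Genuine full-frame redirect to the IdP.
  genuine: {
    url: "https://accounts.google.com/ServiceLogin?continue=https://rp.example/",
    framed: false,
    alreadyLoggedIn: false,
  },
  // Right domain, wrong behaviour: an IdP form shown inside a frame to a user
  // who is already logged in.
  framedIdp: {
    url: "https://www.facebook.com/login.php",
    framed: true,
    alreadyLoggedIn: true,
  },
};

// Assess every sample prompt and return the results keyed by name.
function assessAll(prompts = SAMPLE_PROMPTS) {
  const out = {};
  for (const [name, prompt] of Object.entries(prompts)) {
    out[name] = assessLoginPrompt(prompt);
  }
  return out;
}

console.log(assessAll());
```

The phishing prompt fails three checks at once (HTTP, unknown origin, framed), which is why the article's single advice to look for the address bar works: an iframe hides the origin, and the origin is the only thing the user can check. The third case shows that a genuine domain is not enough on its own; a framed form or a repeated password prompt from an IdP that already has a session is still wrong, and the IdP-side guard exists so that such a form never renders in the first place.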

The OpenID Foundation, which is nearing completion of a new and more robust OpenID specification called OpenID Connect, is working on a standard user interface called Account Chooser intended to provide a uniform log-in page for all OpenID users and providers.

The Barracuda Lab researchers said in their report that "there are excellent reasons to use OpenID. Website administrators don't have to store and care for a password for your account, and you can reduce the number of user accounts and passwords that you manage."

But they warned that users need to be "very observant and make certain that your credentials are being requested using a secure connection to the [IdP's] servers."
