It seems Google can’t catch a break. Just hours after Google’s Gmail service was hit by an outage that lasted several hours, Google Talk became the victim of a phishing scam.
Users of the instant messaging service received a TinyURL link that appeared to be from friends on their buddy lists. When a user clicked the link, it would take him to a webpage that asked for his Google username and password. Once he entered them, the program would send similar messages to everyone on his contact list. While many consumers have “wised up” to e-mail messages from purported banks and credit card companies phishing for login information, many users are not accustomed to receiving suspicious communications via instant messaging chat sessions. As a result, some users will be more likely to fall victim to this type of trap.
The scam has been traced back to the website Viddyho.com, which has since been blacklisted by Google. TinyURL also blacklisted the site, rendering the attack inert. However, even with the blacklists, there’s nothing to stop the hackers from using another URL or setting up alternative phishing sites to try to continue to obtain login information.
The motive for the attack is unclear, but the possibilities for a user’s login credentials to be used for harmful purposes are very real, ranging from impersonation to identity theft to sending spam. Given that Google Accounts can also be tied to valuable properties such as Google Checkout and Google AdSense, a compromised account could also lead to financial damage.
Google encourages all users who were affected to change their passwords immediately. Graham Cluley, senior technology consultant at Sophos, says 41% of people use the same password for every website they access. If you’re one of these people, it would be wise to change your passwords on those other sites as well.