We are all used to the phishing emails that we get sent from “banks” and “auction sites”, trying to steal your logins for financial gain. A new phase has started where phishing messages are sent via the private message (PM) facility of a forum.
The motive in this case is pure revenge, but with forums being used for trading, deals, and product promotion the trend is very dangerous, primarily because you believe you “know” the other users, or at least have some sort of respect and trust between you.
Let's walk through the steps.
1. Dodgy guy gets mad about something.
2. Dodgy guy buys a domain that is very close to the forum's domain and puts a copy of the forum's “please login” page on the site.
3. Dodgy guy sends private messages to people saying “Please review the rules etc.” and shows the URL of the real thread as the link text, but makes the link point to his phishing domain.
4. Nice guy gets the PM and is met with a message that he needs to log in. Odd, he thinks, but he logs in. This is especially easy if it's a kid on a shared computer who gets the PM via email: the kid expects to have to log in.
5. As Nice guy logs in, his details are stored, and a script logs him into the real forum and transfers him to the real thread. Nice guy is none the wiser.
6. Dodgy guy then uses Nice guy's account to send a stack of private messages to other people, people who no doubt know that Nice guy is nice and trust his message, and … go to step 4.
7. Wise guy gets a PM, smells a rat, and lets the forum admins know what is going on.
8. Admins ban Nice guy until they can verify he is who he says he is, and to stop Dodgy guy from using the account. This wastes admin time and is probably the ultimate goal.
9. Nice guy can no longer participate in the forum. It's not personal; he was just too nice to suspect foul play within his own forum community. After all, that's what forum owners strive to do: make their forums a place people feel at home. It's a shame that even then we still need to be on our guard.
So, what have we learnt?
- check the URL of the link you are about to click, not just the text it displays
- if you are unexpectedly asked to log in, check you are at the site you think you are at
- contact the hosting company of the phishing site and ask them to remove it
Let's hope we don't see too much of this!
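The trick in step 3 and the first lesson above (check where a link really goes, not what it says) can be mechanised. The following Python is an added example, not code from the original post or from any forum software: a small check a forum admin could run over a PM body before it is delivered, or a wary user could paste a message into. It flags links whose visible text is a URL on one host while the href points at another, and hosts that sit within a couple of characters of the forum's own domain. The forum host and both sample PMs are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed forum domain for the example (constructed placeholder, not from the post).
FORUM_HOST = "forum.example.com"


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in a message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.x' strings get a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(html, forum_host=FORUM_HOST):
    """Return a list of findings for the links in a PM body.

    ('display-mismatch', text_host, href_host): the visible text is a URL whose
        host differs from the host the link really points to (the step 3 trick).
    ('lookalike-domain', href_host, forum_host): the link host is within two
        edits of the forum host but is not the forum host.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        # Only compare hosts when the link is *presented* as a URL.
        if text.startswith(("http://", "https://", "www.")):
            text_host = host_of(text)
            if text_host != href_host:
                findings.append(("display-mismatch", text_host, href_host))
        if href_host != forum_host and edit_distance(href_host, forum_host) <= 2:
            findings.append(("lookalike-domain", href_host, forum_host))
    return findings


# Constructed sample PMs; the hosts are placeholders, not real sites.
PHISHING_PM = (
    "Please review the rules: "
    '<a href="http://forum-example.com/rules">http://forum.example.com/rules</a>'
)
GENUINE_PM = (
    "Please review the rules: "
    '<a href="http://forum.example.com/rules">http://forum.example.com/rules</a>'
)

if __name__ == "__main__":
    for label, pm in (("phishing", PHISHING_PM), ("genuine", GENUINE_PM)):
        print(label, check_message(pm))
```

The display-mismatch rule is the important one: a lookalike domain only matters because the displayed text says something else, so a message whose link text and href agree produces no finding even when the host is unfamiliar. The edit-distance threshold of two is a starting point; on a real forum you would tune it against the domain names your members legitimately post.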