I have no idea how the recent Hotmail/Gmail account compromises actually took place. What follows is a simple hypothesis based on a somewhat embarrassing anecdote.
Like many of you, I am currently waiting for an invite to Google Wave. Imagine my joy when this came across my inbox one Tuesday morning:
Subject: Google Wave invite
Congratulations! You’ve been invited to Google Wave by your friend {a close friend of mine with a Wave account}. Click the link below to register:
Still half asleep (and now bursting with joy!) I open the link, suddenly thinking it’s strange that Google would use a url-shortener to send me a Wave invite. As you may have guessed, what was waiting for me was not a desirable HTML5 product but was in fact a YouTube video of Rick Astley performing Never Gonna Give you Up — yeah, I got rick-rolled a year after rick-rolling people was cool.
Now I’m fortunate that my dear friend (it was davefp) has a sense of humour – the truth is I technically just fell for a phishing scam, and I’m lucky there was no malicious intent involved. This got Dave and I talking; phony Wave invites would be a very opportunistic way to steal account credentials from eager Gmail users, and could be what caused the recent account compromises.
Let’s look at the reasons why I was inclined to trust the link in the email I received:
- I was expecting an invite
- It looked like an invite
- I was half asleep
- I was overjoyed
I was expecting an invite. There are thousands upon thousands of Gmail users anxiously awaiting Wave invites. There are thousands upon thousands more that have no reason to expect an invite but would still take one if one were offered to them. This is an exciting product, after all.
It looked like an invite. Sure the shortened url was one possible give-away, but even that could have been improved by masking the url with text that looked like a safe url, such as http://wave.google.com/mygmailaccount. Add a couple of Google images and maybe a formal signature and this could have been a lot closer to foolproof.
I was half asleep. Admit it, you’re not always paying attention when you check your mail either. We check our email late at night, early in the morning, on our mobile phones, while we’re eating or playing with a pet; there are all kinds of distractions that may contribute to not paying full attention to routine tasks like checking email.
I was overjoyed. Don’t discount this one — human emotion is what sells a social engineering attack such as phishing. I had a rush of feelings and thoughts flying through my head as I clicked a link I barely looked at: who do I know that already has wave? I hope it’s awesome! who will I invite? I should thank Dave for inviting me! where’s the link for that two-minute introduction video I saw the other day?
Of course it could just be a coincidence that Wave launched a few days before a high-profile phishing scam, and it could be that I’m the only one stupid enough to fall for a prank like this, but at the very least I think it’s conceivable that a phishing attack based on Google Wave invites could have snagged 30 000 users or so from a group of major email providers.
Am I out of my mind? Have you heard a better explanation? Share some thoughts and leave a comment.