Gmail's one-two punch: Phishers attack after outage

Phishing scam uses Google Talk chat service to go after usernames, passwords

Gmail users were hit with a double whammy Tuesday.

Only hours after Google fixed a two-and-a-half hour Gmail outage, users of the hosted e-mail service's instant messaging tool were slammed with a phishing attack. Graham Cluley, a senior technology consultant with the UK-based security firm Sophos, wrote in a blog post Wednesday that the attack spread through the Gmail's Google Talk chat system.

The attackers sent Gmail users an instant message with no more of a lure than the message "check out this video" and a link from the TinyURL service, according to Cluley. The link, which is no longer working, took users to a website called ViddyHo that asked surfers to enter their Gmail usernames and passwords.

Cluley noted that TinyURL has blacklisted the phishers' site so that its no longer operational.

"The hackers behind ViddyHo could use the credentials they have stolen via their site to break into accounts, grab identity information and impact your wallet," wrote Cluley. "Potentially, a hacker who has grabbed your Gmail password could have accessed your entire address book and scooped up all of your correspondence, including information that you may have archived about other online accounts."

A Google spokesman noted in an email that the company has received "a number of reports" about the phishing attack from users. "We have blocked the addresses being used to send these messages, and users of Firefox, Safari, and Google Chrome will receive a phishing warning when trying to visit the ViddyHo.com site. We have also identified Viddyho.com in our search results as a phishing site," he said. "We encourage users to be very careful when asked to share their personal information."

The security consultant noted that people are often more susceptible to phishing or malware attacks that are spread via instant message than those that spread through email. People simply are more accustomed to being wary of email, leaving themselves vulnerable to other forms of attacks.

"If you were unfortunate enough to fall for this scam, make sure to change your Gmail password immediately. In fact, also change your passwords on any other site where you might be using the same password as on Gmail," said Cluley.

Join the newsletter!

Error: Please check your email address.

Tags Gmailphising

More about GoogleMicrosoftSophosVIA

Show Comments