Not a chain letter, but I don’t intend to confine this blog to classic chain mail: the hoax, spoof and scam landscape is a lot more complicated these days, and various kinds of nuisance and threat are more closely interwoven than you might think.
This one comes by way of Graham Cluley of Sophos (one of the few companies to maintain a hoax database, by the way – see http://www.sophos.com/security/hoaxes/ – though they focus mostly on virus hoaxes, which aren’t as common now as in the 1990s).
It describes email that claims to have been sent by the “Gmail Security Team” (yeah, right…) requiring the recipient to “verify” his account details. Of course, the email links to what looks like (but isn’t) the Gmail login page, and the site in question includes lots of other phishing pages pretending to belong to other legitimate concerns. And as Graham has just pointed out, I forgot to include a link to his full blog at http://www.sophos.com/blogs/gc/g/2010/05/02/day-gmail-phishing/: sorry, Graham!
You may wonder why your Gmail credentials are as interesting to a phisher as your banking credentials, for instance. There are a number of reasons:
Many people use the same passwords in many different contexts, so knowing these credentials may give the phisher the keys to other kingdoms.
Having control of an email account can give the phisher the means to impersonate the legitimate owner in order to gain other credentials or information.
It also allows the phisher to use impersonation for more direct fraudulent purposes such as the London scam (see https://chainmailcheck.wordpress.com/2010/04/17/londoning-and-seo-is-that-why-mums-go-to-iceland/ and http://www.eset.com/blog/2010/04/17/seo-poisoning-londoning-and-icelanding).
In fact, the ways in which Gmail and other Google services can be exploited have been pretty big news in the past few weeks. See some of my recent ESET blogs for examples:
David Harley FBCS CITP CISSP
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence