Webmail has become ubiquitous - most people have at least one account and some people use several. As the folks at Google pointed out this April Fool’s Day, we’ve gotten to the point where the idea of relying on postal mail for communication is almost completely absurd. Services like Google’s Gmail, Microsoft’s Hotmail, and Yahoo! Mail all offer an incredibly large amount of storage and can be accessed from almost any internet-connected machine.
This weekend I got an email from a friend, arriving from her Hotmail address. It was actually an auto-generated invitation link to a social networking service called ‘Tagged’. Tagged is employing some very sketchy tactics in expanding their user base. While the whole idea behind Web 2.0 is the combination of existing Web services/technologies to make them more useful, when a user signs up for Tagged, they’re practically forced to put in their Webmail credentials. Tagged then logs into your Webmail account as you, accesses your address book, and prompts you to email your contacts using your Webmail address as the reply-to.
It’s difficult to recall all of the mass-mailing worms we’ve seen that have used similar strategies for propagation. Melissa and Lovebug would be good examples.
Fortunately, Tagged isn’t actually sending the emails as the user whose login credentials they’ve borrowed, the email is just coming from Tagged’s server so it’s not difficult to blacklist. But Tagged’s signup process is sparse on the details about why they ask for the information they want, and what they’re going to do with it. Clearly they’ve snagged all the email addresses in your address book, which would be useful for sending future advertising-based spam, but they’ve also taken your Webmail login credentials and not really told you what they intend to do with it.
It’s interesting in that they’ve circumvented the need to mock-up your Webmail site, but still had the effect of a phishing attack. With the search capabilities of most modern Webmail services, and the amount of people doing online banking, it doesn’t take a lot of imagination to see where this kind of site could head. Though we’ve all heard it before, the best way to avoid these situations is to avoid giving your credentials to third-party sites. Just like you wouldn’t give your banking info to your mailman, you shouldn’t give your banker a copy of your mailbox key.