i received the link from someone on my orkut friends list, and it was a url that had an id at the end which identified my username, so i'm assuming it could figure out my username from the link.
based on the information i have, here's how it works:
- users are presented with a screen identical to orkut's login screen
- on signing in, the site opens its own connection to orkut.com
- it scrapes orkut for all available information (don't have any details on that) about the compromised user and his/her friends
- it then sends out a unique message to all of the user's friends, asking them to view the site. it gives a unique url, so it knows which user clicked the link, and even displays the username in the login box, the way google does
- if anyone is fooled by this and logs in, the process continues from step 2
reasons why you should be concerned:
- your google account isn't used only for orkut, but also for a lot of other things like gMail, gTalk, blogger, personalised search (freaky!!!), gReader...the list goes on!!!
- many orkut users put up private information such as their date of birth, address, telephone numbers, etc on their orkut profiles and make the information visible to only their friends, assuming that friends can be trusted not to misuse the information. that assumption is not valid anymore, now that this phishing site can also act on behalf of your friends (i'm a victim of this assumption too...and i still don't know how much info has been leaked. it's very scary)
- the worst part is that one person's ignorance can lead to leaking private information of all his/her friends, without their control at all, and they have no easy means of preventing it, short of deleting that information from the site
- you probably don't have your credit card number posted on your orkut profile, but you've probably received some mail or the other from your bank/credit card company. if you use gMail, and archive all your mail (just like i do)...well...you can do the math :)
steps to prevent this:
- always look at the address in the address bar before signing in. phishing attempts usually use similar URLs, so you may need to look carefully.
- never enter your login info on any third party site, no matter what that site claims to do for you. i have endless friends who have done such things, usually for the sake of automatically inviting all their friends to some new social networking site. what they don't realise is that the addresses and all other details of all their friends (including the ones who didn't join up) are stored in a database somewhere, awaiting further abuse
- for the above mentioned suspicious links (at least the ones containing a ?), try opening the link in a new browser window, and delete everything starting from the ? to the end of the link. that ensures that the new site cannot identify who you are or where you came from.
- read http://hoaxbusters.ciac.org for more anti phishing, anti spamming and hoax spotting techniques
- last of all, but definitely most important, when in doubt, DON'T CLICK!!!!
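the two checks above (look at the real hostname, and strip everything from the ? onward) can be turned into a small script. this is an added example, not code from the original post; the trusted domains and the sample links are assumptions, and the links are constructed to show a genuine login page, a lookalike hostname, and a user@host trick.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: the real login pages for orkut live under these base domains.
# Any host that is not exactly one of these, or a subdomain of one, is untrusted.
TRUSTED_BASE_DOMAINS = {"orkut.com", "google.com"}


def strip_identifiers(url: str) -> str:
    """Drop the query string and fragment, i.e. everything from '?' to the end,
    so the link no longer carries the per-user id the phishing site relies on."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def hostname_is_trusted(url: str) -> bool:
    """Judge the link by its actual hostname, not by whether 'orkut' appears
    somewhere in the text. urlsplit().hostname discards userinfo and the port
    and lowercases the result, so 'www.orkut.com@example.net' resolves to
    'example.net', and 'orkut.com.example.net' is simply not a trusted domain."""
    host = urlsplit(url).hostname
    if not host:
        return False
    return any(host == base or host.endswith("." + base)
               for base in TRUSTED_BASE_DOMAINS)


def triage(url: str) -> dict:
    """Return the cleaned URL and whether its host is one you should log in to."""
    return {"clean_url": strip_identifiers(url),
            "trusted_host": hostname_is_trusted(url)}


# Constructed sample links: one genuine, one lookalike host, one userinfo trick.
SAMPLE_LINKS = [
    "http://www.orkut.com/Login.aspx?uid=12345",
    "http://orkut.com.example.net/login?uid=12345",
    "http://www.orkut.com@example.net/?uid=12345",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = triage(link)
        verdict = "ok to log in" if result["trusted_host"] else "DON'T LOG IN"
        print(f"{verdict:12} {result['clean_url']}")
```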