Tuesday, November 11, 2008

Is Heysan.com a clickjacking attack, virus dropper or something else?

For those of you who use GMail regularly, the recent arrival of unexplained chats from your friends might have piqued your curiosity. A chat message lands in your GMail inbox claiming to come from one of your friends, bearing some cheesy one-liners and telling you to click a link to view them. Something like this:

Though I'm usually highly suspicious of these sorts of links, I went ahead and clicked it. (After all, Firefox, my favourite web browser, has quite a decent track record as far as security is concerned.) The site that opened up looked like this:
Now, I'm not going to be giving up my Google Account password to any site that just asks for it. No way! Not a chance! Not even if it boasts the Google Talk logo. But there are all kinds of people in the world, and some are likely to enter their Google IDs and passwords out of ignorance. In my opinion, this site is a fraud that is directly and obviously collecting the user IDs and passwords of GMail accounts and using them to perpetrate a mass mailing campaign from within the comfortable confines of your GMail inbox. The fact that there is a hidden link to admob.com (a highly SEOed advert site - see image) by means of a 1px x 1px image bolsters my gut feeling about this site. Beware, all of you who get a link to heysan.com - I think it's just the tip of a very large iceberg. Recent reports of a click-based vulnerability in all browsers are a further cause for concern. Be on your toes, everyone! More information on clickjacking is available here.
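Two of the tell-tale signs described above can be checked mechanically: a password form that posts to a host other than the service the page imitates, and a hidden 1px x 1px image that loads a third-party host. The script below is an added example (not code from the original post) that applies these two heuristics to a constructed HTML sample; the hostnames in it are placeholders, not the real sites.

```python
"""Heuristic phishing-page checks (added example; sample HTML is constructed)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PhishHeuristics(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self._form_host = None      # action host of the <form> being parsed
        self.password_forms = []    # hosts that receive a password field
        self.tracking_pixels = []   # third-party hosts loaded via 1x1 images

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")
            self._form_host = urlparse(action).hostname or self.page_host
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._form_host and self._form_host not in self.password_forms:
                self.password_forms.append(self._form_host)
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            host = urlparse(urljoin(self.page_url, a.get("src") or "")).hostname
            if host and host != self.page_host:
                self.tracking_pixels.append(host)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_host = None


def analyse(page_url, html, imitated_host):
    """Return password forms not posting to the imitated service, plus hidden pixels."""
    p = PhishHeuristics(page_url)
    p.feed(html)
    foreign = [h for h in p.password_forms
               if h != imitated_host and not h.endswith("." + imitated_host)]
    return {"foreign_password_forms": foreign, "tracking_pixels": p.tracking_pixels}


# Constructed sample: a Google Talk look-alike login with a hidden ad pixel.
SAMPLE = """<html><body><img src="http://www.google.com/talk/logo.gif">
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass"></form>
<a href="http://ads.example.test/"><img src="http://ads.example.test/t.gif"
   width="1" height="1"></a></body></html>"""

if __name__ == "__main__":
    print(analyse("http://phish.example.test/gtalk", SAMPLE, "google.com"))
```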

The hidden links on the GTalk page are:
And the heysan.com home page looks like this:
All the links on this page lead to the login areas of various popular e-mail and IM sites. So beware, casual web surfer: this does not augur well for the web. Currently, the best-known safety measure is to install the NoScript add-on for Firefox and use it to disable iframes.