Tuesday, November 11, 2008

Is Heysan.com a clickjacking attack, virus dropper or something else?

For those of you who use GMail regularly, the recent arrival of unexplained chats from your friends might have piqued your curiosity. A chat message lands in your GMail inbox claiming to have been sent by one of your friends, bearing some sort of cheesy one-liner and telling you to click a link to view it. Something like this:

Though usually I'm highly suspicious of these sorts of clicks, I went ahead and clicked it. (After all, Firefox, my favourite web browser, has quite a decent track record as far as security is concerned.) The site that opened up looked like:
Now, I'm not going to be giving up my Google Account password to any site that just asks for it. No way! Not a chance! Not even if it boasts the Google Talk logo. But then, there are all kinds of people in the world and some are likely to enter their Google IDs and passwords out of ignorance. In my opinion, this site is a fraud that is directly and obviously obtaining the user IDs and passwords of GMail accounts and using them to perpetrate a mass mailing campaign from within the comfortable confines of your GMail inbox. The fact that there is a hidden link to admob.com (a highly SEOed advert site; see image) by means of a 1px x 1px image bolsters my gut feeling about this site.

Beware, all of you who get a link to heysan.com: I think it's just the tip of a very large iceberg. Recent reports of a click-based vulnerability in all browsers are a further cause for concern. Be on your toes, everyone! More information on clickjacking is available here.

The hidden link on the GTalk page is:
And the heysan.com home page looks like this:
All links on this page lead to login areas of different popular e-mail and IM sites. So beware, casual web surfer: this does not augur well for the web. Currently, the best known defence against clickjacking is to install the NoScript addon for Firefox and use it to block iframes. Note that blocking iframes addresses clickjacking only; a plain login form that asks for your Google password needs no script or frame at all, and the only defence against it is to never type a Google password into a page that is not served by Google.
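As an added example (not code from the original post or from heysan.com), here is a small Python check for the three signals the post describes on a suspicious login page: a password form whose submit target is not one of the account provider's own hosts, a 1x1 tracking pixel, and an iframe styled to be invisible, which is the clickjacking vector that NoScript's iframe blocking stops. The page URL, host names and HTML below are constructed for illustration and are not a capture of the real site; the set of "legitimate login hosts" is an assumption the caller supplies.

```python
"""Heuristic scan of a login page for credential-harvesting and
clickjacking signals: password fields posted off-brand, 1x1 tracking
pixels and hidden iframes.  Pure standard library, runs offline."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample, NOT a capture of heysan.com: Google Talk branding,
# a password form that posts back to the site itself, a 1x1 pixel served
# from a third party, and an iframe made invisible with opacity:0.
SAMPLE_URL = "http://example-im-site.test/gtalk"
SAMPLE_HTML = """
<html><body>
<img src="/gtalk-logo.png" alt="Google Talk">
<form action="/login" method="post">
  Google ID <input type="text" name="user">
  Password  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
<img src="http://tracker.example.test/p.gif" width="1" height="1">
<iframe src="http://third-party.test/" style="opacity: 0; position:absolute"></iframe>
</body></html>
"""

# CSS declarations that make a frame invisible while it still receives clicks.
HIDDEN_STYLE = {"opacity": "0", "display": "none", "visibility": "hidden"}


def _style_decls(style):
    """Parse 'a: b; c: d' into {'a': 'b', 'c': 'd'} (lower-cased, trimmed)."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            decls[key.strip().lower()] = value.strip().lower()
    return decls


class LoginPageScanner(HTMLParser):
    """Collect (finding, host) tuples while walking the page's tags."""

    def __init__(self, page_url, legitimate_login_hosts):
        super().__init__()
        self.page_url = page_url
        self.legit = set(legitimate_login_hosts)
        self.findings = []
        self._forms = []  # host that each currently open <form> submits to

    def _host(self, url):
        # Resolve relative URLs against the page so "/login" maps to the page's host.
        return urlparse(urljoin(self.page_url, url or "")).hostname or ""

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._forms.append(self._host(a.get("action")))
        elif tag == "input" and a.get("type", "").lower() == "password":
            # A password field outside any form submits to the page itself.
            target = self._forms[-1] if self._forms else self._host("")
            if target not in self.legit:
                self.findings.append(("password_to_untrusted_host", target))
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.findings.append(("tracking_pixel", self._host(a.get("src"))))
        elif tag == "iframe":
            decls = _style_decls(a.get("style", ""))
            if any(decls.get(k) == v for k, v in HIDDEN_STYLE.items()):
                self.findings.append(("hidden_iframe", self._host(a.get("src"))))

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            self._forms.pop()


def scan_login_page(page_url, html, legitimate_login_hosts):
    """Return the list of (finding, host) pairs found in `html`, in page order."""
    scanner = LoginPageScanner(page_url, legitimate_login_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    # Assumed set of hosts where a Google password may legitimately be entered.
    google_hosts = {"www.google.com", "accounts.google.com"}
    for finding, host in scan_login_page(SAMPLE_URL, SAMPLE_HTML, google_hosts):
        print(f"{finding}: {host}")
```

The key check is the first one: the page can carry any logo it likes, but the `action` of the form holding the password field tells you who actually receives the credentials. The pixel and hidden-iframe checks are weaker signals on their own (legitimate sites use tracking pixels too), so treat them as corroboration rather than proof.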

11 comments:

  1. Anonymous, 11:17 PM

    Any idea on how to get rid of the bug/worm and get rid of the threat??? I accidentally gave the thing my password.

  2. I haven't been able to detect what the site actually installs. So, I don't know how to clean up the mess (if any) this site has made on your computer, but the first thing I would suggest to you is to change your Google Account password. Although your contact list is long since gone to spammers, at least you might sleep easy with the knowledge that you still have control over your Google Account and haven't been locked out.

  3. Heysan is not a clickjacking attack, virus dropper or any kind of fraud. Heysan is an aggregator for IM networks, just like meebo, trillian and adium. Heysan runs in your browser (optimized for your mobile browser) and lets you use your IM account on your phone. The first time you sign in to heysan, there is an option to let your friends know that you just did and also an option to skip that part. If your friend selects this option on Gtalk and you happen to be offline at the time, this will result in an email instead of an IM message, per how gtalk works. The message comes from your friend; heysan has not hijacked your gmail. Heysan does not install anything on your computer or phone, heysan does not abuse your login credentials to spam your contacts, heysan does not sell or in any way share your private information with anyone; all stated in our terms of use and privacy statements. Most importantly, heysan is a loved service and has a large, highly engaged community on top of the utility of mobile IM. Check it out, you might end up liking it.

    Marie, co-founder of heysan

  4. Anonymous, 10:16 AM

    Marie/ Pardon me, but did you even read the post? I had the exact same problem this morning and it has totally ruined my day, with everyone asking me why I was sending them offline chat messages with a dubious link to where it asks for your password, in order to see some pic that it claims to have been posted by me. Now, as someone who was naive enough to click on the link and 'give away' my password, I can testify that I did NOT consent to anyone or any service digging through my contacts list and sending out quite fishy messages to everyone, nor did I expect the linked website to corrupt my contacts list. For one thing, the option to "skip that part" was NOT clear at all, and despite the fact that I'd managed to close the window when I was given the option to "invite" friends instead of being shown the alleged photo that my friend had posted, it still sent out those fishy "invites" to all on my list. And I can assure you that I, as well as the friends who received the chat message, was online at the time. Now I know heysan is an increasingly popular service, and is a powerful, handy tool (which is one of the reasons why I'd so readily clicked the link), but if the way it handles new users and their contacts lists is such that it's throwing people into panic/virus alert mode, then surely something's not quite right, or am I still being too naive there?

  5. I quite agree with anonymous above. If you're planning to mass mail/mass message a contacts list, the warning should be shown in CLEAR BOLD LETTERS and the opt-out facility should be an in-your-face button, not an unobtrusive link. Using dubious techniques to popularize your site, especially via a "message to all", is construed as spam by me.

    As for the "message has come from your friend" part: it most definitely has not. It's been sent by heysan on his (unwitting) behalf.

  6. Marie,

    YOU CANNOT RESERVE THE RIGHT TO DELETE ANYONE'S ACCOUNT WITHOUT GIVING THEM THE RIGHT TO DELETE THEIR OWN ACCOUNT, WHICH YOU GUYS ANYWAY CREATE WITHOUT ANY APPROVAL.

  7. Well, my friends have mentioned the problem and thanks for your information on this, but is there a way out?

  8. I think there is certainly something fishy about this site. No sooner had I logged in to it than chat messages flew across to all my contacts (only those using GMail) with just a single line saying that 'I' had either uploaded their photo, or commented on their photo, or invited them to heysan etc. etc., which in fact I never did. Also, almost all my contact names were gone. Something like this:


    http://www.google.com/support/forum/p/Talk/thread?tid=6bb9c8ce01cb1ea3&hl=en

  9. @dolphin: Change your Google Account password, put up a GTalk status message warning everyone about heysan, and do a thorough antivirus scan of your computer. Then, install the NoScript addon for Firefox (you don't surf the web with IE, do you? :-) ) from http://addons.mozilla.com/firefox and breathe easy. But sadly, the damage is already done if you've logged in.

    @harry: Thanks for the pointer. Marie, could you please explain all this to your (so called) users?

  10. happyb, 10:16 PM

    divye/ Hey, I've been trying to follow up with your blog to see if I can get more help, and just noticed that the Google search results won't bring up your page anymore. It used to be on the 1st page (which is how I managed to find it in the 1st place), and now even with the same keywords (several combinations, and they all used to work), I can't see it on any of the results pages. Is it just me?

  11. It seems that either Heysan.com has out-SEOed me by creating new sites that have simply buried my blog post, or that Google has banned me because I had a link to heysan.com. Take your pick :-)
