Orkut users have lately been targeted with a clever scheme that redirects them to phishing pages without them having to do anything except visit a compromised account.
Using malicious applications that had been published in the Apps Directory, the phishers let the users do the dirty work themselves. Lured by features such as watching TV channels online, users added the application to their profiles, and from then on every visitor to that profile was automatically redirected to a phishing page.
According to a Kaspersky Lab expert, this was possible because the source code of the applications in question loaded and executed external code that was not hosted on Orkut's servers.
Once a user fell for the phishing scheme and handed over their username and password, the account was hijacked and used to send messages asking other users to visit the profile or to install one of the malicious applications.
An attack very similar to this one was also used to blackmail affected users into paying some $12 in order to get their profiles back.
Google has been notified, and the malicious applications have been removed. Kaspersky's expert says that over 50 phishing domains were used in this attack, but that they have all been blocked. Reportedly, some 150,000 user profiles were hijacked.