I've been receiving lots of emails pointing to recent media articles, such as this one, about how Gmail, Yahoo and Hotmail user accounts have been hacked. Firstly, no they haven't. All these articles say hacked to sound cool and attract readers. The accounts have been compromised by 'phishing schemes' and 'social engineering'. That's totally different from saying Gmail has been hacked.

Phishing and social engineering are basically when you trick someone into giving you their account details. One way of doing this would be to, say, create a fake Gmail login page and somehow hijack a user's DNS records so that they land on your fake page whenever they try to go to Gmail. Once on your fake page, they enter their username and password thinking it's the real thing and click Login. The password gets sent to and stored on your server, and you simply redirect them to the real Gmail page.

A much, much simpler phishing scam, however, is to just count on user ignorance. Simply create some sort of social networking site and provide a 'service' where users can enter their Gmail username and password, and you invite all their friends to join. This technique is popular on sites such as Facebook, Dropbox and Twitter (I've blogged about this before). The problem is, a non tech-savvy user may think that if it's safe to give their login to Facebook (and it isn't), then it's probably safe to give it to other similar websites as well.

Heck, I'm sure I could throw together an MMO gaming webpage, something with a very simple Flash turn-based game for example, and provide a 'service' for people to invite their Gmail/Yahoo/Hotmail friends directly through my interface. I bet I could get the accounts of a large percentage of visitors, especially if that was my primary intention (create a game or social site that targets non-techy people and the masses will follow).


