There is an automatic assumption that when you see a link with the google.com domain in the address that you are dealing with a safe and secure site but according to a report from security researchers at F-Secure you might want to reconsider that preception.

They have found that nestled quite comfortably at Google Docs a number of phishing sites that are extremely well done to the point that they are still unsure about one of the sites that they have found.

The problem with this is that by inserting themselves on Google Docs these phishing sites are able to by-pass your browsers normal ability to detect, and protect you, from these nasties. This is because the Google domains provide a valid SSL (secure sockets layer) certificate which the browser uses to be able to tell, and notify us, that you are on a secure site.

While researching the many examples of Docs-hosted phishing sites, the F-Secure researchers came across this form (see below), which asks for your Google Voice number, email address and the secret PIN code on your account. It appears to be a phishing site, but oddly, at least one Google employee was found to have linked to the form on online Help forums.

This stumped the researchers, who then turned to Twitter to ask their followers what they thought.Tweets Mikko H. Hypponen, F-Secure’s CRO:

“The consensus on Twitter seems to be that the weird page on google.com is a phishing site. The jury’s still out though.”

Writes one commenter on the original blog post: “I must say kudos to Google for anonymizing so well the form, there’s no way to tell who made it.” Uh-oh, Google.

via ReadWriteWeb

Uh-oh is right.

Phishing sites found to be hanging out on Google Docs is a post from: The Inquisitr

I just got the following email in my inbox and as you can see it looks pretty legit

The only problem is that when you click the link you end up being sent to a non-Twitter page at

h ttp://forum.tabrizchat.eclick.ir/lumps.html

Now normally I wouldn’t even give this a second thought as the address it was sent to wasn’t one that I had listed with Twitter but I had just blocked and reported some-one on Twitter so for some reason (I’m blaming lack of coffee) I decided to click the link.

DUMB.

When I saw the actual address show up in Chrome’s address bar I immediately closed the window so I don’t know exactly what is on the other end of the link but it probably isn’t good.

If this has already been passed around my apologies but like I said – better safe than sorry.

WARNING: A new Twitter phishing attack is a post from: The Inquisitr

Yesterday, when it was revealed that tens of thousands of Hotmail addresses and passwords were posted on a code-sharing site, everyone had a bit of a go at the remaining Hotmail users who haven’t abandoned the service for a cooler GMail account.

But a second posting followed, with a list of Hotmail, Yahoo, AOL, Gmail, Comcast and Earthlink addresses. Collected as part of a phishing scam, the BBC reports that while some of the addresses are old, expired or invalid, several are confirmed as genuine. The lists are still accessible.

The BBC also reports that an estimated 40% of internet users have a life password, an inadvisable practice that simplifies logging in but leaves accounts much more open to hacking. Carol Theriault, of security firm Saphos, indicated that scams such as the one used to gather the e-mail addresses are growing increasingly slick and more difficult to detect:

“Phishing attacks are very subtle these days,” she said. “People do all kinds of tricky things.”

Fake websites, which ask for a users login details, can be made to look like those of reputable companies.

“This should be a wake-up call to Google and Microsoft to educate their users,” said Ms Theriault.

Not so fast with the Hotmail jokes- additional 20K addresses compromised on GMail, AOL, Earthlink is a post from: The Inquisitr

The web-based mail service will now authenticate any e-mails coming from paypal.com or ebay.com. The move is an effort to combat the large number of spoofed messages that appear to originate from those domains. Now, any e-mails claiming to come from Paypal or eBay that don’t check out won’t even make it into your inbox.

The authentication process will use DomainKeys and DKIM technology to confirm legit messages. Google says it’s been testing the process for a few weeks already.

Gmail Amps Up Phishing Protection is a post from: The Inquisitr