New spam campaign mimics OpenID, steals credentials

May 04, 2012

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

Spammers and phishers are constantly looking for ways to convince people to type in their passwords and press “Log In”.  One of the newest strategies we’ve seen them use is a specially crafted login page that looks like the “choose your provider” sign-in screens of websites using the increasingly popular OpenID standard.  An alarming number of spammers are tailoring their phishing messages to use this new template.

OpenID is a way for websites to avoid having to create and store their own user accounts.  Instead, they rely on authentication services offered by better-known OpenID ‘providers’.  You’ve very likely seen websites offering to let you log in with your Google or Yahoo account (Facebook offers a similar login of its own, built on OAuth rather than OpenID). The website redirects your browser to the provider you selected, such as Yahoo.  You enter your credentials on a secure page hosted by Yahoo, on Yahoo’s own domain. Yahoo then redirects you back with a signed message telling the website that you supplied valid login credentials; the website itself never sees your password.  That is OpenID in action.


Sample OpenID sign-in dialog

Note that the dialog expressly informs you that you will be taken to Yahoo to log in.  This is an important point to keep in mind: with genuine OpenID, the password prompt appears on the provider’s site, not on the site you started from.


What we are seeing at Barracuda Labs is messages that direct you to web pages that mimic these OpenID provider-selection pages. Take this spam email as an example.  What could be the harm in some real estate listings?


A real estate company logo is used, the text is vague, and the link leads to the compromised website of a yacht service company in Australia. That site serves up the fake login page shown below. Although the page never mentions OpenID by name, the growing familiarity of “pick your provider” login screens makes it look much less threatening and more ‘normal’.

Fake login page

We selected Yahoo and were immediately prompted for our Yahoo credentials by a bit of JavaScript on the same page.  As mentioned above, this is not how OpenID authentication works.  With genuine OpenID authentication the browser would be redirected to a secure Yahoo web page, on Yahoo’s domain, and Yahoo would ask for the credentials.

Instead, our credentials are unceremoniously POSTed back to the compromised server in clear text over plain HTTP, as shown by this captured TCP stream.

Packet capture

Eventually these credentials make their way back to the phisher.  In the meantime, the browser is sent on to the genuine homepage of a real estate company, so the victim sees nothing amiss.
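The difference between the fake flow and a genuine OpenID redirect can be checked mechanically. The script below is an added example, not Barracuda’s code and not the phishing page’s own JavaScript: it parses a constructed HTTP POST modelled on the captured stream described above and flags it because a password field is being sent in the clear to a host that is not an OpenID provider, then checks a genuine OpenID `checkid_setup` redirect for the properties the fake flow lacks (HTTPS and the provider’s own domain). The host names, paths, field names and the provider list are assumptions made for illustration.

```python
"""Flag credential-harvesting POSTs of the kind the phishing page above makes.

Added example, not Barracuda's code. The request and redirect below are
constructed to resemble what the post describes; hosts, paths and field
names are assumptions for illustration.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hosts on which an OpenID provider may legitimately ask for a password.
# Assumed list for the example; a real deployment keeps its own.
TRUSTED_PROVIDER_HOSTS = {"open.login.yahooapis.com", "login.yahoo.com", "accounts.google.com"}
# Form field names that indicate a password is in the request body.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}

# Constructed sample: the fake page POSTs the Yahoo credentials back to the
# compromised site over plain HTTP (hypothetical host and path).
PHISH_POST = (
    b"POST /images/login.php HTTP/1.1\r\n"
    b"Host: www.compromised-site.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 62\r\n"
    b"\r\n"
    b"provider=yahoo&login=victim%40yahoo.com&password=hunter2&go=Sign+In"
)

# Constructed sample: the Location header a genuine OpenID relying party
# sends, taking the browser to the provider's HTTPS endpoint (assumed URL).
GENUINE_REDIRECT = (
    "https://open.login.yahooapis.com/openid/op/auth"
    "?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=checkid_setup"
    "&openid.return_to=https%3A%2F%2Fwww.relying-party.example%2Fopenid%2Freturn"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "body": body.decode("latin-1")}


def credential_sink(req: dict, tls: bool) -> Optional[dict]:
    """Return details if the request carries a password somewhere it should not.

    `tls` says whether the stream was carried over TLS; a packet capture of
    plaintext HTTP, as in the post, gives False.
    """
    if req["method"] != "POST":
        return None
    fields = parse_qs(req["body"], keep_blank_values=True)
    leaked = sorted(f for f in fields if f.lower() in CREDENTIAL_FIELDS)
    if not leaked:
        return None
    host = req["headers"].get("host", "").split(":")[0].lower()
    reasons = []
    if not tls:
        reasons.append("password sent in clear text over HTTP")
    if host not in TRUSTED_PROVIDER_HOSTS:
        reasons.append(f"password posted to non-provider host {host}")
    if not reasons:
        return None
    return {"host": host, "fields": leaked, "reasons": reasons}


def is_provider_redirect(location: str) -> bool:
    """True if `location` is an OpenID checkid redirect to a trusted provider over HTTPS."""
    u = urlsplit(location)
    mode = parse_qs(u.query).get("openid.mode", [""])[0]
    return (u.scheme == "https"
            and (u.hostname or "").lower() in TRUSTED_PROVIDER_HOSTS
            and mode in ("checkid_setup", "checkid_immediate"))


if __name__ == "__main__":
    finding = credential_sink(parse_http_request(PHISH_POST), tls=False)
    print("fake flow:", finding)
    print("genuine redirect ok:", is_provider_redirect(GENUINE_REDIRECT))
```

Run against the constructed POST, `credential_sink` reports both problems at once: the password travels in the clear, and it is addressed to the compromised site rather than to Yahoo. The genuine redirect passes because the browser is being sent to the provider’s own HTTPS endpoint before any password is requested; the same URL over `http://` or on a different host would fail.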

Another example presents itself as a UPS notification email, which leads to a fake UPS login page built on the same template.


There are excellent reasons to use OpenID.   Website administrators don’t have to store and protect a password for your account, and you can reduce the number of user accounts and passwords that you manage.

The flip side is that if you choose to log in through an OpenID provider, such as your favourite email account, you need to be very observant: before typing your password, check the address bar and make certain that the page asking for it is on the provider’s own domain and served over a secure (HTTPS) connection.  A password prompt that appears on the original website, as in the examples above, is the mark of a fake.



Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.