Today evening while signing into orkut to thank the bday wishers, I noticed that somehow the correct username / password combination was failing and noticed the URL as
http://okrutt-co-in.110mb.com/orkutt.htm
instead of something like orkut.com / co.in or the Google account login URL.
On checking the pages via Firebug, the baseURI is different,
i.e.
the original is something like:
https://www.google.com/accounts/ServiceLogin?service=orkut&hl=en-US&rm=false&cd=IN&passive=true&skipvpage=true&sendvemail=false&continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin.aspx%3Fmsg%3D0%26page%3D%252FMain%2523Home.aspx
and the cracker has:
http://okrutt-co-in.110mb.com/orkutt.htm
It was found that the above URL POSTs the username / password combination to a PHP file,
orkut.php,
which, after saving the username and password to the cracker's db or sending them out to an email address, posts them on to the Google auth mechanism.
The most important change is in the form gaia_loginform:
<form id="gaia_loginform" action="orkut.php" method="post"
onsubmit="return(gaia_onLoginSubmit());">
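The check below is an added example, not code from the original post: it resolves each password form's action against the page URL the way a browser does and flags any target outside the expected login host or not on HTTPS. The trusted host set, the password field and the genuine page's form action are assumptions constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the only host that should receive these credentials,
# taken from the genuine login URL quoted in the post.
TRUSTED_LOGIN_HOSTS = {"www.google.com"}

class LoginFormFinder(HTMLParser):
    """Collect the action of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self._action = None  # action of the form being parsed, None outside a form
        self.password_form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""  # empty action posts to the page itself
        elif tag == "input" and self._action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.password_form_actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    finder = LoginFormFinder()
    finder.feed(html)
    findings = []
    for action in finder.password_form_actions:
        # A relative action such as "orkut.php" inherits the host of the page.
        target = urlsplit(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append(f"credentials sent over {target.scheme}: {target.geturl()}")
        if target.hostname not in TRUSTED_LOGIN_HOSTS:
            findings.append(f"credentials posted to untrusted host: {target.hostname}")
    return findings

# Sample inputs: the form tag quoted in the post plus a constructed password
# field, and a constructed stand-in for the genuine page's form.
FIELD = '<input type="password" name="pw"></form>'
PHISH_URL = "http://okrutt-co-in.110mb.com/orkutt.htm"
PHISH_HTML = '<form id="gaia_loginform" action="orkut.php" method="post">' + FIELD
REAL_URL = "https://www.google.com/accounts/ServiceLogin?service=orkut"
REAL_HTML = '<form id="gaia_loginform" action="example-login-post" method="post">' + FIELD
```
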
Removed.
—
If we can assist you further, please let us know.
110mb.com Support
update:
— REPLIES VIA EMAIL WILL NOT BE RECEIVED. YOU MUST LOGIN & REPLY VIA http://www.110mb.com/support —
Ticket Details
===================
Ticket ID: PYL-752118
Department: Report TOS/Abuse Violation
Priority: High
Status: Closed
110mb.com support ticket opened:
Ticket ID: PYL-752118
Department: Report TOS/Abuse Violation
Full Name: bobinson
Email: bobinson[[@!gmail.com
Priority: High
————————
hello,
there is a suspected orkut fake login page here:
http://okrutt-co-in.110mb.com/orkutt.htm
the fake script is
http://okrutt-co-in.110mb.com/orkut.php
a detailed info is here: http://www.freebird.in/wp/?p=141
Please do the needful
cheers,
bobinson
reported here at google / orkut
http://www.google.com/safebrowsing/report_phish/?tpl=mozilla&hl=en-US