I recently received a suspicious Gmail chat message from a friend (shown below). I was immediately suspicious of the message for three reasons: this friend had never used chat to talk with me before, he appeared to be offline, and the content of the message resembled the lures that other instant messaging worms use.
I expected that when I clicked on the link I would be asked to download an executable thinly disguised as a photo (for example, coolpic.jpg.exe) like W32.Scrimge.E or that some drive-by exploits would be used on the page such as the ones Koobface uses. Instead I was brought to the following page that asked me to log in to my choice of MSN, Yahoo, Gtalk, or AIM accounts to view the “private album.”
It looked very much like a phishing page that is designed to steal your login credentials. I decided to check out the EULA before testing out how the site works. In fact, the owners of the site are very aware of what a phishing site is and they even mention the term “phishing” in their EULA. I have included the full EULA below in two parts:
There are some very interesting terms and conditions included for using this “service.” By logging in to the site you are agreeing to these terms and conditions. Specifically you allow this site to send promotional instant messages from your account (using your login credentials) to your friends:
“We may temporarily access your MSN account to do a combination of the following: 1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.”
The EULA also states “This is not a “phishing” site that attempts to “trick” you into revealing personal information.” However, the instant message I received is very clearly trying to trick users into logging in to this site, using the pretext of photos, with my friend appearing to tell me something like “damn, I’m sure you didn’t upload these pics!” (The EULA does not mention that the messages sent from your account will also be misleading in nature.)
The rest of the EULA is shown below. The domain name used for the site is registered to an address in China, but the agreement notes that all disputes shall be governed by the laws of the Republic of Panama. The domain name was registered on January 1, 2010; I received the instant message yesterday, and today the site appears to be down.
SPAM is defined as unsolicited bulk email, and spam that uses instant messaging instead of email is known as “SPIM.” Although my friend unwittingly agreed to the conditions of the EULA for this site, I did not. Yet I am receiving the unsolicited instant messages, and they are being sent by the company that runs the website, not by my friend (although they are being sent via my friend’s account). Therefore, if these messages are being sent in bulk they also qualify as SPIM. Please be careful when you receive these types of messages and remember to read the EULA. Although in some cases a EULA can be truly difficult to read, in this case it is obvious that this is not something you would want to agree to. If your friends are receiving messages like this from you, you should change your password to stop this company from accessing your account.
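As an added illustration (not code from the original post), the signals described above can be turned into a simple triage heuristic for incoming chat messages: a link in the message, a “pics/album” lure, a sender who appears offline, and a contact who has never chatted with you before. The message fields, phrase list and sample messages are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Assumed lure vocabulary, based on the message quoted in the post.
LURE_PHRASES = ("upload", "pics", "photos", "private album")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)


@dataclass
class ChatMessage:
    sender: str
    text: str
    sender_online: bool      # presence as shown by the IM client
    first_chat_ever: bool    # contact has never chatted with us before


def spim_score(msg: ChatMessage) -> int:
    """Score one message; each signal from the post adds to the total."""
    score = 0
    if URL_RE.search(msg.text):
        score += 2                      # a link is the strongest signal
    lowered = msg.text.lower()
    if any(phrase in lowered for phrase in LURE_PHRASES):
        score += 1                      # photo/album pretext
    if not msg.sender_online:
        score += 1                      # offline sender, as in the post
    if msg.first_chat_ever:
        score += 1                      # unusual channel for this contact
    return score


def is_suspicious(msg: ChatMessage, threshold: int = 3) -> bool:
    return spim_score(msg) >= threshold


# Constructed sample messages (example.invalid is a reserved test domain).
SAMPLE_MESSAGES = [
    ChatMessage("friend@example.invalid",
                "damn, I'm sure you didn't upload these pics! http://example.invalid/album",
                sender_online=False, first_chat_ever=True),
    ChatMessage("colleague@example.invalid", "lunch at 1?",
                sender_online=True, first_chat_ever=False),
    ChatMessage("colleague@example.invalid",
                "agenda for tomorrow: http://example.invalid/agenda",
                sender_online=True, first_chat_ever=False),
]


def flagged_senders(messages=SAMPLE_MESSAGES) -> list:
    """Return senders whose messages trip the heuristic."""
    return [m.sender for m in messages if is_suspicious(m)]


if __name__ == "__main__":
    print(flagged_senders())  # → ['friend@example.invalid']
```

A flagged sender is the account whose password should be changed, since the messages are sent through that account rather than by the contact.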