When Social Networks Violate Trust: Yaari.com = Social Network Virus + Spam Engine

    Posted on October 16th, 2008 John Berns 5 comments

    I just got taken for a ride and I am pissed.

    I got an invite from an Indian friend whom I respect, inviting me to join Yaari.com, which purports to be an Indian social networking site. He’s a very savvy guy and generally at the forefront of what’s hot and cool in Indian tech. So I thought “hey–must be something here, I should check it out.” After all, India tech is hot and I like to stay on top of what’s happening.

    So I signed up. They asked if I wanted to check my GMail contact list for friends on Yaari.com. I thought: I have a lot of friends in India, most are serious web geeks, let’s see who’s here.

    When I went to add my GMail password I paused for a moment. The conversation inside my head went something like this: “Give my email password to a site that I never heard of… that’s a bad idea! But then again I have checked my Gmail contacts against other sites buddy lists before and I never had a problem. Well, it was X that invited me and I trust him… so, I guess I will trust this site.”

    And that usually works.

    Usually.

    But as it turns out, Yaari.com appears to be a site that is crafted to do nothing more than dupe unsuspecting people into giving up their friends email addresses; a social virus posing as a social network to harvest emails for spammers.

    So, usually you can trust invites from your friends, but what happens if your friend was duped into trusting an untrustworthy site and you, in turn, trust what you think is his recommendation? Well… it isn’t really his recommendation, so it isn’t trustworthy, is it? The chain of trust was compromised somewhere along the line.

    So what happened was that my entire Gmail contact list was spammed with invitations to join Yaari.com WITHOUT MY CONSENT. My trust had been compromised; they took advantage of that and then used my reputation to spam my friends.

    And my friends signed up.

    And the cycle repeated.

    After this whole mess, I had a friend point out that if you Google Yaari you see that they are a scam. A bit late, I am sad to say.

    I feel terrible that I fell for this. I feel worse that my trust was used to compromise other people.

    Sadly, it seems to be a new enough scam that it works and works well. This is likely to be a new frontier for scammers. Expect to see more exploits like this springing up.

    They could have done worse: they could have hijacked my Gmail account. That could have been a disaster. I guess I should consider myself (relatively) lucky that the worst that seems to have happened is that I suffered embarrassment and put my friends through some inconvenience. Not to say that’s a trivial matter, but I think how much I depend on my Gmail account and I shudder to think what could have happened.

    But for all of you that read this the lesson to be learned is this: it’s not enough to trust the person that you get an invite from on a social network, you MUST VERIFY YOU CAN TRUST THE NETWORK IT WAS SENT OVER.

    I should have seen that. My hesitation in clicking the button was the little voice inside my head telling me what I already knew. My scam sensor went off and I chose to ignore it.

    There is a first time for everything…

    Some Tips for Secure Social Networking

    • Be more aware of the dynamics of trust on the Internet. Think of trust not as a person or a name, but as a chain of events, and every link in that chain must be trustworthy.
    • Never give out your passwords to any site–trusted or not. Yeah, we already know it–but social networks have conditioned us to behave otherwise.
    • Google and the other email providers need to make a greater effort to educate users never to give up their password for any reason, and to provide an alternative: ticket-based access to contacts that the user explicitly authorizes, without handing over the password–much like Yahoo is doing.
    • Browsers should be flagging sites like Yaari.com as phishing scams. They are potentially as dangerous as banking scams: access to an email password divulges tremendous amounts of user data and lets scammers reset the passwords of every other account tied to that mailbox–which is even better than the password itself.
     

    4 responses to “When Social Networks Violate Trust: Yaari.com = Social Network Virus + Spam Engine”

    • You gave the credentials for an account you rely on to a site you’d never heard of and hadn’t bothered to Google and something bad happened. Who could have predicted that?

      I personally think it’s time for Google, Yahoo! and other e-mail providers to detect and block these sorts of sites (including Facebook and friends) and maybe provide a real API to access contacts, etc.

    • Being Indian I had heard the name Yaari many times, but had been too lazy to check it out since Facebook + Twitter is more than enough for my social needs :p

      When I got your invite I thought maybe for some specific reason you had invited me there or something…. glad my laziness prevailed and I didn’t check it out..

      BTW from their terms and conditions ( http://www.yaari.com/?controller=termsofservice&action=index ) :-

      Yaari has established a Privacy Policy to explain to Members how their information is collected and used, which Member can read by clicking http://www.yaari.com/policy.php.

      … policy.php is a 404 … in short they haven’t made one yet or have had it removed….

      Continuing on in section D :-
      By registering for the Yaari website, and by giving Yaari member’s email address and password, a member agrees to the Terms of Service and consents to allow Yaari to automatically send an email from the member to member’s contacts, encouraging member’s contacts to register for the Yaari website. Invitation emails will be sent on member’s behalf, with the ‘from’ address set as member’s email address. Yaari will never store member’s email password.

      ..so what they did was legal, with your consent.. in the same time sneaky and evil :)

    • Legal? Perhaps.

      Follows standard acceptable practices? No.

      Ethical? Certainly not.

      But it does point out the huge potential for abuse.

      We have been conditioned by dozens of perfectly legitimate and ethical websites that we can trust that they will not abuse the trust we give them.

      But this conditioning we have developed can easily be exploited by sites that are unethical or even illegal.

      If all Yaari does is spam my friends–that’s an annoyance.

      But what if somebody with ill intent used the same technique to gather 250,000 passwords and methodically started to scan the email accounts for passwords to bank accounts, domain registrars, SVN repositories, social networks?

      What if, overnight, 500,000 Gmail, Hotmail and Yahoo Mail passwords were reset and the rightful owners were locked out? How would the rightful owners be able to reclaim their accounts and the data in them?

      How big of a catastrophe could that potentially be?

    • I’ve only ever entered in a username/password for one of my email accounts for one website, and even that one (meebo.com), I waited close to a year after first seeing it before “taking the plunge” (it had gotten a lot of favorable press reviews, and was clearly a legit company). And even then, I only used my hotmail account, which doesn’t have anything important in it (aside from a bunch of junk mail).

      I’m more cautious than most people about these things (I’m a software developer), and I haven’t gotten any virus or malware on any of my last 3 laptops – my laptop is my livelihood, so I’m loath to ever take a risk with anything dodgy on it, and I extend that conservative approach to websites asking for my passwords.

      I can definitely see how a lot of people would fall for the social-engineered ‘exploit’ that you fell for. My mother once gave her password to an “AOL Technician” in chat so he could “fix” her email account, which she’ll never do again, lol. Eventually, either people need to start treating their passwords as they would a credit card, or more integrated authentication and varied authorization systems will have to be seamlessly created.

      I like the “OpenID” framework, where if I want some 3rd-party website to publish information or access content on my blogger-hosted blog, I just give the URL, and then I go to my site, where I’m told the name of the requesting app, and what it wants. I can then say “yea or nay”, and never give out my gmail password.

      You got lucky, really, that it was a quasi-legit site. You might have been as easily duped into handing your password to those who would (as you said) have taken over your account completely. Ouch!

      Kirk
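The ticket-based contact access the post's tips call for, and the approve-it-on-the-provider's-own-site flow Kirk describes in the comment above, boil down to the same mechanism: the mail provider issues the third-party site a scoped, expiring, revocable ticket, and the site never sees the password. The example below is added here to show that mechanism working end to end; it is not Yaari's, Google's or Yahoo's code. The MailProvider class, the ticket format (signed JSON), the scope names and the sample addresses are all assumptions constructed for the illustration.

```python
"""Delegated, scoped access to contacts instead of handing over the mailbox
password.  Added illustration, not any provider's real API: the MailProvider
class, the ticket format and the scope names are assumptions for this example."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class MailProvider:
    """Stands in for the e-mail provider.  It alone holds the signing key, so a
    third-party site can neither forge a ticket nor widen the scope it was given."""

    def __init__(self):
        self._key = secrets.token_bytes(32)      # never leaves the provider
        self._revoked = set()                    # ticket ids the user has withdrawn
        # Constructed sample data for one user (not real addresses or mail).
        self._contacts = {"alice@example.com": ["bob@example.com", "carol@example.com"]}
        self._inbox = {"alice@example.com": ["Bank statement", "Password reset link"]}

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue_ticket(self, user, client_id, scopes, ttl_seconds=600):
        """Mint a ticket.  In a real flow this runs only after the user has
        approved the named client and scopes on the provider's own login page."""
        body = {"user": user, "client": client_id, "scope": sorted(scopes),
                "exp": int(time.time()) + ttl_seconds, "jti": secrets.token_hex(8)}
        payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
        return payload.decode() + "." + self._sign(payload)

    def _verify(self, ticket, needed_scope, now=None):
        """Check signature, expiry, revocation and scope, in that order."""
        payload_b64, _, sig = ticket.partition(".")
        payload = payload_b64.encode()
        if not hmac.compare_digest(sig, self._sign(payload)):
            raise PermissionError("bad signature")
        body = json.loads(base64.urlsafe_b64decode(payload))
        if (now if now is not None else time.time()) >= body["exp"]:
            raise PermissionError("ticket expired")
        if body["jti"] in self._revoked:
            raise PermissionError("ticket revoked")
        if needed_scope not in body["scope"]:
            raise PermissionError("scope %r not granted" % needed_scope)
        return body

    def list_contacts(self, ticket, now=None):
        body = self._verify(ticket, "contacts:read", now)
        return list(self._contacts[body["user"]])

    def read_inbox(self, ticket, now=None):
        body = self._verify(ticket, "mail:read", now)
        return list(self._inbox[body["user"]])

    def revoke(self, ticket):
        """User-initiated revocation; only a genuinely signed ticket is honoured."""
        payload_b64, _, sig = ticket.partition(".")
        if hmac.compare_digest(sig, self._sign(payload_b64.encode())):
            self._revoked.add(json.loads(base64.urlsafe_b64decode(payload_b64))["jti"])


def widen_scope(ticket):
    """What a dishonest site would try: rewrite the scope list and keep the old
    signature.  The provider rejects it because the signature no longer matches."""
    payload_b64, _, sig = ticket.partition(".")
    body = json.loads(base64.urlsafe_b64decode(payload_b64))
    body["scope"] = sorted(set(body["scope"]) | {"mail:read"})
    forged = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
    return forged.decode() + "." + sig


def demo():
    """Walk the whole flow and return what each step produced."""
    provider = MailProvider()
    user, site = "alice@example.com", "social-site.example"   # constructed names
    ticket = provider.issue_ticket(user, site, {"contacts:read"})  # user approved contacts only
    out = {"contacts": provider.list_contacts(ticket)}
    attempts = [("inbox", lambda: provider.read_inbox(ticket)),
                ("forged", lambda: provider.list_contacts(widen_scope(ticket))),
                ("expired", lambda: provider.list_contacts(ticket, now=time.time() + 3600))]
    for label, call in attempts:
        try:
            call()
            out[label] = "allowed"
        except PermissionError as e:
            out[label] = str(e)
    provider.revoke(ticket)                      # user withdraws consent later
    try:
        provider.list_contacts(ticket)
        out["revoked"] = "allowed"
    except PermissionError as e:
        out["revoked"] = str(e)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

The point of the design is the asymmetry of knowledge: the social site only ever holds a ticket that says "contacts:read for alice, until this time", so reading the inbox, tampering with the scope, using the ticket after expiry, and using it after the user revokes it all fail at the provider, and the user's password was never at risk. With the password-prompt model the post describes, every one of those requests would have succeeded.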

