Technology, Social Media, Travel
When Social Networks Violate Trust: Yaari.com = Social Network Virus + Spam Engine

    Posted on October 16th, 2008 by John Berns, 5 comments

    I just got taken for a ride and I am pissed.

    I got an invite from an Indian friend that I respect, inviting me to join Yaari.com, which purports to be an Indian social networking site. He’s a very savvy guy and generally on the forefront of what’s hot and cool in Indian tech. So I thought “hey–must be something here, I should check it out.” After all, India tech is hot and I like to stay on top of what’s happening.

    So I signed up. They asked if I wanted to check my GMail contact list for friends on Yaari.com. I thought: I have a lot of friends in India, most are serious web geeks, let’s see who’s here.

    When I went to add my GMail password I paused for a moment. The conversation inside my head went something like this: “Give my email password to a site that I never heard of… that’s a bad idea! But then again I have checked my Gmail contacts against other sites buddy lists before and I never had a problem. Well, it was X that invited me and I trust him… so, I guess I will trust this site.”

    And that usually works.

    Usually.

    But as it turns out, Yaari.com appears to be a site that is crafted to do nothing more than dupe unsuspecting people into giving up their friends email addresses; a social virus posing as a social network to harvest emails for spammers.

    So, usually you can trust invites from your friends, but what happens if your friend was duped into trusting an untrustworthy site and you, in turn, trust what you think is his recommendation? Well…. it’s not really his recommendation and that’s not trustworthy, is it? The chain of trust was compromised somewhere along the line.

    So, what happened was that my entire Gmail contact list was spammed with invitations to join Yaari.com WITHOUT MY CONSENT. My trust had been compromised and they took advantage of that and then used my reputation to spam my friends.

    And my friends signed up.

    And the cycle repeated.

    After this whole mess, I had a friend point out that if you Google Yaari you see that they are a scam. A bit late, I am sad to say.

    I feel terrible that I fell for this. I feel worse that my trust was used to compromise other people.

    Sadly, it seems to be a new enough scam that it works and works well. This is likely to be a new frontier for scammers. Expect to see more exploits like this springing up.

    They could have done worse: they could have hijacked my Gmail account. That could have been a disaster. I guess I should consider myself (relatively) lucky that the worst that seems to have happened is that I suffered embarrassment and put my friends through some inconvenience. Not to say that’s a trivial matter, but I think how much I depend on my Gmail account and I shudder to think what could have happened.

    But for all of you that read this the lesson to be learned is this: it’s not enough to trust the person that you get an invite from on a social network, you MUST VERIFY YOU CAN TRUST THE NETWORK IT WAS SENT OVER.

    I should have seen that. My hesitation in clicking the button was the little voice inside my head telling me what I already knew. My scam sensor went off and I chose to ignore it.

    There is a first time for everything…

    Some Tips for Secure Social Networking

    • Be more aware of the dynamics of trust on the Internet. Think of trust not as a person or a name, but as a chain of events, and every link in the chain must be trustworthy. An invite that reaches you through a site has been relayed by that site, so you are trusting the site at least as much as the friend whose name is on it.
    • Never give your password to any site, trusted or not. Yes, we already know it, but social networks have conditioned us to behave otherwise: the “find your friends” step asks for exactly the credential that unlocks everything else in the account.
    • Google and email providers need to make a greater effort to educate users never to give up their password for any reason, and to provide alternative ticket-based access to contacts that the user authorizes at the provider and can revoke later, much as Yahoo is doing. A ticket scoped to reading contacts cannot be used to send mail or change the account.
    • Browsers should be flagging sites like Yaari.com as phishing scams. They are potentially as dangerous as banking scams: access to an email password divulges a tremendous amount of user data, and it lets a scammer drive the “forgot password” flow on every other site tied to that address, which is even better than the password itself.
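
As an added example of the ticket-based access the third tip asks for (illustration code written for this page, not Yahoo’s or Google’s actual API; the MailProvider class, the scope names, the HMAC ticket format and the sample contacts are all assumptions), the block below contrasts the two paths. With the password, a third party can do anything the account owner can, including mailing every contact. With a signed, short-lived ticket scoped to contacts:read, it can list contacts but cannot send mail, a forged or expired ticket is rejected, and the user can revoke the ticket at any time.

```python
"""Delegated, scoped contact access versus handing over the password.

Illustration only: a toy mail provider that issues HMAC-signed tickets.
The class, scope names and ticket format are assumptions, not a real API.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIG_LEN = 32  # HMAC-SHA256 output length; the signature is the last 32 bytes of a ticket


class MailProvider:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # provider-side signing key, never shared
        self._users = {}                     # user -> {"password": ..., "contacts": [...]}
        self._revoked = set()                # ticket ids the user has revoked
        self.outbox = []                     # (sender, recipient, subject) the provider "sent"

    def add_user(self, user, password, contacts):
        self._users[user] = {"password": password, "contacts": list(contacts)}

    def login(self, user, password):
        """Full credentials: the caller now acts as the user for everything."""
        u = self._users.get(user)
        if u is None or not hmac.compare_digest(u["password"], password):
            raise PermissionError("bad credentials")
        return user

    # The dangerous path: whoever holds the password can spam every contact.
    def send_mail_with_password(self, user, password, subject):
        self.login(user, password)
        return self._deliver(user, subject)

    # The safer path: the user authorizes a narrow ticket at the provider itself.
    def issue_ticket(self, user, password, scope, ttl_seconds=600, now=None):
        self.login(user, password)  # password only ever goes to the provider
        now = time.time() if now is None else now
        payload = {"sub": user, "scope": scope, "exp": now + ttl_seconds,
                   "jti": secrets.token_hex(8)}
        body = json.dumps(payload, sort_keys=True).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + sig).decode()

    def _verify(self, ticket, required_scope, now=None):
        raw = base64.urlsafe_b64decode(ticket.encode())
        body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("ticket forged or tampered with")
        payload = json.loads(body)
        now = time.time() if now is None else now
        if payload["exp"] < now:
            raise PermissionError("ticket expired")
        if payload["jti"] in self._revoked:
            raise PermissionError("ticket revoked")
        if payload["scope"] != required_scope:
            raise PermissionError(f"scope {payload['scope']!r} does not allow {required_scope!r}")
        return payload

    def revoke(self, ticket):
        raw = base64.urlsafe_b64decode(ticket.encode())
        self._revoked.add(json.loads(raw[:-SIG_LEN])["jti"])

    def read_contacts(self, ticket, now=None):
        p = self._verify(ticket, "contacts:read", now)
        return list(self._users[p["sub"]]["contacts"])

    def send_mail(self, ticket, subject, now=None):
        p = self._verify(ticket, "mail:send", now)
        return self._deliver(p["sub"], subject)

    def _deliver(self, user, subject):
        contacts = self._users[user]["contacts"]
        self.outbox.extend((user, c, subject) for c in contacts)
        return len(contacts)


def _allowed(call):
    """True if the provider accepted the call, False if it refused."""
    try:
        call()
        return True
    except PermissionError:
        return False


def demo():
    """Run both paths against constructed data; returns what each attempt produced."""
    p = MailProvider()
    p.add_user("john", "hunter2", ["alice@example.org", "bob@example.org"])  # constructed sample
    r = {}
    r["password_can_spam"] = p.send_mail_with_password("john", "hunter2", "Join now!") == 2
    t = p.issue_ticket("john", "hunter2", "contacts:read", ttl_seconds=600, now=1000.0)
    r["ticket_reads_contacts"] = p.read_contacts(t, now=1001.0)
    r["ticket_can_spam"] = _allowed(lambda: p.send_mail(t, "Join now!", now=1001.0))
    raw = base64.urlsafe_b64decode(t.encode())  # attacker edits the scope but cannot re-sign
    forged = base64.urlsafe_b64encode(
        raw[:-SIG_LEN].replace(b"contacts:read", b"mail:send") + raw[-SIG_LEN:]).decode()
    r["forged_accepted"] = _allowed(lambda: p.send_mail(forged, "x", now=1001.0))
    r["expired_accepted"] = _allowed(lambda: p.read_contacts(t, now=2000.0))
    p.revoke(t)
    r["revoked_accepted"] = _allowed(lambda: p.read_contacts(t, now=1001.0))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that the password never leaves the provider: the third-party site only ever holds a ticket whose scope, lifetime and revocation are decided on the provider side, so the worst a Yaari.com-style site can do with it is read the list it was granted.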