Australia's Leading Computer Emergency Response Team

Signing up to sign out
Date: 02 May 2008
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=9221


How often do you read the Terms and Conditions of a website before giving them any information?

Here is an extract from a website we saw this week.

   We may temporarily access your MSN account to do a combination of the following:

      1.  Send Instant Messages to your friends promoting this site. 
      2.  Introduce new entertaining sites to your friends via Instant Messages.

I felt personally that this site was "phishing" (for lack of a better term) .Net (MSN) credentials.

Phishing is defined on Wikipedia as follows: "phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication". http://en.wikipedia.org/wiki/Phishing

The site may not have been used for anything illegal, as far as we can tell so far. So is it still phishing?

Well, I have no legal background, nor law enforcement, so I do not know. I still think it is morally wrong in the way they trick the user into providing credentials. Once you provide your details, your MSN account is used to spam the people on your friends list with a link for them to follow and then provide their own details. The cycle then continues. After providing the details you are supposed to be given some kind of content.

The only thing they provided that I saw was the constant signing out of MSN of the user who provided the credentials. So, this means that while they are using your account to spam your friends with links, you cannot be signed into MSN Messenger.

Furthermore, any user providing details to the site in question is in breach of the T&Cs of MSN.

   "Do not provide your Service account and password to third parties. You
    may not authorize any third party to access and/or use the Service on your 
    behalf. You may also not use any automated process or service to access 
    and/or use the Service such as a BOT, a spider or periodic caching of 
    information stored by Microsoft." 

    http://messenger.msn.com/help/terms.aspx

The MSN agreement does give a list of authorised third parties which can be found here: http://messenger.msn.com/Help/Authorized.aspx

And the site in question isn't on that list.


Regards,

Zane