Warning to Google Analytics Users

You may have noticed that most browsers’ URL bars these days do not need you to type out the “http://” or the “.com” in order to be able to send you on your way to the “.com” page which you desire to visit. What we used to have to type out as “http://woot.com” is now just “woot”, and Firefox excels at picking up my slack and decoding my internet shorthand. When rushing to check our statistics, like children rushing to open presents on Christmas day, we often accidentally mistype the URL for Google Analytics as “analytics” or “analytics.com” instead of “analytics.google.com” or “google.com/analytics”. Since my partner and I are avid Google Analytics users, my memory seems to suggest that I am used to being greeted with the standard parked domain page when my indolent digits strike the wrong keys. Today, however, I did not see the cliche landing page of a domain-squatting profiteer. Instead, I was prompted to enter my username and password by an unfamiliar, non-threatening login prompt linked to idisk.mac.com and a blank white page.

This was immediately very disconcerting to me because of the many ways in which someone could use a login modal box like the one shown on the analytics.com website and easily gather Google accounts from the hasty users who accidentally stumble upon the site with the intention of logging in to their Google Analytics accounts. After logging into so many websites each day, it’s not that hard to imagine a reflex to start inputting login information when prompted. In theory you would not even need to submit the form for your keyboard input to be logged to a database with some simple AJAX coding.

Is the owner of the website doing anything malicious? I have no idea, but I did send him an email to notify him of this post, and I also encouraged him to let me know what was going on with the site. In the meantime, Google Analytics users should take caution – a few key swipes in the wrong box and it could be a pretty big headache to deal with any of the following accounts being compromised: Analytics, Gmail, AdSense, AdWords, Picasa, YouTube, Google Checkout, or any of the other Google services that usually get linked together with the same account. The funny thing is I don’t think anyone would be able to stop a phishing attempt structured like this, since I believe the burden of proof would fall on the accuser, not to mention they really aren’t blatantly deceiving anyone.
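The four addresses from the post, run through a small origin check of the kind a password manager applies before it fills a credential. This is an added example, not code from the original post; the shorthand expansion rule, the `TRUSTED_SUFFIXES` list and the function names are assumptions made for illustration.

```javascript
// Added example. Assumption: a Google account password belongs only on
// google.com and its subdomains.
const TRUSTED_SUFFIXES = ["google.com"];

// Model of the address-bar shorthand the post describes: a missing scheme and a
// missing ".com" are filled in. Real browsers differ in the details (assumption).
function expandShorthand(typed) {
  let text = typed.trim().toLowerCase();
  if (!/^[a-z][a-z0-9+.-]*:\/\//.test(text)) text = "http://" + text;
  const url = new URL(text);
  if (!url.hostname.includes(".")) url.hostname = url.hostname + ".com";
  return url;
}

// Match on a label boundary so that "notgoogle.com" and
// "google.com.analytics.com" do not pass as Google hosts.
function isTrustedHost(host) {
  return TRUSTED_SUFFIXES.some(
    (suffix) => host === suffix || host.endsWith("." + suffix)
  );
}

// Decide whether a login prompt on the page this input leads to should ever
// receive the Google credential.
function checkBeforeLogin(typed) {
  const url = expandShorthand(typed);
  return { url: url.href, host: url.hostname, trusted: isTrustedHost(url.hostname) };
}

// The first four inputs are the ones named in the post; the last two are
// constructed lookalikes.
const samples = [
  "analytics",
  "analytics.com",
  "analytics.google.com",
  "google.com/analytics",
  "google.com.analytics.com",
  "notgoogle.com",
];
for (const typed of samples) {
  const r = checkBeforeLogin(typed);
  console.log(`${typed} -> ${r.host}: ${r.trusted ? "credential may be entered" : "do not enter credential"}`);
}
```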


2 Responses to Warning to Google Analytics Users

  1. i3inary says:

    either it’s a diabolical plan or it’s a simple mistake by a non-savvy webmaster.

    i can’t even imagine dealing with all my google accounts being hacked…imagine what damage could be done with adwords alone…

  2. kiwi says:

    Vote #2 for Diabolical Plan… can we move to strike on this issue.
