Fake GoogleTalk Application In The Wild

| | Comments (1)

We're still trying to pin down exactly how new this is, but it seems someone has released a fake Google Talk application into the wild.

Compare the fake application on the left with the real thing on the right, and note the differences:


Immediately, we can see that the real thing has a rounded curve at the top - the fake is blocky, and looks like a regular Windows application box. There's an "Inbox" link at the top when you start up the fake application - there isn't a link like that when firing up Google Talk for the first time. The Username / Password box is much lower down on the fake application, and (again) the real "Sign In" button is curved on the real application. Finally, you'll see "Forgot your account / Don't have an account" on the genuine Google Talk program - not so on the fake.

How does this work?

Well, the program doesn't connect to the Internet - for this attack to be successful, the hacker needs physical access to a PC that lots of people use. Could be a workplace PC, could be in a school, library, Net Cafe - anywhere where it's possible to run an executable file then retreat to a safe distance while the potential victim sits down and thinks "Just need to check something on IM..."

Assuming the victim enters their login details into the fake application, they will immediately see a fake error message, and probably think no more of it:


Once they've finished whatever they were doing and left the PC, the attacker only has to sit down and browse to the C Drive where they'll see this:


As you probably guessed, any all login details typed into the fake application will be stored in this text file:


We detect this application as Fake Googletalk.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, FSL Senior Threat Researcher


It's originalish as far as I can tell. I've never seen a program that phishes you and keeps the details ON the computer, instead of sending it somewhere else.
Good read as usual! Keep it coming!

Leave a comment

About this Entry

This page contains a single entry by Christopher Boyd published on May 8, 2008 10:58 PM.

Comments Working (Again!) was the previous entry in this blog.

More Fake Instant Messaging Scams is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.