roddy Posted July 30, 2010 at 03:03 AM
Just had an attempt to log in to my Gmail account mysteriously redirect to the Hebei-registered NDNS01.com. Spotted it before any damage was done, I think, but have changed my password anyway. Will be making sure I'm using overseas DNS servers (Google 'OpenDNS' or 'Google DNS') and firing up the VPN a bit more often, I think. Reports of similar occurrences here (in Chinese).
zhwj Posted July 30, 2010 at 04:23 AM
Your link doesn't work for me, but this one does. Scary stuff.
roddy (Author) Posted July 30, 2010 at 04:38 AM
Edited the link. Yeah, it was pretty worrying - if it hadn't been for the Firefox pop-in bar asking me if I wanted NDNS01.com to store the password (hmmm, suppose I must have submitted it then. Changed now anyway) I probably wouldn't have spotted it. Something else to do is to make sure your Gmail bookmark is the https one - mine wasn't, but it certainly is now.
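The browser's save-password prompt in the post above gave the game away because it names the origin the credentials were actually submitted to. The same question can be asked before typing anything: parse the login page and report where each form containing a password field posts. The block below is an added example written for this thread, not code posted by any participant or shipped by Google; the two HTML pages, the trusted-host list and the `http://ndns01.com/` form action are constructed for illustration (the thread does not show the phishing page's markup).

```python
"""Where does this login page actually send your password?

Added example for the thread, not code from it. Parses a login page's HTML
and reports the origin every password form submits to, resolving relative
actions against the page URL the way a browser would. Sample pages and the
TRUSTED_LOGIN_HOSTS list are constructed assumptions for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts a Gmail login form may legitimately post to (assumption for this example).
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "www.google.com", "mail.google.com"}


class FormCollector(HTMLParser):
    """Collect every <form>, noting its action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # dicts: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url: str, html: str) -> list:
    """Return one (submit_origin, verdict) pair per form that asks for a password."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # A relative action resolves against the page that served the form.
        target = urlsplit(urljoin(page_url, form["action"]))
        origin = "%s://%s" % (target.scheme, target.netloc)
        problems = []
        if target.scheme != "https":
            problems.append("password would be sent in the clear")
        if target.hostname not in TRUSTED_LOGIN_HOSTS:
            problems.append("posts to untrusted host %s" % target.hostname)
        findings.append((origin, "ok" if not problems else "; ".join(problems)))
    return findings


# Constructed sample pages (not captured from any real site).
GENUINE = """<html><body>
<form action="https://accounts.google.com/ServiceLoginAuth" method="post">
  <input name="Email"><input name="Passwd" type="password"><input type="submit">
</form></body></html>"""

LOOKALIKE = """<html><body>
<form action="http://ndns01.com/" method="post">
  <input name="Email"><input name="Passwd" type="PASSWORD"><input type="submit">
</form></body></html>"""

if __name__ == "__main__":
    for name, url, html in (("genuine", "https://accounts.google.com/ServiceLogin", GENUINE),
                            ("lookalike", "http://mail.google.com/", LOOKALIKE)):
        for origin, verdict in audit_login_page(url, html):
            print("%-9s -> %-30s %s" % (name, origin, verdict))
```

Run it against the saved source of the page you are about to log in to (browser "view source", or `curl -s` on the bookmark). A page that looks identical to Gmail but whose password form resolves to any origin outside the trusted set, or to plain http, is the situation roddy describes; checking before submitting is cheaper than changing the password afterwards.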
valikor Posted July 30, 2010 at 04:45 AM
Something unusual happened to me today, too, when I accessed my Gmail. Usually Chrome stores my username and password (usually = always). But today, it came up blank. I logged in with my username and password. Then, I got another form (looked the same), which had my username filled in and wanted my password. I assumed some cookie had expired or something, but reading this, I realize that maybe I was careless. Password changed.
gato Posted July 30, 2010 at 05:06 AM
There are also reports of NDNS01.COM being used to phish for MSN and Baidu passwords.
http://hi.baidu.com/%CA%A5%B8%E7/blog/item/ab0beb1a76e681f7ae513387.html - "Be careful! An identical page does not mean an identical site" (2010-07-09 19:35)
http://hi.baidu.com/hanhell/blog/item/952bc2fc5ca82f8fb901a0be.html - "NDNS01.COM & Baidu"
The reports seem to have started in July. Note that NDNS01.com's WHOIS record was most recently updated on July 5, 2010.
http://www.betterwhois.com/bwhois.cgi?verification=2766&domain=ndns01.com&submitbtn=Continue
NDNS01.COM WHOIS
Domain Name: ndns01.com
Creation Date: 2009-05-31 21:06:58
Updated Date: 2010-07-05 00:28:03
Expiration Date: 2012-05-31 21:06:54
Administrative Contact:
Name: gu long
Organization: gu long
Address: shijiazhuang
City: shijiazhuang
Province/State: hebei
Country: cn
Postal Code: 050043
Phone Number: 86-031-187935114
Fax: 86-031-187935116
Email: longcon@sina.com
gougou Posted July 30, 2010 at 05:23 AM
I just changed my DNS server to Google's, and accessed Gmail via https (I usually did so), and still was asked whether I wanted to store my password for ndns01.com...
roddy (Author) Posted July 30, 2010 at 05:24 AM
You may have a 'history' link near the footer of your Gmail pages (next to the recent activity notice?) which will show you IP addresses recently used to access your account. Nothing odd on mine.
gato Posted July 30, 2010 at 05:35 AM
There's a new thread on the Gmail support forum about the hijacking:
http://www.google.com/support/forum/p/gmail/thread?tid=7958ccba953d992c&hl=en - "Can the gmail team do anything about reported gmail hijacking?"
roddy (Author) Posted July 30, 2010 at 05:51 AM
Pretty sure they can't do anything at their end. Oh, perhaps they can use their excellent relationship with the Chinese government to . . . never mind. . .
valikor Posted July 30, 2010 at 02:40 PM
Happened again... I was suspicious because Chrome did not auto-fill my username and password. So, I intentionally entered an incorrect password. I got no error message, but was rather sent to another login page.
roddy (Author) Posted July 30, 2010 at 02:52 PM
Sort out your DNS - ie, eg. However, if you're using some kind of client software from your ISP to access the Internet, it may reset your DNS. The client for my 3G card did this until I figured out how to get rid of it. Keep an eye on it, see if it changes back. Another problem with doing that is that wireless networks that require you to log in / accept T&Cs via a webpage - in Beijing Sculpting in Time, Costa Coffee, and no doubt others - won't be able to redirect you to that webpage if you are specifying DNS servers. I think that's why I'd reverted from the Google DNS. Trick is to access the page directly.
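"Keep an eye on it" can be automated. The block below, an added example written for this thread and not code from any post, sends the same A-record query to the resolver your connection is using and to an overseas resolver, then compares the answers. It speaks raw DNS over UDP with only the standard library, so it does not depend on whatever the ISP's client software has written into your resolver settings. Assumptions: `accounts.google.com` as the host worth checking, `8.8.8.8` as the overseas resolver, the local resolver address given on the command line, and UDP port 53 reachable; `build_response` and the `192.0.2.x` addresses exist only so the parser can be exercised offline.

```python
"""Compare what two DNS resolvers say about a Gmail login host.

Added example for the thread, not code from it. Minimal RFC 1035 A-record
query/response handling written for this example; stdlib only.
Assumptions: local resolver from argv[1], overseas resolver 8.8.8.8,
host accounts.google.com, UDP/53 reachable.
"""
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query for `name` (header + one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, name ends
            return offset + 2
        offset += 1 + length


def parse_a_records(data: bytes, expected_txid: int = 0x1234) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    if flags & 0x000F:                     # RCODE != 0: NXDOMAIN, SERVFAIL, ...
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def build_response(name: str, addrs: list, txid: int = 0x1234) -> bytes:
    """Construct a response packet; used only for the offline self-check."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    body = build_query(name, txid)[12:]                # echo the question section
    for addr in addrs:                                  # answers point back at the qname
        body += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + body


def query(resolver_ip: str, name: str, timeout: float = 3.0) -> list:
    """One UDP query to `resolver_ip`; returns the A records it answers with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def compare_answers(local: list, remote: list) -> str:
    """Classify the two answer sets."""
    if not local or not remote:
        return "no answer from one side"
    if set(local) & set(remote):
        return "consistent"
    return ("divergent: no address in common (geo-DNS can cause this; "
            "whois the local answers before assuming a hijack)")


if __name__ == "__main__":
    import sys
    local_ip = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # your ISP's resolver
    remote_ip = "8.8.8.8"                                          # overseas resolver
    host = "accounts.google.com"
    local, remote = query(local_ip, host), query(remote_ip, host)
    print(host, "local:", local, "remote:", remote)
    print(compare_answers(local, remote))
```

Two caveats a practitioner would want. First, Google hands out different addresses by region, so divergence alone is not proof; it is the prompt to look up who owns the addresses the local resolver returned. Second, if the network intercepts port 53 transparently, the "overseas" query never reaches 8.8.8.8 and the two answers will agree for the wrong reason, which is consistent with gougou's report above that switching resolvers did not help; running the same script over the VPN gives a third data point.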
adrianlondon Posted July 30, 2010 at 03:11 PM
Could you change bookmarks to specify exact IP addresses?
roddy (Author) Posted July 30, 2010 at 05:58 PM
Probably could, but I think specifying https is enough, as you'll then get a warning if the certificate doesn't match.
m000gle Posted July 30, 2010 at 06:16 PM
I can't say for sure if specifying https will fix the problem, but it could help and certainly can't hurt. If you're using Firefox, you should take a look at this extension which automatically switches you from the unencrypted http page to the encrypted https one for a lot of popular websites. Also, is this still a problem when using a VPN? This could be useful in determining if it is actually DNS poisoning within China.
morpheus Posted July 31, 2010 at 08:40 AM
Somehow I suspect picking an https connection will be a little pointless. Gmail always redirects to the https login page. There is an option (if it isn't default yet) to read all email over https. If you go to gmail.com and aren't redirected automatically to an https page, then you have the wrong site.
The way I see it, if the guy is clever (he should be at least a little) he could redirect from gmail to his https server, provided a certificate for his fake site (signed by Verisign or whoever, which can be arranged). Firefox should gladly accept that without warning, because then it would be for the "correct" site. If his fake certificate is not signed, then you will get a warning about that. If he isn't running an https server, you would get some error message or timeout.
SSL is not guaranteed protection against truly resourceful people. See http://www.networkworld.com/community/node/64074
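The browser's check is "valid chain, and the name matches"; it says nothing about which CA issued the certificate. A certificate for the right name from a different CA than the one you saw last time is exactly the case the post above worries about, and it is detectable by recording the issuer once from a network you trust and comparing on every later connection. The block below is an added example for this thread, not code from any post or from Google: the live part uses Python's `ssl.create_default_context()` (chain and hostname verification, Python 3.4+) and `getpeercert()`; the two certificate dicts, their issuer names and the expiry dates are constructed, hypothetical values in the shape `getpeercert()` returns, not the real certificates of 2010.

```python
"""Is the https certificate the same one you saw from a trusted network?

Added example for the thread, not code from it. Live part: verifying TLS
handshake (chain + hostname). Offline part: summarise a getpeercert() dict,
match the hostname against its SANs, and compare the issuer with a recorded
value. Certificate dicts below are constructed, hypothetical data.
"""
import socket
import ssl


def cert_summary(cert: dict) -> dict:
    """Flatten getpeercert()'s nested RDN tuples into the fields worth comparing."""
    def rdn_to_dict(rdns):
        return {key: value for rdn in rdns for (key, value) in rdn}
    issuer = rdn_to_dict(cert.get("issuer", ()))
    subject = rdn_to_dict(cert.get("subject", ()))
    sans = sorted(value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS")
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "issuer_org": issuer.get("organizationName"),
        "sans": sans,
        "not_after": cert.get("notAfter"),
    }


def hostname_covered(hostname: str, sans: list) -> bool:
    """RFC 6125-style match: exact name, or a wildcard in the leftmost label only."""
    host_labels = hostname.lower().split(".")
    for san in sans:
        san_labels = san.lower().split(".")
        if len(san_labels) != len(host_labels):
            continue                     # "*.google.com" never covers "a.b.google.com"
        head, rest = san_labels[0], san_labels[1:]
        if rest == host_labels[1:] and (head == host_labels[0] or head == "*"):
            return True
    return False


def judge(summary: dict, hostname: str, expected_issuer_cn: str) -> str:
    """'pinned ok', or the first reason to distrust the presented certificate."""
    if not hostname_covered(hostname, summary["sans"]):
        return "certificate is not for %s" % hostname
    if summary["issuer_cn"] != expected_issuer_cn:
        return "issuer changed: expected %r, got %r" % (expected_issuer_cn, summary["issuer_cn"])
    return "pinned ok"


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check: handshake with chain and hostname verification, return the leaf."""
    ctx = ssl.create_default_context()                 # verifies chain + hostname
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed certificate dicts (hypothetical issuers and dates, not real certs).
RECORDED_FROM_TRUSTED_NETWORK = {
    "subject": ((("commonName", "accounts.google.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),), (("commonName", "Example CA G1"),)),
    "subjectAltName": (("DNS", "accounts.google.com"), ("DNS", "*.google.com")),
    "notAfter": "Dec 31 23:59:59 2011 GMT",
}
PRESENTED_BY_MITM = {
    "subject": ((("commonName", "accounts.google.com"),),),
    "issuer": ((("organizationName", "Some Other CA"),), (("commonName", "Other CA Root"),)),
    "subjectAltName": (("DNS", "accounts.google.com"),),
    "notAfter": "Dec 31 23:59:59 2011 GMT",
}

if __name__ == "__main__":
    pinned_issuer = cert_summary(RECORDED_FROM_TRUSTED_NETWORK)["issuer_cn"]
    live = cert_summary(fetch_cert("accounts.google.com"))
    print(live)
    print(judge(live, "accounts.google.com", pinned_issuer))
```

In practice you record the summary once over the VPN (or before travelling), then run the live check from the suspect network; a "pinned ok" means the browser's green padlock and your own memory agree, while "issuer changed" is worth a closer look even though the browser showed no warning. Legitimate issuer changes happen when the site renews with a different CA, so treat a mismatch as a signal to investigate, not as proof of interception.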
xiaojiang216 Posted August 3, 2010 at 02:17 PM
Hi all - To avoid this kind of problem, does it make sense to have my Gmail mail forwarded to my school e-mail address before I go to China?
morpheus Posted August 3, 2010 at 04:22 PM
"Hi all - To avoid this kind of problem, does it make sense to have my Gmail mail forwarded to my school e-mail address before I go to China?"
Yes, that would work. I'm not sure how pervasive the initial problem was, however.
crisgee Posted August 4, 2010 at 02:00 PM
This happened to me just now. So I immediately changed my password.
Koterpillar Posted August 9, 2010 at 09:53 AM
Does everyone affected have the Namipan (纳米盘) Firefox extension? For me, the problem only occurred in Firefox, therefore it's not ISP or DNS, as suggested. After removing said extension, the page was no longer stealing the password.
gougou Posted August 10, 2010 at 01:10 AM
I do not have that extension, and still it occurred. But as it did not happen every time I accessed Gmail, maybe you just happened to be using Firefox at the time it happened?