Vimeo Members Hit by Phishing Email Scam
A high-level phishing attack targeted members of the video sharing site Vimeo, and purported to come from Washington Post reporters.
Vimeo, a popular online video sharing site, usually has the backing of the hacking and activist community (witness recent hacking attacks on internet service providers that have chosen to block Vimeo due to its use for video sharing). Yet a phishing attack late last week suggests that Vimeo's growing popularity may come at a price to those who have never even used the site.
Last Thursday, around 6 PM Eastern Time, a Vimeo user posted a comment to a Vimeo forum article indicating receipt of an email that purported to be from a Washington Post journalist.
That Vimeo forum is Vimeo's way of allowing users to report spam. Prior to the Thursday posting, there had been no more than twenty comments to the spam article in the past twelve months.
When the Vimeo user posted the comment, including the body of the email text, a Vimeo technical support representative responded saying that there was no record of an account by that name and that it appeared not to be an issue. Both that initial posting and the tech support representative's response has since been deleted, suggesting that Vimeo was not informed of the nature of the issue until Friday morning.
I received the phishing email on a non-public email address, which is also not registered with Vimeo, on Friday at 12:47 AM. Via the preview feature on an iPhone, without opening the email, I was able to determine it was spam, although the mail system did not flag it as spam.
A few hours later, I searched for key phrases in the email and found the Vimeo spam article noted above. By that time, 6:30 AM. on Friday, there were more than 120 responses to the spam article, with the last 100 being specifically about the phishing email.
The oldest comment still on the spam article is from a Vimeo user named Chris Cook, in which he provides the email's body text:
I found your video on vimeo.com (video-sharing site), can we publish your video on our news website?
Dilys Sullivan, journalist
The Washington Post (washingtonpost.com)
The phishing attack provides a set of links for the Washington Post "request" to post videos, including a link to reply to the purported message from within the Vimeo messaging system, a link to the user's profile and -- at least in Cook's case -- a third link. More recent copies of the email have risen in quality of text.
As of today at noon Eastern Time, there appear to be more than 300 posts about this specific spam message, and several interesting trends emerged.
First, the template copy was a very good copy, even showing it was sent from "email@example.com" for those who might initially think the email was spam.
"We became aware of phishing attempts earlier today," a Vimeo spokesperson wrote late Friday, almost 24 hours after the first posting appeared. "Third parties have copied Vimeo's email template and have been using that template to send phishing emails to many persons."
Second, the links within the emails point toward a Canadian on-line pharmacy, at least based on hovering over the link. For many users, however, the links resolve to other locations, including several German and Russian sites.
"The interior links, although they look like they are Vimeo, are clearly NOT from Vimeo," wrote Vimeo member Mandy Thomas. "If I hover over the interior links in the email, they are something else, not a Vimeo link. Below is the content of the emails I have been receiving. The only thing that changes is the name of the so-called Journalist ...".
Third, as Thomas mentions, it appears that every email in the phishing attack has a different name for the Washington Post "journalist": of the three emails that I received on my private email address, each purporting to be from a Washington Post journalist, the "journalist" name is different. A search of the Vimeo forum posting shows hundreds of different names being used.
Fourth, the phishing emails were sent not only to Vimeo users, but to many non-users, such as myself, that had not signed up for a Vimeo account.
"Third parties have copied Vimeo's email template," the Vimeo spokesperson reiterated in a written statement, "and have been using that template to send phishing emails to many persons including persons who do not have Vimeo accounts."
Fifth, given the fact that so many names are being used, it appears to be a sophisticated enough phishing attack that it brings in to question a security breach. Vimeo denies this has happened.
"Importantly, however, there has been no security breach at Vimeo and the responsible third parties are not using Vimeo's servers or database of emails to send these emails," the spokesperson noted. "We have informed users that this is happening and have instructed them not to respond to the emails."
Sixth, it is possible that each of the Washington Post "journalist" names is the name of another Vimeo user, spreading additional confusion.
For instance, in an email sent to Vimeo Plus user Visual Nomad, the journalist is a "Sliona White" and a user profile is given if Visual Nomad wanted to reply (vimeo.com/messages/user142695221) as well as a purported link to Sliona White's profile on Vimeo (vimeo.com/user142695221).
It is uncertain whether the user profile matches the name. If it does, however, this would indicate a potential data breach.
Seventh, the fact that it went to so many private accounts, and a very high number of Mac.com / Me.com addresses brings in to question whether the phishing attack generated from lists within Vimeo or the email service providers. For instance, a number of the phishing emails were generated from nk11p00mm-smtpin129.mac.com ([184.108.40.206]), a Mac.com email server.
Vimeo says it is working with email service providers, especially after non-Vimeo account holders received multiple "requests" from the Washington Post "journalist".
"We are also reaching out to email providers whose domains appear to be targeted to block these emails," the spokesperson noted.
Finally, while the Washington Post "request" emails have ceased, a number of spam emails offering to sell "high-quality medications online" have replaced the initial email.
Having never received spam on my personal account, I've now received six messages in the past two days. This again trends toward a potential security breach, at worst, or at best it indicates that the phishing attack was successful in raising the profile of the compromised Vimeo user accounts and non-users alike.
The Washington Post responded to the phishing attack with its own blog post.
"Spammers appear to be posing as journalists from The Washington Post and sending e-mails to users of the video-sharing site Vimeo," wrote the Washington Post's Andrew Pergam in a blog post late Friday afternoon.
"In those e-mails they're offering to run the videos on washingtonpost.com," Pergam continued, adding, "These e-mails are not coming from the Post. No one on our staff is seeking any information regarding Vimeo videos."
So what is the streaming industry to make of this attack? Is it just a sign of the growing popularity of online video, or a data breach? At this point there's no good answer.
Vimeo needs to be more forthcoming about the number of coincidental issues that trend toward a potential data breach, but the industry as a whole needs to begin to think about security issues -- beyond digital rights management -- that StreamingMedia.com has addressed in several articles over the past two years. By dealing with basic two-factor authentication of e-commerce and financial institutions, we can make the streaming industry safer for the average online video viewer.
As more and more employees use their smartphones on enterprise networks, security firms are taking a cue from content protection and controlled-access media technologies
Corporate IT managers grapple with the new bring-your-own-device culture, a new take on unified communications, and the rise of ECDN solutions.