What’s the first thing you think when you see a URI that is very similar to, but not quite the same as, a site you know and trust?
I haven’t logged into Orkut for quite a while, so when Steph sent me an IM asking for my thoughts on ‘Orcut.com’, I found myself both curious and deeply suspicious, even more so when I found there a perfect facsimile of the Orkut.com front page.
My immediate thought was ‘this must be a phishing site’ – I imagined that behind the login page was likely to be some sort of scam asking for your credit card details, so I decided not to log in to find out. I don’t have any information on Orkut that I’m not happy to be public, but still, I don’t like the idea of my username and password being in anyone else’s possession.
Curious as to what was going on, Steph and I did a quick Google. Our search kicked up a bunch of blog posts from people saying that if you couldn’t get into Orkut.com you should try Orcut.com or Orkat.com. We took a look at Orkat.com, and sure enough there’s another perfect facsimile of the front page of Orkut. Has to be phishers, we thought, and we weren’t alone.
Further down in the search results, though, is a post from Evan Williams, dated 9 May 04, saying:
There was a DNS snafu that’s made Orkut unreachable for many people for a while. If you need your fix, orkat.com works (or orcut or orcit).
Sure enough, Orcit.com works too.
A straw poll of #joiito showed that no one knew anything about these alternative domains, but James Roberts did a bit more digging and found that the name servers for these domains are NS1.GOOGLE.COM through NS4.GOOGLE.COM, and that the registrar is the same as Google.com.
So it seems that these sites aren’t phishing sites at all, but legitimate alternative domains for Orkut. Yet nowhere can we find any official information about them. Google have made no effort to communicate to Orkut users that these sites are legitimate – no messages, no email, no official announcement.
Maybe they felt that the snafu was temporary and they didn’t want people getting used to a different URI, but if that’s the case, why are these gateways still there?
I can’t help feeling unhappy with this. As James said on IRC, “I would be more comfortable if they just redirected to Orkut.com with a message.”
At a time when we should be encouraging people to be suspicious of anything that might be a phishing site, Google are being very irresponsible by creating three domains that are essentially based on typos of the original, and then failing to provide any indication that they are legitimate sites. This tactic is exactly the sort used by phishers to gain credit card information, and we should be teaching less savvy/paranoid web users to be suspicious of URIs which are one or two characters different from established and trusted sites.
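The two checks described above – spotting a domain that is only one or two characters away from a trusted one, and then comparing its name servers with the trusted site’s, as James did – can be written down as a small script. The example below is added here and is not code from the original post or from Google/Orkut; the name server sets are constructed from what the post reports (NS1 to NS4.GOOGLE.COM), and the domain `0rkut.example` and its name server are invented placeholders for an unrelated look-alike. In practice the NS sets would come from a lookup such as `dig NS orcut.com`.

```python
"""Look-alike domain triage: edit distance plus name server comparison.

Added illustration, not the post's own code. All NS data below is
constructed by hand rather than looked up live.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def second_level_label(domain: str) -> str:
    """Return the label left of the TLD, e.g. 'orkut' for 'Orkut.com.'.

    Assumption: two-label names like example.com; public-suffix handling
    (co.uk etc.) is out of scope for this illustration.
    """
    return domain.lower().rstrip(".").split(".")[-2]


def is_lookalike(candidate: str, trusted: str, max_distance: int = 2) -> bool:
    """True when the candidate's label is within max_distance edits of the
    trusted label but not identical to it."""
    c, t = second_level_label(candidate), second_level_label(trusted)
    return c != t and edit_distance(c, t) <= max_distance


def classify(candidate: str, trusted: str, ns_records: dict, max_distance: int = 2) -> str:
    """Classify a candidate domain relative to a trusted one.

    ns_records maps a domain to the set of its NS hostnames (lowercase).
    Sharing the trusted site's name servers is a hint that the domain is
    operated by the same party; it is not proof, since shared DNS hosting
    is common, so the result is a triage label rather than a verdict.
    """
    if not is_lookalike(candidate, trusted, max_distance):
        return "unrelated"
    shared = ns_records.get(candidate, set()) & ns_records.get(trusted, set())
    return "lookalike-same-ns" if shared else "lookalike-different-ns"


# Constructed NS data: the post reports ns1-ns4.google.com for the Orkut
# alternates; the '0rkut.example' entry is an invented placeholder.
GOOGLE_NS = {f"ns{i}.google.com" for i in range(1, 5)}
NS_RECORDS = {
    "orkut.com": set(GOOGLE_NS),
    "orcut.com": set(GOOGLE_NS),
    "orkat.com": set(GOOGLE_NS),
    "orcit.com": set(GOOGLE_NS),
    "0rkut.example": {"ns1.unrelated-host.example"},  # constructed
}


def triage_report(trusted: str, candidates: list, ns_records: dict) -> dict:
    """Classify each candidate against the trusted domain."""
    return {c: classify(c, trusted, ns_records) for c in candidates}


if __name__ == "__main__":
    report = triage_report("orkut.com", list(NS_RECORDS), NS_RECORDS)
    for domain, label in report.items():
        print(f"{domain:15} {label}")
```

Running it lists each of the three alternates as look-alikes that share Orkut.com’s name servers, while the constructed `0rkut.example` is flagged as a look-alike on different infrastructure, which is the case that deserves a closer look. The point of the edit-distance threshold is exactly the one made above: names one or two characters away from a trusted site should trigger a check, not a login.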
I think it would be sensible if Google/Orkut either pulled these domains, or provided official notices – particularly on Orkut.com itself – that they are legitimate. It’s important that we do not lull less experienced users into a false sense of security over issues like this.