Attack of the Zombie Orkut Phishing Pages

We have a retro-tinged phish for you today, illustrating how even a long-dead website can be a danger to your logins.

Orkut was a Google-run social network, invite-only and very popular in places like Brazil, India and the U.S.

Unfortunately, its users were frequent targets of scams, and I myself researched the first worm on the Orkut network way back in 2006. Eventually, other Google services became more popular and the shutters came down for good in 2014.

Google have archived public posts for you to wade through at leisure, but should you wish to obtain copies of your other data you can do so at Google Takeout.

Your Orkut info is still recoverable

This is done by logging into your Google Account, navigating to the relevant Archive section and being offered a mixture of original format files and HTML.

Choose the format of your data download

In other words, your still-dead Orkut account has a value attached, in the form of your entirely still-alive Google login. As a result, you’ll still occasionally come across the odd fake Orkut frontpage asking for credentials:

Fake Orkut Login

The above is located at


The page reads as follows:

Who do you know?

Connect to your friends and family using scraps and instant messaging

Meet new people through friends of friends and communities

Share your videos, pictures and passions all in one place

Sign in to orkut with your Google Account

There’s another one using the same layout and text at


Another fake Orkut login

These Zombie Login pages are effective whether the scammer intended any sort of “Reclaim your data” riff or not – it doesn’t matter if the page is a regular Orkut login (the ones above are straight copies of the old Orkut frontpage), or geared towards reclaiming Takeout data.

It doesn’t matter if the fakes were created last week, last month or last year. For as long as old users of Orkut associate it with a Google login, it will always be something that can be leveraged as a potential way in to a Google account whether Orkut is actually active or not.

Should the unwary end up on an Orkut phish by chance, they may well assume the phony site is somehow the first step to grabbing their old information.

With a few taps of the keyboard, their Google login will have been swiped (another good reason to use a password manager, incidentally, because they won’t go auto-filling your data on a fake website – assuming they have autofill and you’re making use of it, of course).
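The origin check behind the password-manager point above, as an added example that is not part of the original post: a saved credential is offered only when the page's scheme, host and port match the stored origin exactly. The saved entry, the `accounts.google.com` origin and every sample URL are constructed assumptions, and real password managers may apply additional matching rules.

```javascript
// Added example: exact-origin matching, the check that keeps autofill
// from firing on a lookalike login page.
// The saved entry and all page URLs below are constructed sample values.
const SAVED = { origin: "https://accounts.google.com", username: "user@example.com" };

// Returns the origin of a page URL, or null if the URL cannot be parsed
// or the page is not served over HTTPS.
function pageOrigin(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch {
    return null;
  }
  if (u.protocol !== "https:") return null;
  return u.origin; // scheme + host + port; userinfo and path are excluded
}

// Offer the saved credential only when the page origin equals the saved origin.
function shouldAutofill(entry, pageUrl) {
  const origin = pageOrigin(pageUrl);
  return origin !== null && origin === entry.origin;
}

const samples = [
  "https://accounts.google.com/signin",         // genuine origin
  "https://accounts.google.com.login.example/", // real name used as a subdomain label
  "https://accounts.google.com@login.example/", // real name placed in the userinfo part
  "http://accounts.google.com/signin",          // plaintext scheme
  "https://orkut-login.example/",               // unrelated host with a copied layout
  "https://accounts.google.com:8443/",          // same host, different port
];

// Pairs each sample URL with the autofill decision for the saved entry.
function decisions() {
  return samples.map((url) => [url, shouldAutofill(SAVED, url)]);
}

for (const [url, ok] of decisions()) {
  console.log(ok ? "fill" : "skip", url);
}
```

Only the first sample is filled; a copied layout and familiar text, as on the pages above, play no part in the decision.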

A single sign-on for multiple services is one way to lessen the impact on users where all of the products are managed by a single company, but this does mean that when one of those services fades into oblivion it can still end up being a gateway to phishing scams.

Whether you have fond memories of Orkut, scrapbooks and the occasional worm or your first response is “Orkut on the what now”, be mindful of where you’re entering your Google login – there’s a time and a place for handing over your email and password, and the above two websites are most definitely not it.

Christopher Boyd


Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.