
Phishing Trick Targeting Google Relies on Data URIs to Mask the Page's Real URL


Batu69


This is harder to spot than other similar phishing campaigns

[Image: Phishing page blocked by ESET]

 

Google took down a recent phishing campaign that was abusing Goo.gl short URLs and an older data URI trick to mask the page's real URL and fool victims into thinking they were on the actual Google login page.

According to My Online Security, who analyzed this recent phishing campaign, crooks were spreading around a Goo.gl short URL, now taken down, which was redirecting users to a page on the nwfacilities[.]top domain.

Data URIs used for URL spoofing phishing scams

The problem was that this page contained code that refreshed the page and replaced its original URL with one reading "data:text/html,https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue."

Apart from the "data:text/html" prefix at the start, this is the actual, real-life link to the Google login page.

The nwfacilities[.]top page would also load an iframe covering the entire window, a carbon copy of the Google login page with one difference: the form's submit URL sent all the entered data to the crooks' servers.

Trick is somewhat effective, works only in Chrome

Even somewhat tech-savvy users would have a hard time detecting this phishing campaign, mainly because the address bar contained the real Google login page URL.

Nevertheless, in the case of login pages, users should always keep in mind that the only acceptable prefix for such pages is "https://", and only "https://", never a data URI such as "data:text/html" or anything else.

Fortunately, the trick does not work in every browser, since data URIs are not supported in the same way everywhere. This particular page was effective only in Google Chrome and some Firefox versions.
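The address-bar check described above, as an added example that is not part of the original article: a small classifier that flags a credential prompt whose URL is a data: URI (in particular one whose body begins with the real login URL, as in this campaign) or is not an https URL on the expected host. The allow-list of legitimate hosts and the decoding helper are assumptions made for this example.

```python
import base64
import re
from urllib.parse import urlparse, unquote

# Constructed allow-list for this example: the host the genuine Google sign-in
# page is served from, as quoted in the article.
LEGIT_LOGIN_HOSTS = {"accounts.google.com"}


def decode_data_uri(uri):
    """Return (mediatype, payload_text) for a data: URI, or None if it is not one."""
    if not uri.lower().startswith("data:"):
        return None
    header, sep, body = uri[5:].partition(",")
    if not sep:
        return None
    params = header.split(";")
    mediatype = params[0] or "text/plain"
    if "base64" in params[1:]:
        try:
            body = base64.b64decode(body, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            body = ""
    else:
        body = unquote(body)
    return mediatype, body


def classify_login_url(url):
    """Classify the URL shown in the address bar of a page asking for credentials."""
    data = decode_data_uri(url)
    if data is not None:
        mediatype, body = data
        # The trick from the article: a data: URI whose body *starts with* the real
        # login URL, so the address bar reads almost like the genuine page.
        if re.match(r"\s*https?://", body):
            return "phishing-suspect", "data: URI disguised as " + body.split()[0][:60]
        # Inline HTML that draws its own form or a full-page iframe is just as bad.
        if re.search(r"<(iframe|form)\b", body, re.I):
            return "phishing-suspect", "inline %s carrying a form or iframe" % mediatype
        return "suspicious", "credentials requested from a data: URI"
    parts = urlparse(url)
    if parts.scheme != "https":
        return "suspicious", "login page not served over https"
    if parts.hostname not in LEGIT_LOGIN_HOSTS:
        return "suspicious", "unexpected host " + (parts.hostname or "")
    return "ok", "https login URL on a known host"
```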

Using data URIs for phishing is a very old trick, pioneered in the late 2000s, and eventually perfected by a researcher from the University of Oslo in Norway in 2012, when he created one of the first page-less phishing campaigns.

 

[Image: Phishing page in action, notice the page's URL]

 

Article source
