Clever Phishing Attacks Target Google, Yahoo, DHL Customers

By on Feb 16, 2016

Last week McAfee Labs received a phishing page that efficiently uses the CSS format of the Gmail login page and appears to be a legitimate Gmail page. When we opened the malformed HTML file we sometimes saw this warning:

Warning

After the warning, the following Gmail login page appeared. Even the tech savvy could fall prey to this phishing hook because the entire page, except for the “Sign In” button, is present on the legitimate Gmail CSS.

login

The only catch was the URI, which showed “data:text/html;base64,DQo8IURPQ1RZUEUgaHRtbD…” instead of gmail.com. The complete HTML page was Base 64 encoded to evade basic antispam gateways. Part of the Base 64–decoded HTML page follows:

decoded
Once a victim enters username and password and signs in, the data in the login form is exfiltrated to an unsecured remote server. We sniffed the packets sent to the remote server and found that the username and password were sent in an unencrypted form over an unsecured HTTP protocol. This makes the theft even worse because credentials could easily be snooped through man-in-the-middle or eavesdropping attacks.

network

Once the credentials are covertly exfiltrated to the remote server, the victim is redirected to the Gmail page. We were surprised to see that these actors have not secured their web servers. We walked through their directory listings and found that they are clearly responsible for stealing user credentials from various portals. Here are a few of their live phishing pages on the unsecured server:

directory

 

We went a step further and found that the actors have used virtual web hosting techniques and registered multiple domain names that use the same IP address: 104.193.142.193. Some of the domains serving other phishing campaigns were active during our research.

dhl

yahoo

Some of the domains are mentioned below:

virustotal1

While closely looking at some of the preceding domains, we found a few that were registered through the same email address in the past:

domain_relatedtomercypalace

Among these, some live domains, including flayconcepts.com, purtglobal.com, and sparboh.net, contain malicious phishing pages. Email ID mercypalace2000@yahoo.com has registered multiple malicious domains, so the owner of this email ID might be the one of the actors running this malicious activity.

These actors seem to have used the open-source Gmail hack code available in Github:

  • https://github.com/ianvizarra/gmail-phishing-code

Though the intent of the open-source scripts is to educate enthusiasts and novices in ethical hacking, there are always opportunities for abuse.

McAfee products offer coverage for all of these phishing variants as Phish-SiteFraud.

About the Author

Devendra Singh

Devendra Singh is a Research Scientist with McAfee Labs. He enjoys working on latest threats and figuring out ways to protect customers from them. His hobbies include playing cricket and reading books.

Read more posts from Devendra Singh

Subscribe to McAfee Securing Tomorrow Blogs