Last week McAfee Labs received a phishing page that efficiently uses the CSS format of the Gmail login page and appears to be a legitimate Gmail page. When we opened the malformed HTML file we sometimes saw this warning:
After the warning, the following Gmail login page appeared. Even the tech savvy could fall prey to this phishing hook because the entire page, except for the “Sign In” button, is present on the legitimate Gmail CSS.
The only catch was the URI, which showed “data:text/html;base64,DQo8IURPQ1RZUEUgaHRtbD…” instead of gmail.com. The complete HTML page was Base 64 encoded to evade basic antispam gateways. Part of the Base 64–decoded HTML page follows:
Once a victim enters username and password and signs in, the data in the login form is exfiltrated to an unsecured remote server. We sniffed the packets sent to the remote server and found that the username and password were sent in an unencrypted form over an unsecured HTTP protocol. This makes the theft even worse because credentials could easily be snooped through man-in-the-middle or eavesdropping attacks.
Once the credentials are covertly exfiltrated to the remote server, the victim is redirected to the Gmail page. We were surprised to see that these actors have not secured their web servers. We walked through their directory listings and found that they are clearly responsible for stealing user credentials from various portals. Here are a few of their live phishing pages on the unsecured server:
We went a step further and found that the actors have used virtual web hosting techniques and registered multiple domain names that use the same IP address: 126.96.36.199. Some of the domains serving other phishing campaigns were active during our research.
Some of the domains are mentioned below:
While closely looking at some of the preceding domains, we found a few that were registered through the same email address in the past:
Among these, some live domains, including flayconcepts.com, purtglobal.com, and sparboh.net, contain malicious phishing pages. Email ID firstname.lastname@example.org has registered multiple malicious domains, so the owner of this email ID might be the one of the actors running this malicious activity.
These actors seem to have used the open-source Gmail hack code available in Github:
Though the intent of the open-source scripts is to educate enthusiasts and novices in ethical hacking, there are always opportunities for abuse.
McAfee products offer coverage for all of these phishing variants as Phish-SiteFraud.