Monday, August 22, 2011

Be aware of Gmail phishing pages

Phishing is certainly not a new attack vector but attackers are constantly using it to fool victims into entering sensitive information like authentication credentials. As I mentioned in a blog post a couple of years back, such attacks will never go away as phishing is a trivially easy attack vector that can be used to steal sensitive personal information. There are number of popular websites being targeted in phishing campaigns to steal sensitive information. Recently, we came across one website claiming to be a Gmail login page. Here is the screenshot of the website:

The above page is largely identical to a legitimate Gmail login page but there are a couple of important differences to be noted. The address of the website is not “www.gmail.com” but rather points to “hxxp://kphb2040.110mb.com/Photosnewmine.htm”. Additionally, the copyright notice is out of date.

If you enter your username and password, the entered data will be sent to a malicious server and you will then be redirected to the legitimate Gmail website. The attacker has done this intentionally so that a victim will assume that the initial login wasn’t successful and they must then re-enter their login credentials.

Even if you enter fake information, you will be redirected to legitimate Gmail site. For testing purposes, we have entered fake account information. The following packet capture illustrates the POST request:

The victim’s email address and password has been sent to “input.php” and they are then redirected to the real “mail.gogle.com” website. There are plenty of such websites are present on the Internet and users should be cautious any time they are entering login credentials. Always check URL address before entering any sensitive information on a webpage. Instead of clicking on links, when possible manually enter the website address in the address bar.

Careful…

Umesh

1 comment: