Advanced phishing with Google's legitimate SSL

About two months ago, we posted about a phishing scam that used the Google Docs and Google Drive services. It is circulating again, but this time it is more effective than the millions of messages we see every day, because the Google Drive phishing page is served over SSL by the legitimate Google Drive service itself.

Those who check whether a page is phishing focus mostly on visually inspecting the URL to make sure the connection is secure. That is a good approach, but it will not help against this specific attack.

As in the past, the attackers' phishing message uses a simple Google Docs theme and contains a URL pointing to a phishing page hosted on Google Drive file storage:

Figure 1. Google Drive phishing page

However, this time they have made a small mistake. In the bottom corner of the page there is a language selection menu. For a careful observer this could be a red flag that something is wrong. It looks like the phishers accidentally defaced the page, as some language names are displayed with a question mark on each side:

Figure 2. Damaged language options

This corruption is probably because Google lists each language as it is written in the countries where it is spoken: for example, Korean is listed in Korean, in the Hangul alphabet: 한국어. When the phishers saved a copy of the Google page, they probably stored it not in UTF-8 but in ISO-8859-1 (Latin-1), which cannot represent those characters and so produces this error in the displayed text.
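To show why a Latin-1 save produces exactly this symptom, here is a short Python example added to this article (it is not code from the original post or from Symantec); the language selector it uses is a constructed sample, and the helper names are assumptions of the example.

```python
# Added example: simulates re-saving a UTF-8 page in ISO-8859-1 and flags the
# <option> labels that were reduced to '?' replacement marks by that step.
import re
from typing import List

# Constructed sample of a language selector; the non-Latin names are the ones
# ISO-8859-1 cannot represent.
LANGUAGE_SELECTOR = (
    '<select id="lang">'
    '<option value="en">English</option>'
    '<option value="de">Deutsch</option>'
    '<option value="el">Ελληνικά</option>'
    '<option value="ko">한국어</option>'
    '<option value="ja">日本語</option>'
    '</select>'
)

OPTION_RE = re.compile(r"<option[^>]*>(.*?)</option>", re.S)


def resave_page(html: str, charset: str) -> str:
    """Simulate writing the page's text with `charset` and reading it back.

    Characters the charset cannot encode are replaced with '?', which is what
    many editors do when asked to store non-Latin text as Latin-1.
    """
    return html.encode(charset, errors="replace").decode(charset)


def damaged_options(html: str) -> List[str]:
    """Return the <option> labels that now consist only of '?' marks."""
    labels = [m.group(1).strip() for m in OPTION_RE.finditer(html)]
    return [label for label in labels if label and set(label) <= {"?"}]


if __name__ == "__main__":
    # A faithful UTF-8 copy keeps every name; a Latin-1 copy loses three.
    for charset in ("utf-8", "iso-8859-1"):
        print(charset, damaged_options(resave_page(LANGUAGE_SELECTOR, charset)))
```

The same check, run over a saved copy of a suspect page, gives a quick way to confirm that the '?' labels come from an encoding mistake rather than from the victim's browser.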

Many victims will not see this error because it sits in a corner of the page and is easy to miss. Even if a victim notices the wrong characters, they may think it is a small bug or a problem with their own computer.

Stolen credentials are sent to a PHP script hosted on a compromised server:


According to Symantec, this script has the same name (performact.php) as the one we saw in the scam we reported two months ago, suggesting that the same group is behind the attack (or at least that they are using the same phishing kit). The script redirects the victim to a document hosted on Google Drive and is designed to send the credentials to the attackers.

iGuRu.gr


Written by giorgos
