SCF Advanced Search

  • Total Members: 14062
  • Latest: jagwire
  • Total Posts: 41441
  • Total Topics: 14944
  • Online Today: 614
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: Clever Phishing Attacks Target Google, Yahoo, DHL Customers  (Read 2383 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Clever Phishing Attacks Target Google, Yahoo, DHL Customers

Last week McAfee Labs received a phishing page that efficiently uses the CSS format of the Gmail login page and appears to be a legitimate Gmail page. When we opened the malformed HTML file we sometimes saw this warning:

After the warning, the following Gmail login page appeared. Even the tech savvy could fall prey to this phishing hook because the entire page, except for the “Sign In” button, is present on the legitimate Gmail CSS.

The only catch was the URI, which showed “data:text/html;base64,DQo8IURPQ1RZUEUgaHRtbD…” instead of The complete HTML page was Base 64 encoded to evade basic antispam gateways. Part of the Base 64–decoded HTML page follows:

Once a victim enters username and password and signs in, the data in the login form is exfiltrated to an unsecured remote server. We sniffed the packets sent to the remote server and found that the username and password were sent in an unencrypted form over an unsecured HTTP protocol. This makes the theft even worse because credentials could easily be snooped through man-in-the-middle or eavesdropping attacks.

Once the credentials are covertly exfiltrated to the remote server, the victim is redirected to the Gmail page. We were surprised to see that these actors have not secured their web servers. We walked through their directory listings and found that they are clearly responsible for stealing user credentials from various portals. Here are a few of their live phishing pages on the unsecured server:

We went a step further and found that the actors have used virtual web hosting techniques and registered multiple domain names that use the same IP address: Some of the domains serving other phishing campaigns were active during our research.

Some of the domains are mentioned below:

While closely looking at some of the preceding domains, we found a few that were registered through the same email address in the past:

Among these, some live domains, including,, and, contain malicious phishing pages. Email ID has registered multiple malicious domains, so the owner of this email ID might be the one of the actors running this malicious activity.

These actors seem to have used the open-source Gmail hack code available in Github:

Though the intent of the open-source scripts is to educate enthusiasts and novices in ethical hacking, there are always opportunities for abuse.

Intel Security products offer coverage for all of these phishing variants as Phish-SiteFraud.

original article:
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising