Thursday, February 27, 2014

Gmail Phishing Attack - Why the Anti-spam Solutions Fail to Trigger ?

Update: 5th March, 2014

Note: I am concerned because it got delivered to my personal gmail inbox -:)

It looks like the phishing attack discussed earlier (a week ago) on gmail users is still underway. Although, the attack is public now, the endpoint security solutions deployed by Google still fails to mark the emails as phished. The latest snapshot of this attack is presented below:

Links: 
  • hxxp://croydon.com.br/phpthumb/serv/serv/Login.htm 
  • hxxp://croydon.com.br/phpthumb/serv/serv/badu.php






It is not a reliable way to depend heavily on safe-browsing all the time for blacklisting the phishing websites rather the prevention has to be triggered at the time of origin. Let's see how long this continues. 

-------------------------------

A recent targeted phishing attack has been launched against gmail.com users. Interestingly, the email slipped through Google end point security solution which fails to detect the spam email and served it properly to the user's inbox.


Visiting the link results in the following webpage showing the same layout as of Gmail. 


Malicious Check: 

Overall, basic steps:
  1. The user is redirected and served with a gmail.com webpage here: hxxp://www.nusurgix.com/virtusite/phpthumb/serv/Login.htm
  2. The form submission sends all the POST data to: hxxp://www.nusurgix.com/virtusite/phpthumb/serv/badu.php
  3. The user redirects successfully to legitimate gmail.com webpage: hxxps://accounts.google.com/

The website is hosted on a CMS hosting server as shown below:


Overall, it might not be that sophisticated attack, but a few inferences:
  • Smart user would have detected that this is a trick even it is delivered to inbox.
  • Big issue, the anti-spam solutions in Google's network fails to detect it and mark it as phished. 
  • There might be a possibility that a few users would have fallen to this trick but we cannot be sure.
  • The attacker used a compromised network infrastructure to execute this attack. A healthcare provider hosting account is compromised.
  • This type of attack if remains active for only few minutes could have already garnered a good set of accounts.
Do not fall for this trap !