Category Archives: phishing

Login-stealing phishing sites conceal their evil with lots of hyphens in URL

Researchers at PhishLabs recently spotted a trend emerging in malicious web sites presented to customers: mobile-focused phishing attacks that attempt to conceal the true domain they were served from, by padding the subdomain address with enough hyphens to push the actual source of the page outside the address box on mobile browsers.

"The tactic we're seeing is a tactic for phishing specifically mobile devices," said Crane Hassold, a senior security threat researcher at PhishLabs' Research, Analysis, and Intelligence Division (RAID).

Hassold called the tactic "URL padding": front-loading the web address of a malicious page with the address of a legitimate website. The tactic, he said, is part of a broad credential-stealing campaign that targets sites that use an e-mail address and password for authentication; PhishLabs reports that there has been a 20 percent increase overall in phishing attacks during the first quarter of 2017 over the last three months of 2016. The credentials are likely being used in other attacks based on password reuse.
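The padding trick works because the registrable domain sits at the far right of the hostname, while a narrow mobile address bar shows only the left-hand prefix. The following Python is an added example (not code from the article or from PhishLabs) of a defender-side URL check that extracts the registrable domain, measures the longest hyphen run, and reports whether the real domain would fall outside a fixed-width visible prefix. The sample URLs, the `.test` hostnames, the brand list, and the thresholds `MAX_HYPHEN_RUN` and `VISIBLE_CHARS` are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs: the attacker hostnames are placeholders under the
# reserved .test TLD, not real sites from the article.
SAMPLE_URLS = [
    "http://m.facebook.com-----------------------validate----step1.paddeddomain.test/login.html",
    "https://m.facebook.com/login.php",
    "http://accounts.google.com.secure-login.paddeddomain.test/",
]

# Heuristic thresholds (assumptions for this example, not values from the article).
MAX_HYPHEN_RUN = 5      # longest run of '-' tolerated inside a hostname
VISIBLE_CHARS = 30      # roughly what a narrow mobile address bar might display
IMPERSONATED = {"facebook.com", "google.com"}  # brands we want to watch for


def registrable_domain(hostname):
    """Naive 'last two labels' rule. A production check should use the
    public suffix list so that e.g. example.co.uk is handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def longest_hyphen_run(hostname):
    """Length of the longest consecutive run of '-' characters."""
    return max((len(run) for run in re.findall(r"-+", hostname)), default=0)


def analyse_url(url):
    """Return a verdict dict describing why a URL looks like a padded phishing link."""
    host = urlsplit(url).hostname or ""
    true_domain = registrable_domain(host)
    visible = host[:VISIBLE_CHARS]
    hyphens = longest_hyphen_run(host)
    # A brand name that appears somewhere in the hostname but is NOT the registrable domain
    spoofed = sorted(b for b in IMPERSONATED if b in host and true_domain != b)
    reasons = []
    if hyphens > MAX_HYPHEN_RUN:
        reasons.append(f"hyphen run of {hyphens} characters")
    if spoofed:
        reasons.append(f"brand {spoofed[0]} in hostname, but registrable domain is {true_domain}")
    return {
        "host": host,
        "registrable_domain": true_domain,
        "longest_hyphen_run": hyphens,
        "spoofed_brands": spoofed,
        # True when the part the user would see omits the real domain entirely
        "domain_hidden": true_domain not in visible,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict = analyse_url(url)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {verdict['registrable_domain']:20} hidden={verdict['domain_hidden']} {verdict['reasons']}")
```

The `domain_hidden` field is reported separately rather than used as a trigger on its own, because legitimately long hostnames also overflow a short address bar; the verdict only fires on a long hyphen run or on a watched brand appearing left of a different registrable domain, which is the combination the article describes.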


Google phishing attack was foretold by researchers—and it may have used their code

(Image credit: Sean Gallup / Getty Images)

The "Google Docs" phishing attack that wormed its way through thousands of e-mail inboxes earlier this week exploited a threat that had been flagged earlier by at least three security researchers—one raised issues about the threat as early as October of 2011. In fact, the person or persons behind the attack may have copied the technique from a proof of concept posted by one security researcher to GitHub in February.

The issue may not technically be a vulnerability, but the way Google has implemented its application permissions interface—based on the OAuth 2 standard used by a large number of Web application providers—makes it far too easy to fool unsuspecting targets into giving away access to their cloud, e-mail, storage, and other Google-associated accounts. The websites used in the phishing attack each used domains that mimicked Google's in some way. The sites would call a Google Apps Script that used Google's own authentication system against itself. The malicious Web application (named "Google Docs") was delivered by an HTML e-mail message that looked so much like a genuine Google Docs sharing request that many users just sailed right through the permissions requested without thinking.

Researchers have repeatedly warned Google about this potential social engineering threat, and this shortcoming had already been exploited in malicious e-mails used by an alleged state actor. While Google quickly shut down the malicious application's access to customers' credentials, the threat remains, since all it takes to relaunch a campaign is to configure another application with Google's authentication API.


Google adds phishing protection to Gmail on Android

Following the widespread phishing scam that affected Google Docs and Gmail users this week, Google says it's now rolling out a new security feature in its Gmail application on Android that will help warn users about suspicious links. This feature may not have prevented this week's attack, however, as that attack involved a malicious and fake "Google Docs" app that…

Here’s Google’s official statement on today’s fast-spreading phishing attack

Early this afternoon, a new type of phishing attack popped up targeting Google Docs/Gmail users and spread like crazy. Well disguised and infuriatingly subtle, just a click or two (on what was an actual Google-hosted URL, no less) handed some mystery attacker the ability to read your Gmail and forwarded the phishing attack to everyone you'd ever emailed. The attack was simple, but…