In what looks to be an attempt at getting more for less, scammers behind a number of recent Phishing attacks are attempting to harvest more than one set of credentials from a single source.
Examining a set of shortened URLs, which were pointed at hosted Phishing websites, researchers from Trend Micro discovered that the person(s) behind the scheme were allowing the victim to enter credentials from various sources.
In one example, the website allows the victim to select between Yahoo, AOL, Windows Live, Gmail, or – if they wish – any other account via an option labeled "Other emails."
The credentials are requested in order to access the Phishing lure. In this case, the lure is a website designed to mimic Facebook, Google Docs (despite the fact the service is now called Google Drive), Microsoft's OneDrive, or various property pages.
"It’s interesting to note that the pages accept any words or even gibberish typed in - a sure sign that the pages are more concerned with collecting data," the Trend Micro blog explained.
"After signing in, users may encounter a 'loading' or 'server error' notification before they are led to the actual site. For example, users who visit the 'Google Docs' site are led to a shared document about intentions for prayers."
The fact that the attack redirects the victim to the real website shows that the criminals are hoping to keep the attack alive as long as possible. However, given that the forms accept any input, clearly all they're after is the credentials.
As far as awareness goes, it's a good idea to remind users that shortened URLs shouldn't be trusted unless they've come from a known, valid source. Such links are rare in legitimate work-related messages, and most personal correspondence avoids them as well.
If someone does follow a maliciously shortened link, traditional anti-Phishing training should still come into play, as the URLs in this particular attack – and others like it – are easily identified by examining the address bar.
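The address-bar check above can be automated for the multi-provider login form this article describes. The following is an added example, not code from Trend Micro or the original article: a heuristic that flags a page asking for a password while naming two or more webmail providers on a host that belongs to none of them. The provider-to-domain map, the function names and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands named in the article mapped to domains they really sign in on.
PROVIDER_DOMAINS = {
    "yahoo": {"yahoo.com"}, "aol": {"aol.com"},
    "windows live": {"live.com", "microsoft.com"}, "gmail": {"google.com"},
}

# Constructed sample modelled on the provider picker the article describes.
SAMPLE_HTML = """
<form method="post" action="/next">
  <select name="provider">
    <option>Yahoo</option><option>AOL</option><option>Windows Live</option>
    <option>Gmail</option><option>Other emails</option>
  </select>
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""

class FormScan(HTMLParser):
    """Collects page text and records whether a password input exists."""
    def __init__(self):
        super().__init__()
        self.has_password = False
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        self.text += [a[k] for k in ("value", "alt", "title") if a.get(k)]

    def handle_data(self, data):
        self.text.append(data)

def on_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def assess(url, html):
    """Flag a password form naming 2+ webmail brands on a host owned by none."""
    host = (urlsplit(url).hostname or "").lower()
    scan = FormScan()
    scan.feed(html)
    scan.close()  # flush any text buffered after the last tag
    blob = " ".join(scan.text).lower()
    named = sorted(p for p in PROVIDER_DOMAINS if p in blob)
    legit = any(on_domain(host, d) for ds in PROVIDER_DOMAINS.values() for d in ds)
    return {"host": host, "providers": named,
            "suspicious": scan.has_password and len(named) >= 2 and not legit}
```
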