Phishing attack uses data URI to target Google accounts

A new Phishing attack using data URI is targeting Google accounts with a high degree of success

Phishing key

A new Phishing attack that's based on data URI (uniform resource identifier) is targeting Google accounts with a high degree of success. Because of the way the attack is carried out, detection via standard means, such as heuristics, has become problematic.

In a statement, Catalin Cosoi, Chief Security Strategist at BitDefender, said that with access to a person's Google account, criminals could do all sorts of things - from purchasing apps on Google Play, to compromising email and documents, or expanding the attack to the victim's social circle via email or Google+.

The scam starts with an email:

This is a reminder that your email account will be locked out in 24hours
Due to not being able increase your Email storage Quota
Go to the INSTANT NCREASE to increase your Email storage automatically
Sincerely Gmail Team,

The subject line in the messages will differ. Some will say "Mail Notice," while others may use "New Lockout Notice."

"What is interesting about this phishing attack is that users end up having the 'data:' in their browser’s address bar, which indicates the use of a data URI scheme," said Cosoi.

Using data URI to conduct a Phishing campaign is a tactic that's been known since 2007, but the topic gained additional attention after Henning Klevjer, who was a student at the University of Oslo in Norway at the time, published a paper on the topic in 2012.

By using data URI in a Phishing attack, the page's content is encoded in Base64, which enables a page-less Phishing attack.

Normally, criminals need to host their Phishing content somewhere. With data URI, that obstacle is removed.

In Klevjer's paper, he turned 24,682 character Phishing example into a 26 character link by using a URL shortening service. The result was a perfectly rendered Wikipedia login page. For context, proper formatting for data URI looks like this:


Phishing with data URI isn't common, but it's tricky because this type of attack is one that would bypass most at-a-glace anti-Phishing checks, and more importantly, bypass some security measures such as heuristics, Web filtering, and reputation filtering.

Most browsers limit the volume of data that can be packed into a URI. Yet, in the attacks observed by BitDefender, users on Google's Chrome are able to see the fully rendered page, but what they can't see is the entire data URI string.

This lack of visibility has prevented most victims form realizing that they're on a Phishing page - assuming they have the knowledge to recognize Base64 to begin with.

Realistically, Base64 is unfamiliar to most people, so naturally it's trusted. This misplaced trust has led to a large number of compromised Google accounts, but BitDefender didn't disclose the exact figures.

Technology alone isn't going to stop this scam from spreading. It might help, because some email filters will flag these messages based on the subject lines alone, and others will start flagging based on the content of the message. But it won't fully prevent this message from hitting a user's inbox.

A solid level of awareness is what's going to kill this scam.

The message itself is a red flag. The broken grammar stands out, as does the improper name for Google's service. The mixing of uppercase and lowercase letters and the tone of the message, both done to promote a sense of urgency, only adds another layer of skepticism to a message that should just be ignored and deleted.

While unique, this isn't the first time Google users have been targeted. Earlier this year, a Phishing scam that leveraged Google Drive caused a good deal of concern.

Using Google Drive, criminals emailed links to perspective marks, directing them to open an "important document." Once accessed, the victim was presented with a standard Google login page, and prompted to enter their username and password.

Symantec, the company that discovered the scam, said that the issue was compounded by the fact that the Phishing pages were being delivered by Google's own servers over SSL – meaning that most victims were instantly fooled by the presentation.

"The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages," Symantec's Nick Johnston wrote at the time.

In the earlier attack, a PHP script delivered the harvested credentials, and once the attacker got their prize, the victim was then forwarded over to the real Google Drive - unaware that they've been had.

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)