Quality phishing in Gmail
Good morning!
Checking your email account Google today, I came across a letter informing about the termination of services provided to me.
Naturally, this angered me at first, since I immediately remembered an article about a blocked Facebook user, who was not explained the reason for the blockage.
After a while, I decided to sort things out all the same, because it is unlikely that a good corporation suddenly became involved in this.
The title of the letter was very unusual for the usual phishing attacks: [Ticket # 2013474861215790] Termination of the provision of services - ______@gmail.com .
Then I decided to check the sender's postal address, expecting to see there something like ad352klwehoi@mail.com, but everything turned out to be even more interesting. The email address looked like this, I wonder what was even google + account plus.google.com/106499313174296424036/posts
It became interesting how events will develop further. The link address with the proposal to refute the complaint was of the form f205.in/r9.php?email=vasya.pupkin , making a logical conclusion that the attack was directed only at Gmail users.
Following the link, we will successfully redirect to the fake password confirmation page. And it turns out that everything in the address bar is also very good msg-google.com/, which itself redirects to mail.ru/
After entering the password and confirming it, successfully go directly to accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1<mpl=default<mplcache=2
')
And to the malefactor your login and the password from mail leave.
Spam filters did not sort this email and it successfully got, for sure, to many users. So be extremely careful with your doubtful letters.
Checking your email account Google today, I came across a letter informing about the termination of services provided to me.
Naturally, this angered me at first, since I immediately remembered an article about a blocked Facebook user, who was not explained the reason for the blockage.
After a while, I decided to sort things out all the same, because it is unlikely that a good corporation suddenly became involved in this.
The title of the letter was very unusual for the usual phishing attacks: [Ticket # 2013474861215790] Termination of the provision of services - ______@gmail.com .
Then I decided to check the sender's postal address, expecting to see there something like ad352klwehoi@mail.com, but everything turned out to be even more interesting. The email address looked like this, I wonder what was even google + account plus.google.com/106499313174296424036/posts
It became interesting how events will develop further. The link address with the proposal to refute the complaint was of the form f205.in/r9.php?email=vasya.pupkin , making a logical conclusion that the attack was directed only at Gmail users.
Following the link, we will successfully redirect to the fake password confirmation page. And it turns out that everything in the address bar is also very good msg-google.com/, which itself redirects to mail.ru/
After entering the password and confirming it, successfully go directly to accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1<mpl=default<mplcache=2
')
And to the malefactor your login and the password from mail leave.
Form data
continue: https: //accounts.google.com/b/0/UpdateAccountRecoveryOptions? hl = en & service = mail
dsh: 4942838251703901422
btmpl: va
GALX: Y0tsepwqG00
pstMsg: 1
dnConn:
checkConnection: youtube: 63: 1
checkedDomains: youtube
timeStmp:
secTok:
Login: vasya.pupkin@gmail.com
Password: qweasdzxc
signIn: Confirm
PersistentCookie: yes
rmShown: 1
dsh: 4942838251703901422
btmpl: va
GALX: Y0tsepwqG00
pstMsg: 1
dnConn:
checkConnection: youtube: 63: 1
checkedDomains: youtube
timeStmp:
secTok:
Login: vasya.pupkin@gmail.com
Password: qweasdzxc
signIn: Confirm
PersistentCookie: yes
rmShown: 1
Spam filters did not sort this email and it successfully got, for sure, to many users. So be extremely careful with your doubtful letters.
Source: https://habr.com/ru/post/167755/
All Articles