Google seems to have been the target of a new phishing campaign over the last week or two. I have come across more and more of these – sometimes up to 10 a day. Here’s what the landing page of this phishing site looks like:

[Screenshot: googledocs]

Here is the directory listing for this phishing kit:

[Screenshot: files]

At first glance this looks like the innards of a professional phishing site, but looking closer it becomes clear that this is a patch job, consisting of parts of various website types – even parts of a WordPress site, as is evident in the /video/index.php page:

[Screenshot: video]

This site looks like a login page for Google Docs. It offers AOL / Gmail / Yahoo / Windows Live / Other email accounts with which to log in. Clicking on any one of these links brings up the login box.

The homepage code isn’t really important here, but for reference, here it is:

http://pastebin.com/xTdngweL

What data is being collected:

/authentication/index.php

[Screenshot: authentication]

Some things to note:

Line 3: Includes mail.php, which contains only the email address to which the collected data is mailed, and the refresh URL you are redirected to after completing the form:
https://docs.google.com/templates?sort=rating&view=public

Lines 7 – 12: This is the message body that gets sent to the attacker.

Line 13: Email address as per mail.php included in line 3.

Line 35: Redirect after form submission as per mail.php included in line 3.
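
For anyone cleaning a compromised site that hosts a kit like this, the traits noted above (an included mail.php, a mailed message body, a redirect after submission) can be turned into a file-system check. This is an added example, not code from the kit or from the original post; the regexes, function names and sample fragments are assumptions constructed for illustration.

```python
import os
import re

# Traits taken from the write-up's notes on /authentication/index.php.
# The regexes are this example's assumptions, not the kit's actual source.
TRAITS = {
    "includes_php_config": re.compile(
        r"\b(?:include|require)(?:_once)?\b[^;\n]*\.php", re.I),
    "reads_posted_password": re.compile(
        r"\$_(?:POST|REQUEST)\s*\[\s*['\"][^'\"]*(?:pass|pwd)[^'\"]*['\"]", re.I),
    "calls_mail": re.compile(r"(?<![\w>$])mail\s*\(", re.I),
    "redirects_after_submit": re.compile(
        r"header\s*\(\s*['\"]\s*(?:Location|Refresh)\s*:"
        r"|http-equiv\s*=\s*['\"]?refresh", re.I),
}
# A contact form also mails POST data and redirects; the posted password
# field is what separates a harvester from it.
REQUIRED = {"reads_posted_password", "calls_mail", "redirects_after_submit"}

def traits_in(source):
    """Return the set of trait names whose pattern occurs in the PHP source."""
    return {name for name, rx in TRAITS.items() if rx.search(source)}

def is_harvester(source):
    """True when the source mails a posted password and then redirects."""
    return REQUIRED <= traits_in(source)

def scan_tree(root):
    """Walk a web root; return [(path, sorted traits)] for matching .php files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            if is_harvester(source):
                hits.append((path, sorted(traits_in(source))))
    return hits

# Constructed fragments (not the kit's code, deliberately incomplete).
SAMPLE_HANDLER = """include 'mail.php';
... $_POST['password'] ...
mail($to, $subject, $message);
header("Location: $redirect");"""
SAMPLE_CONTACT_FORM = """include 'config.php';
... $_POST['email'] ... $_POST['comment'] ...
mail($to, $subject, $body);
header("Location: thanks.php");"""
```

A hit is a lead for manual review, not proof: the field-name pattern is a heuristic and a kit that names its fields differently will not match.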

The Phishing target

The attack here is two-fold. Not only do they target your ‘Google Docs’ login (this is now part of Google Drive), but the attack is also aimed at your email account and online identity. The sad truth is that a lot of people use the same password for everything. They will thus use the actual password for, for example, their @gmail.com email account as the password when they sign up for services using their @gmail.com address.

Any data collected by this phishing site will almost certainly be tested against both Google Docs / Drive and the login for the specific email provider.

 

The Pixel Forge