How a scammer tries to steal your e-mail: Gmail phishing

This article is not a cure for every security gap, and it does not reveal any new attack vectors. I just came across a well-made fake of Google Mail and decided to warn all UMumble users.

Recently I received an interesting e-mail, supposedly asking me to confirm or cancel automatic forwarding to my mailbox.

What immediately alerted me:

The sender is "Gmail Team" <[email protected]no-reply.com>, as though Google wrote from a domain like that.

[email protected] has requested to automatically forward mail to your email
[email protected]

I never set up any automatic forwarding, and the address looks suspicious.

Let's open the message source and see something like this:

Delivered-To: [email protected]
Received: by 10.52.15.234 with SMTP id a10csp64285vdd;
Fri, 13 Apr 2012 17:15:49 -0700 (PDT)
Received: by 10.216.132.169 with SMTP id o41mr2024248wei.121.1334362548500;
Fri, 13 Apr 2012 17:15:48 -0700 (PDT)
Return-Path: <[email protected]>
Received: from seromailco.com ([91.220.131.22])
by mx.google.com with ESMTPS id r8si11185472weq.31.2012.04.13.17.15.47
(version=TLSv1/SSLv3 cipher=OTHER);
Fri, 13 Apr 2012 17:15:48 -0700 (PDT)
Received-SPF: neutral (google.com: 91.220.131.22 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=91.220.131.22;
Authentication-Results: mx.google.com; spf=neutral (google.com: 91.220.131.22 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: from apache by seromailco.com with local (Exim 4.72)
(envelope-from <[email protected]>)
id 1SIqpO-00026N-Vt
for [email protected]; Sat, 14 Apr 2012 02:26:59 +0200
Date: Sat, 14 Apr 2012 02:26:58 +0200
Message-Id: <[email protected]>
To: [email protected]
Subject: =?utf-8?B?KCM4MzUyMDgwODMpIEdtYWlsIEZvcndhcmRpbmcgQ29uZmlybWF0aW9uIC0gUmVjZWl2ZSBFbWFpbHMgZnJvbSB3ZWJmb3J3YXJkQGdvb2dsZS5jb20=?=
X-PHP-Script: 4003.ru/sende/send.php for 94.228.220.68
From: =?utf-8?B?R23QsGlsINCi0LXQsG3CrQ==?= <[email protected]>
Content-type: text/html; charset=utf-8
Mime-Version: 1.0

So what do we see in there: 4003.ru/sende/ is an anonymous mailer script.
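The headers quoted above can be triaged mechanically. The script below is an added example for this post, not the author's code: it parses the quoted headers with the Python standard library, decodes the two RFC 2047 encoded words (which shows that the "Gmail Team" display name is actually written with Cyrillic letters and a trailing soft hyphen), pulls the hand-off relay out of the Received line written by mx.google.com, and lists the red flags. The mailbox names the page redacts are replaced by placeholders (user@example.com, sender@...); the hosts, IPs, IDs and encoded words are the ones shown above.

```python
"""Header triage for the forged "Gmail Team" message (added example)."""
import base64
import quopri
import re
import unicodedata
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post. Local parts that the
# page redacts are placeholders ("user", "sender", "placeholder").
RAW = b"""Delivered-To: user@example.com
Received: by 10.52.15.234 with SMTP id a10csp64285vdd;
        Fri, 13 Apr 2012 17:15:49 -0700 (PDT)
Received: by 10.216.132.169 with SMTP id o41mr2024248wei.121.1334362548500;
        Fri, 13 Apr 2012 17:15:48 -0700 (PDT)
Return-Path: <sender@seromailco.com>
Received: from seromailco.com ([91.220.131.22])
        by mx.google.com with ESMTPS id r8si11185472weq.31.2012.04.13.17.15.47
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 13 Apr 2012 17:15:48 -0700 (PDT)
Received-SPF: neutral (google.com: 91.220.131.22 is neither permitted nor denied by best guess record for domain of sender@seromailco.com) client-ip=91.220.131.22;
Authentication-Results: mx.google.com; spf=neutral (google.com: 91.220.131.22 is neither permitted nor denied by best guess record for domain of sender@seromailco.com) sender@seromailco.com
Received: from apache by seromailco.com with local (Exim 4.72)
        (envelope-from <sender@seromailco.com>)
        id 1SIqpO-00026N-Vt
        for user@example.com; Sat, 14 Apr 2012 02:26:59 +0200
Date: Sat, 14 Apr 2012 02:26:58 +0200
Message-Id: <placeholder@seromailco.com>
To: user@example.com
Subject: =?utf-8?B?KCM4MzUyMDgwODMpIEdtYWlsIEZvcndhcmRpbmcgQ29uZmlybWF0aW9uIC0gUmVjZWl2ZSBFbWFpbHMgZnJvbSB3ZWJmb3J3YXJkQGdvb2dsZS5jb20=?=
X-PHP-Script: 4003.ru/sende/send.php for 94.228.220.68
From: =?utf-8?B?R23QsGlsINCi0LXQsG3CrQ==?= <sender@no-reply.com>
Content-type: text/html; charset=utf-8
Mime-Version: 1.0

"""

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")


def decode_rfc2047(value):
    """Decode RFC 2047 encoded words such as =?utf-8?B?...?= into plain text."""
    def _one(m):
        charset, enc, payload = m.groups()
        if enc in "Bb":
            raw = base64.b64decode(payload)
        else:
            raw = quopri.decodestring(payload.replace("_", " "))
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(_one, value)


def scripts_of(text):
    """Unicode scripts of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in text if ch.isalpha()}


def invisible_chars(text):
    """Format/control code points (soft hyphen, zero-width joiner, ...) hiding in text."""
    return [ch for ch in text if unicodedata.category(ch) in ("Cf", "Cc")]


def unfold(value):
    """Join a folded header value back onto one line."""
    return " ".join(value.split())


def analyse(raw):
    """Extract the fields worth looking at from the raw header block."""
    msg = message_from_bytes(raw)  # default (compat32) policy: raw header strings
    from_name, from_addr = parseaddr(decode_rfc2047(msg["From"]))
    _, return_path = parseaddr(msg["Return-Path"])
    # The Received line stamped by the receiving MX names the host that really
    # handed the message over; everything below it is the sender's own story.
    handoff = next(unfold(r) for r in msg.get_all("Received") if "by mx.google.com" in r)
    relay = re.search(r"from (\S+) \(\[([\d.]+)\]\)", handoff)
    spf = re.search(r"spf=(\w+)", msg["Authentication-Results"] or "")
    return {
        "subject": decode_rfc2047(msg["Subject"]),
        "from_name": from_name,
        "from_addr": from_addr,
        "return_path": return_path,
        "relay_host": relay.group(1) if relay else None,
        "relay_ip": relay.group(2) if relay else None,
        "spf": spf.group(1) if spf else None,
        "mailer_script": unfold(msg["X-PHP-Script"]) if msg["X-PHP-Script"] else None,
    }


def findings(raw):
    """Human-readable red flags, roughly in the order the post discusses them."""
    info = analyse(raw)
    flags = []
    from_domain = info["from_addr"].rpartition("@")[2]
    rp_domain = info["return_path"].rpartition("@")[2]
    if "google" not in from_domain:
        flags.append(f"From domain {from_domain!r} is not a Google domain")
    if from_domain != rp_domain:
        flags.append(f"Return-Path domain {rp_domain!r} differs from From domain {from_domain!r}")
    scripts = scripts_of(info["from_name"])
    if len(scripts) > 1:
        flags.append(f"Display name mixes scripts {sorted(scripts)} (homoglyph spoofing)")
    if invisible_chars(info["from_name"]):
        flags.append("Display name contains invisible characters")
    if info["spf"] != "pass":
        flags.append(f"SPF result is {info['spf']!r}, not 'pass'")
    if info["mailer_script"]:
        flags.append(f"Sent by a web mailer script: {info['mailer_script']}")
    return flags


if __name__ == "__main__":
    for key, value in analyse(RAW).items():
        print(f"{key:14} {value!r}")
    for flag in findings(RAW):
        print("!", flag)
```

The decoded From display name comes out as "Gmаil Теаm" with the а, Т and е taken from the Cyrillic block plus a U+00AD soft hyphen at the end, which is why a simple string comparison against "Gmail Team" would never match and why a script-mixing check belongs in any sender-name rule.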

So, what do they want from us? To unsubscribe, you need to follow the link:
https://mail.google.com/mail/vf-7c1083523-2vDb6Vv1a5G0cJEFvk_yq17eTQ0k

which actually points to:
http://acc.check-googlemail.com/inbox/135410f73da242f/ServiceLogin/[email protected]
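The trick here is that the visible link text is a mail.google.com URL while the href points at a lookalike domain. The following added example (not the post's code) walks an HTML body with the standard-library parser and flags anchors whose visible text is a URL on a different site than their href, plus hosts that contain "google" without being under google.com. The HTML is constructed around the two URLs quoted above, with the redacted mailbox replaced by user@example.com; the set of legitimate Google domains is an assumption for the example.

```python
"""Link text vs. link target check for the forwarding e-mail (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body: visible text is the Google URL the mail shows,
# href is where the link really goes (both URLs taken from the post).
SAMPLE_HTML = """<p>To cancel forwarding, click the link below:</p>
<a href="http://acc.check-googlemail.com/inbox/135410f73da242f/ServiceLogin/user@example.com">
https://mail.google.com/mail/vf-7c1083523-2vDb6Vv1a5G0cJEFvk_yq17eTQ0k</a>
<p><a href="https://support.google.com/mail/">Help</a></p>
"""

# Assumption for the example: the only site a genuine Gmail link would use.
GOOGLE_DOMAINS = {"google.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); fine for .com, use a public-suffix list for real work."""
    return ".".join(host.lower().split(".")[-2:])


def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def deceptive_links(html):
    """(href, text) pairs whose visible text is a URL on a different site than href."""
    out = []
    for href, text in collect_links(html):
        if text.startswith(("http://", "https://")):
            shown = registrable(urlsplit(text).hostname or "")
            real = registrable(urlsplit(href).hostname or "")
            if shown != real:
                out.append((href, text))
    return out


def lookalike_hosts(html):
    """hrefs whose host mentions google but is not under a real Google domain."""
    out = []
    for href, _ in collect_links(html):
        host = (urlsplit(href).hostname or "").lower()
        if "google" in host and registrable(host) not in GOOGLE_DOMAINS:
            out.append(href)
    return out


if __name__ == "__main__":
    for href, text in deceptive_links(SAMPLE_HTML):
        print("text says", text, "\n  but goes to", href)
    for href in lookalike_hosts(SAMPLE_HTML):
        print("lookalike host:", href)
```

The same two checks work on a mail client's "hover before you click" output: whenever the status bar shows a host that differs from the one in the link text, or a host that merely contains the brand name, treat the link as untrusted.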

If we follow the link (Mozilla already blocks it), we land on a phishing page with Google's favicon and so on.

It looks very much like Google's paranoid habit of asking for your password again. If we enter the password, it goes to the attacker, and on submit we are redirected to the real mailbox (because we never signed out when we followed the link!).

Be careful!
Tags: fake, fishing, gmail
Papay 14 may 2012, 10:18