How a scammer tries to steal your e-mail: Gmail phishing

This article is not a cure for every security gap, and it does not reveal any new attack vector. I simply came across a well-made imitation of Google Mail and decided to warn all UMumble users.

Recently I received an interesting e-mail, supposedly asking me to confirm or cancel automatic forwarding to my mailbox.
What immediately alerted me:

Gmail Team <[email protected]> looks as though Google were writing from one of its own domains.

[email protected] has requested to automatically forward mail to your email
[email protected]

I had not set up any automatic forwarding, and the address looked suspicious.

Let's open the message source; we see something like this:

Delivered-To: [email protected]
Received: by with SMTP id a10csp64285vdd;
Fri, 13 Apr 2012 17:15:49 -0700 (PDT)
Received: by with SMTP id o41mr2024248wei.121.1334362548500;
Fri, 13 Apr 2012 17:15:48 -0700 (PDT)
Return-Path: <[email protected]>
Received: from ([])
by with ESMTPS id r8si11185472weq.31.2012.
(version=TLSv1/SSLv3 cipher=OTHER);
Fri, 13 Apr 2012 17:15:48 -0700 (PDT)
Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=;
Authentication-Results:; spf=neutral ( is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: from apache by with local (Exim 4.72)
(envelope-from <[email protected]>)
id 1SIqpO-00026N-Vt
for [email protected]; Sat, 14 Apr 2012 02:26:59 +0200
Date: Sat, 14 Apr 2012 02:26:58 +0200
Message-Id: <[email protected]>
To: [email protected]
Subject: =?utf-8?B?KCM4MzUyMDgwODMpIEdtYWlsIEZvcndhcmRpbmcgQ29uZmlybWF0aW9uIC0gUmVjZWl2ZSBFbWFpbHMgZnJvbSB3ZWJmb3J3YXJkQGdvb2dsZS5jb20=?=
X-PHP-Script: for
From: =?utf-8?B?R23QsGlsINCi0LXQsG3CrQ==?= <[email protected]>
Content-type: text/html; charset=utf-8
Mime-Version: 1.0

So what do we see there: / is an anonymous mailer.

So what did they want from us? To unsubscribe, you need to follow a link:

which actually leads to: [email protected]

If we follow the link (Firefox already blocks it), we land on a phishing page with Google's favicon and so on.
It looks very much like Google being its usual paranoid self and asking for the password again. If we enter the password, it goes to the attacker, and on submit we are redirected to the mailbox (because we were still signed in when we followed the link!).
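The checks walked through above (reading the SPF and Received headers, decoding the encoded-word Subject and From, and comparing a link's visible text with its real target) can be automated. The script below is an added example, not code from the article. It runs over a constructed message whose encoded Subject and From values are the ones quoted above; the host names, IP addresses, mailbox names and HTML body, which the article elides or does not show, are placeholders (example.com, example.net, 192.0.2.10), and the From address is assumed to be the one the decoded Subject names. Decoding the From display name is what exposes the trick the raw source hides: several letters of "Gmail Team" are Cyrillic look-alikes followed by an invisible soft hyphen, so a filter matching on the ASCII string "Gmail Team" never sees it.

```python
import re
import unicodedata
from email import message_from_string
from email.header import decode_header
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the headers quoted in the article. Host names,
# IP addresses and mailbox names the article elides are placeholders
# (example.com / example.net / 192.0.2.10); the encoded Subject and From values
# are the ones quoted in the article; the From address is an assumption (the
# one the decoded Subject names); the HTML body is constructed.
RAW_MESSAGE = """\
Return-Path: <webforward@google.com>
Received: from mailhost.example.net ([192.0.2.10])
        by mx.example.com with ESMTPS id r8si11185472weq.31.2012
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 13 Apr 2012 17:15:48 -0700 (PDT)
Received-SPF: neutral (192.0.2.10 is neither permitted nor denied by best guess record for domain of webforward@google.com) client-ip=192.0.2.10;
Authentication-Results: mx.example.com; spf=neutral (192.0.2.10 is neither permitted nor denied by best guess record for domain of webforward@google.com) smtp.mail=webforward@google.com
Received: from apache by mailhost.example.net with local (Exim 4.72)
        (envelope-from <webforward@google.com>)
        id 1SIqpO-00026N-Vt
        for victim@example.com; Sat, 14 Apr 2012 02:26:59 +0200
Date: Sat, 14 Apr 2012 02:26:58 +0200
To: victim@example.com
Subject: =?utf-8?B?KCM4MzUyMDgwODMpIEdtYWlsIEZvcndhcmRpbmcgQ29uZmlybWF0aW9uIC0gUmVjZWl2ZSBFbWFpbHMgZnJvbSB3ZWJmb3J3YXJkQGdvb2dsZS5jb20=?=
X-PHP-Script: mailhost.example.net/send.php for 192.0.2.10
From: =?utf-8?B?R23QsGlsINCi0LXQsG3CrQ==?= <webforward@google.com>
Content-type: text/html; charset=utf-8

<p>To cancel this forwarding, open
<a href="http://login.example.net/confirm.php?email=victim@example.com">https://mail.google.com/</a></p>
"""


def decode_rfc2047(value):
    """Decode RFC 2047 encoded-words (=?utf-8?B?...?=) in a header value to text."""
    out = []
    for chunk, charset in decode_header(value):
        out.append(chunk.decode(charset or "ascii", "replace") if isinstance(chunk, bytes) else chunk)
    return "".join(out)


def non_ascii_chars(text):
    """Name every non-ASCII code point, so Cyrillic look-alikes and invisible
    characters (such as SOFT HYPHEN) hidden in a display name are called out."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in text if ord(ch) > 127]


def mismatched_links(html_body):
    """Anchors whose visible text is a URL on a different host than the href target."""
    out = []
    for href, text in re.findall(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', html_body, re.I | re.S):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if visible.lower().startswith(("http://", "https://")):
            shown, real = urlparse(visible).hostname, urlparse(href).hostname
            if shown != real:
                out.append((shown, real))
    return out


def analyze(raw):
    """Run the checks the article does by hand and return a report dict."""
    msg = message_from_string(raw)
    findings = []
    subject = decode_rfc2047(msg.get("Subject", ""))
    name, addr = parseaddr(msg.get("From", ""))
    name = decode_rfc2047(name)
    odd = non_ascii_chars(name)
    if odd:
        findings.append("display name uses non-ASCII characters: " + ", ".join(n for _, n in odd))
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    spf = m.group(1).lower() if m else "none"
    if spf != "pass":
        findings.append(f"SPF for {addr} is '{spf}', so the From domain is unverified")
    if msg.get("X-PHP-Script"):
        findings.append("X-PHP-Script: message was generated by a web script, not a mail client")
    if any(re.search(r"\bwith local\b", r) for r in msg.get_all("Received", [])):
        findings.append("Received 'with local': injected on the sending host, no SMTP hand-off")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    links = mismatched_links(body)
    for shown, real in links:
        findings.append(f"link text shows {shown} but points to {real}")
    return {"subject": subject, "display_name": name, "from": addr, "spf": spf,
            "link_mismatches": links, "findings": findings}


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    print("Subject:", report["subject"])
    print("From:", repr(report["display_name"]), report["from"])
    for finding in report["findings"]:
        print("-", finding)
```

Run it directly to print the report for the sample; on a mail gateway the same `analyze()` would be fed each message's raw source. None of the five findings on its own proves fraud (SPF neutral and script-generated mail are common for legitimate web applications), but an "official" notice that trips all of them, with a display name that only looks like ASCII, is exactly the pattern the article describes.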

Be careful!
Tags: fake, fishing, gmail
Papay 14 may 2012, 10:18