The Text, “data:” in a URL may Indicate a Phishing Site

I haven’t run across this myself, but it’s probably a good idea to be a bit wary of sites like this …

Phishing just like spam and the creation of malicious software in general is a cat and mouse game. When malicious code or attacks hit the web they work for a while before they are properly detected by security software. When that happens, they are modified or redesigned or build from scratch so that they are not detected anymore, which in turn requires security companies to create new protection mechanisms.

Phishing attacks are fairly common on the web. They are used to get information from users who fall prey to them. This may include authentication information for popular web services such as Gmail, Facebook or PayPal, but also other personal information such as credit card numbers or social security IDs.

A recent trend  is the use of data: uniform resource identifiers (URIs). The Hot for Security blog describes one of the attacks targeting Chrome users and their Google login in particular.

The attack begins with a mail, which is the dominant way that phishing attacks begin. Users are reminded in that email that they will be locked out of their account due to email storage quote issues in the next 24 hour period unless they increase their email storage automatically by clicking on the provided link.

As you may have guessed already, that link opens a page in the browser. What is new here is that it uses a data: URI to display contents.

gmail phishing data

The data URI scheme can be used to combine several web elements into a single HTTP request. Since information are encoded, it is not immediately clear if you are on a legitimate page or not, as you cannot just check if you see in the address bar or not.

While the absence of that is an indicator that something is wrong, it is likely that at least some users won’t realize that at all.

Chrome is targeted specifically according to the article because it is not displaying the full address in its address bar.

There are quite a few indicators why this is not a legitimate request. If you check the email, you will notice that the from address is not listing a address.

The second indicator is the data: url that is not used by Google or Gmail at all. And the third and final that the page is not using a secure connection.

So what can you do if you encounter such an email and don’t know if it is legitimate or not?

  • Check the from address but do not trust it too much. If it does not use a company domain, it is almost certain that it originated from a third-party.
  • If the email contains links, hover your mouse over the link but do not click on it. If you see an address that is not on a company domain, it is almost certain it is a phishing email.
  • If you are still not convinced, visit the website directly by opening your browser and typing it in manually. Important information should be displayed to you on start. If that is not the case, ignore the message.

Link to Original Content

Tags: , , , ,

Comments are closed.