This is not your run-of-the-mill phishing attack targeting login credentials for a single online brand. This greedy, two-stage scheme casts one net to rope in both Google and Facebook login credentials in the same session. The attacker is counting on the victim reading the email on a mobile device and not noticing the faulty details that give away its illegitimacy. Akamai’s Larry Cashdollar reported the scheme after being targeted by the attack in January of this year.
“I switched over to my laptop and logged into my personal Gmail account. One look at the sender address and my suspicions were confirmed. The email was a complete fake. The interesting thing is, the message looked much more convincing in its condensed state on my mobile device.”
Larry Cashdollar, a member of Akamai’s Security Intelligence Response Team (SIRT)
The mobile user receives an email informing them that their Google account was accessed from a new device; in Larry Cashdollar’s case the email cited a new Windows device. Clicking the “Consult the activity” link in the email sends the victim to a fake Google login page. The page is served through Google Translate, so the address bar shows a believable Google domain instead of the malicious one; this is also how the phisher slips past endpoint defenses on the device. On a mobile device the address is truncated because of the screen size, whereas on a desktop a user with a careful eye can spot the malicious domain.
If the victim is fooled into entering their Google username and password, they are subjected to a second stage: a prompt to log in again, this time on a fake Facebook login page. The phisher not only receives the victim’s credentials for both accounts, but can also collect their IP address, browser type, location and various other PII (Personally Identifiable Information: data that specifically identifies an individual).
Analysis of the Phishing Method
The phisher relies heavily on the victim trusting that the email’s title comes from a legitimate source. An Apple mobile user quickly glancing over the email may very well be convinced. Upon tapping the “Details” drop-down, however, the user will easily notice the suspicious sender address ‘email@example.com’. The first thing a savvy account holder will question is why they are being sent a Google security alert from Facebook to begin with. Facebook and Google each have their own separate security teams and notification systems, and, most importantly, they never report on each other’s user accounts. Secondly, Facebook’s proper email domain is ‘facebookmail.com’; a user will never receive a Facebook notification via Hotmail or any other email domain. The same applies to Google, which likewise sends notifications only from its own email domain.
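The sender-domain check described above can be automated as a simple brand-impersonation rule: if the From display name or Subject claims a brand, the sending domain must belong to that brand. The following is an added example written for this article, not code from Akamai or the phishing kit; the Google sender domain, the header values and the sample messages are assumptions constructed for illustration (facebookmail.com is the domain the article names).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand name -> domains that legitimately send that brand's notifications.
# facebookmail.com comes from the article; the google.com entry is an
# assumption for this example, so adjust the allowlist to your own data.
BRAND_DOMAINS = {
    "facebook": {"facebookmail.com"},
    "google": {"google.com"},
}

def _domain_allowed(domain, allowed):
    """True if domain equals one of the allowed domains or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def brand_sender_mismatch(raw_message):
    """Return the brands a message claims (in the From display name or the
    Subject) whose sender domain is not a known mail domain for that brand."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    sender_domain = address.rpartition("@")[2].lower()
    claimed_text = f"{display_name} {subject}".lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", claimed_text) and not _domain_allowed(sender_domain, allowed):
            findings.append(brand)
    return sorted(findings)

# Constructed sample messages modelled on the article's description; the
# addresses and subjects are invented for this example, not the real headers.
PHISH = """From: Facebook <security.team@hotmail.com>
Subject: Google security alert: a new Windows device signed in
Content-Type: text/plain

Someone just signed in from a new Windows device. Consult the activity.
"""

LEGIT_GOOGLE = """From: Google <no-reply@accounts.google.com>
Subject: Security alert
Content-Type: text/plain

A new sign-in on Windows.
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("legit", LEGIT_GOOGLE)]:
        print(label, brand_sender_mismatch(raw) or "no brand/sender mismatch")
```

The phishing sample is flagged for both brands (a Google alert sent in Facebook's name from a Hotmail address), while the legitimate alert from a google.com subdomain passes.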
“Taking advantage of known brand names is a common phishing trick, and it usually works if the victim isn’t aware or paying attention,” Cashdollar said. “Criminals conducting phishing attacks want to throw people off their game, so they’ll use fear, curiosity, or even false authority in order to make the victim take an action first, and question the situation later.”
Carefully comparing a legitimate Google security alert with the phishing email highlights the incorrect wording used by the phisher. One glaring difference is that Google labels the link to your activity “CHECK ACTIVITY”, and it leads to your recent account activity rather than to a second, redundant login prompt. Further, the Facebook login page used in the second stage is an outdated mobile login page, which suggests the attacker is using a kit purchased from an underground forum for the purpose of illegally collecting user data.
Enabling two-factor authentication defeats a credential-phishing email like this one: even with the stolen password, the phisher would need to be in possession of your mobile device in order to log in. Google recommends reporting phishing sites and has created a page specifically for that purpose.
“We are aware of the phishing attempts and have blocked all sites in question, on multiple levels,” a Google spokesperson told Threatpost. The spokesperson urged users to report them if they encounter a phishing site.