Phishing, just like spam and the creation of malicious software in general, is a cat-and-mouse game. When malicious code or attacks hit the web, they work for a while before they are properly detected by security software. When that happens, they are modified, redesigned or built from scratch so that they are not detected anymore, which in turn requires security companies to create new protection mechanisms.
Phishing attacks are fairly common on the web. They are used to get information from users who fall prey to them. This may include authentication information for popular web services such as Gmail, Facebook or PayPal, but also other personal information such as credit card numbers or social security IDs.
A recent trend is the use of data: uniform resource identifiers (URIs). The Hot for Security blog describes one of the attacks targeting Chrome users and their Google login in particular.
The attack begins with an email, which is the dominant way that phishing attacks begin. The email tells users that they will be locked out of their account in the next 24-hour period due to email storage quota issues unless they increase their email storage automatically by clicking on the provided link.
As you may have guessed already, that link opens a page in the browser. What is new here is that it uses a data: URI to display contents.
The data URI scheme can be used to combine several web elements into a single HTTP request. Since the information is encoded, it is not immediately clear whether you are on a legitimate page, as you cannot just check if you see google.com in the address bar or not.
While the absence of that is an indicator that something is wrong, it is likely that at least some users won't realize that at all.
According to the article, Chrome is targeted specifically because it does not display the full address in its address bar.
There are quite a few indicators that this is not a legitimate request. If you check the email, you will notice that the from address is not a google.com address.
The second indicator is the data: URL, which is not used by Google or Gmail at all. The third and final one is that the page is not using a secure connection.
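The second indicator can be checked automatically before a user ever clicks. The following Python sketch is an added example, not code from this article or from the Hot for Security report: it collects the links in an HTML email body, decodes any data: URI target, and reports whether the decoded page contains a password field. The function names and the sample email are constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, unquote_to_bytes

# RFC 2397 layout: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(r"^\s*data:([^,]*),(.*)$", re.IGNORECASE | re.DOTALL)
PASSWORD_INPUT = re.compile(rb"<input[^>]+type\s*=\s*[\"']?password", re.IGNORECASE)

def decode_data_uri(uri):
    """Return (media_type, payload_bytes), or None if uri is not a data: URI."""
    m = DATA_URI.match(uri)
    if not m:
        return None
    header, data = m.groups()
    params = [p.strip().lower() for p in header.split(";")]
    media_type = params[0] or "text/plain"  # RFC 2397 default media type
    payload = unquote_to_bytes(data)        # plain percent-encoded form
    if "base64" in params[1:]:
        text = re.sub(r"\s+", "", unquote(data))
        try:
            payload = base64.b64decode(text + "=" * (-len(text) % 4))
        except ValueError:
            payload = b""  # malformed base64: the link is still reported
    return media_type, payload

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # attribute values arrive already entity-decoded
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit_email_html(html):
    """Report every link whose target is a data: URI, with decoded details."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for media_type, payload in filter(None, map(decode_data_uri, collector.hrefs)):
        findings.append({"media_type": media_type, "size": len(payload),
                         "password_form": bool(PASSWORD_INPUT.search(payload))})
    return findings

# Constructed sample input: a harmless one-field form behind a data: link.
SAMPLE_PAGE = b'<form><input type="password" name="pw"></form>'
SAMPLE_EMAIL = ('<a href="data:text/html;base64,%s">Increase storage</a> '
                '<a href="https://example.com/help">Help</a>'
                % base64.b64encode(SAMPLE_PAGE).decode())
```

Calling `audit_email_html(SAMPLE_EMAIL)` returns one finding for the data: link and ignores the ordinary https link.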
So what can you do if you encounter such an email and don't know if it is legitimate or not?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.