data: in the browser address bar may indicate a phishing site

Martin Brinkmann
May 15, 2014

Phishing, just like spam and the creation of malicious software in general, is a cat and mouse game. When malicious code or attacks hit the web, they work for a while before they are properly detected by security software. When that happens, they are modified, redesigned or built from scratch so that they are not detected anymore, which in turn requires security companies to create new protection mechanisms.

Phishing attacks are fairly common on the web. They are used to get information from users who fall prey to them. This may include authentication information for popular web services such as Gmail, Facebook or PayPal, but also other personal information such as credit card numbers or social security IDs.

A recent trend is the use of data: uniform resource identifiers (URIs). The Hot for Security blog describes one of the attacks targeting Chrome users and their Google login in particular.

The attack begins with an email, which is the dominant way that phishing attacks begin. Users are told in that email that they will be locked out of their account within the next 24 hours due to email storage quota issues unless they increase their email storage automatically by clicking on the provided link.

As you may have guessed already, that link opens a page in the browser. What is new here is that it uses a data: URI to display contents.


The data URI scheme can be used to combine several web elements into a single HTTP request. Since the information is encoded, it is not immediately clear if you are on a legitimate page or not, as you cannot just check if you see in the address bar or not.

While the absence of that is an indicator that something is wrong, it is likely that at least some users won't realize that at all.

Chrome is targeted specifically according to the article because it is not displaying the full address in its address bar.

There are quite a few indicators why this is not a legitimate request. If you check the email, you will notice that the from address is not listing a address.

The second indicator is the data: URL, which is not used by Google or Gmail at all. The third and final one is that the page is not using a secure connection.

So what can you do if you encounter such an email and don't know if it is legitimate or not?

  • Check the from address but do not trust it too much. If it does not use a company domain, it is almost certain that it originated from a third party.
  • If the email contains links, hover your mouse over the link but do not click on it. If you see an address that is not on a company domain, it is almost certain it is a phishing email.
  • If you are still not convinced, visit the website directly by opening your browser and typing it in manually. Important information should be displayed to you on start. If that is not the case, ignore the message.
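
The link check above can also be automated on the mail side. The following added example (not code from the original article or from Bitdefender) parses the links of an HTML mail body, decodes any data: URI target, and reports whether the embedded page contains a form or password field. The function names and the sample mail are assumptions made up for this illustration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# RFC 2397 layout: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(r"^\s*data:([^,]*),(.*)$", re.I | re.S)
CREDENTIAL_FORM = re.compile(rb"<form\b|type\s*=\s*[\"']?password", re.I)

def parse_data_uri(uri):
    """Return (mediatype, decoded_bytes), or None if uri is not a data: URI."""
    m = DATA_URI.match(uri)
    if not m:
        return None
    header, payload = m.groups()
    params = [p.strip().lower() for p in header.split(";")]
    body = unquote_to_bytes(payload)
    if "base64" in params[1:]:
        body = re.sub(rb"\s+", b"", body)
        try:
            body = base64.b64decode(body + b"=" * (-len(body) % 4))
        except ValueError:  # malformed base64: treat as empty payload
            body = b""
    return params[0] or "text/plain", body

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def scan_email_html(html):
    """Return one finding per link whose target is a data: URI."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        parsed = parse_data_uri(href)
        if parsed:
            findings.append({"mediatype": parsed[0], "size": len(parsed[1]),
                             "asks_for_credentials": bool(CREDENTIAL_FORM.search(parsed[1]))})
    return findings

# Constructed sample mail body (not the message from the attack described above).
SAMPLE_PAGE = b'<form><input type="password" name="p"></form>'
SAMPLE_MAIL = ('<a href="data:text/html;base64,' + base64.b64encode(SAMPLE_PAGE).decode()
               + '">Increase storage</a> <a href="https://www.example.com/help">Help</a>')
```

Any finding at all is worth a closer look, since legitimate services have no reason to link to a data: URI from an email; a finding with `asks_for_credentials` set matches the pattern described in this article.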


  1. Tom said on May 16, 2014 at 8:54 pm

    Good thing I looked at the address bar before. I have had three of these sent to me.

  2. InterestedBystander said on May 15, 2014 at 7:56 pm

    “…visit the website directly by opening your browser and typing it in manually” — And maybe do that in a browser that’s well-secured against Javascript, Java, insecure plug-ins like Flash and Acrobat, etc.

  3. Dave said on May 15, 2014 at 5:27 pm

    What makes this specific to Chrome?

    1. Martin Brinkmann said on May 15, 2014 at 6:05 pm

      It is not Chrome specific, but Chrome users seem to be targeted according to Bitdefender.
