Zscaler Finds Gmail Phishing Website

By Fahmida Y. Rashid  |  Posted 2011-08-27

Security researchers at Zscaler recently came across a phishing Website masquerading as a Gmail login page. Unless users are very vigilant, they can easily be tricked by the page, according to Umesh Wanve , a senior security research engineer at Zscaler.

Cyber-attackers are increasingly using phishing scams to fool victims and steal sensitive information. "Such attacks will never go away as phishing is a trivially easy attack vector," Wanve wrote on Zscaler Research Aug. 22.

A number of popular Websites are regularly targeted in phishing campaigns, such as the login page for Google's hosted email service, Gmail. The phishing page the Zscaler team uncovered is "largely identical" to a legitimate Gmail login page, Wanve said.

"There are plenty of such websites are present on the Internet and users should be cautious any time they are entering login credentials," Wanve said.

In the case of this particular Gmail phisihing page, the address is clearly not gmail.com or mail.google.com, but some random domain such as kphb2040.com. The copyright notice at the bottom of the page is out of date, claiming to be from 2006.

The differences are so subtle as to be worrisome. How many people look at the copyright date or the URL when going to known and trusted sites? As paranoid as I am, I can't even recall the last time I checked the date on the bottom of the screen. I do occasionally check the URL, but more to verify I am in the right place if something else triggers my suspicious-meter.

It's not a regular habit to check the URL, although the new feature in Internet Explorer 9 and Firefox 6 which grays out the URL except for the domain name does make it much easier to do so.

Wanve suggested that checking the URL should become a regular habit, especially just before entering any sensitive information on a Webpage. He also recommended that users avoid clicking on links to get to a page, but to manually enter the Website address in the address bar when possible.

Users who get tricked into entering the username and password on this page will be redirected to the legitimate Gmail login page. This way, the victim assumes that the initial login wasn't successful and has to retry again, Wanve said. Even if the victim catches on and relies it was a scam because Gmail didn't display an error message, it's already too late as the data has been transmitted to the malicious server and saved.

Rocket Fuel