Thanks for the add? A researcher has exploited a security hole in Google Public Service Search to create an ingeniously deceptive phishing attack that looks like it’s hosted on Google’s domain.
The fake service, Gmail Plus, which purports to be Gmail + Orkut, doesn’t actually capture your user ID and password. Instead, it delivers a “You (could have) gotten served” message when you enter information into the sign-in form.
For safety’s sake, if you test his exploit, don’t enter your real data.
Eric Farraro discovered the exploit while adding a legitimate Google search box to a Web page at work.
“I began to use Javascript to modify the DOM, allowing me to change the search box on the results page. Then I had another idea… I knew that my header was rendered first, then Google’s results, then the footer. I decided to encapsulate the Google search results by placing them in a DIV tag, then closed the DIV tag in the bottom. Right after that, in the footer, I used the Javascript ‘document.getElementById(divID).innerHTML’ property, and essentially, hid all of Google’s search results. I realized that I had created a blank slate, hosted at a Google.com address.“
Farraro notified Google of the exploit, and Google has since removed the Public Service Search log-in.
Google has been the target of phishing exploits before. In July, Websense security labs reported that phishing attacks had increased in sophistication after the debut of Google Checkout.
Don’t forget to check out this Google research paper from January titled “Limits to Anti-Phishing.”