Thanks for the add? A researcher has exploited a security hole in Google Public Service Search to create an ingeniously deceptive phishing attack that looks like it’s hosted on Google’s domain.
The fake service, Gmail Plus, which purports to be Gmail + Orkut, doesn’t actually capture your user ID and password. Instead, it delivers a “You (could have) gotten served” message when you enter information into the sign-in form.
For safety’s sake, if you test his exploit, don’t enter your real data.
Eric Farraro discovered the exploit while adding a legitimate Google search box to a Web page at work.
Farraro notified Google of the exploit, and Google has since removed the Public Service Search log-in.
Google has been the target of phishing exploits before. In July, Websense security labs reported that phishing attacks had increased in sophistication after the debut of Google Checkout.
Don’t forget to check out this Google research paper from January titled “Limits to Anti-Phishing.”