
Potential Gmail Phishing


9 replies to this topic

#1 RegularWindows10User

RegularWindows10User

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 19 December 2016 - 07:59 PM

So I was on Gmail today and I received a strange email from an AOL account.
I didn't know the person so I put the email into my spam folder.
The subject really got to me, it was titled "really scared".
I opened it in my spam folder, just to be sure it would make sure no viruses were in the email.
There were 2 webpages, I clicked them and it opened up to a login page. It looked just like the Gmail login page, only that it said session expired and wanted me to "log back in".
Knowing this was trying to get me to give my account information, I closed the page.
I made sure to change my password and do a full scan on my computer even though I didn't download anything.

What's odd about this is that the links came from an AOL email address.

I can't seem to find a way to upload the pictures though. Can anyone tell me how I can do that?

 

 


Edited by RegularWindows10User, 19 December 2016 - 08:01 PM.



 


#2 Viper_Security

Viper_Security

  • Members
  • 826 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:11:26 PM

Posted 19 December 2016 - 08:04 PM

Gmail won't allow an obvious virus through their service, it checks before the email is sent. If you have changed your password(s) you should be fine.

To post an image (I'm using imgur):

Click the "Image" icon in the editor (2nd row, #11),

then copy and paste the image address, e.g. "https://i.imgur.com/Sb3R0HH.png"

 

Once that's in the box and you hit "OK" it should look like this.

 

Sb3R0HH.png


    IT Auditor & Security Professional



#3 RegularWindows10User

RegularWindows10User
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 19 December 2016 - 08:08 PM

Ok, thank you!

I thought that, but I just wanted to be sure.

That was the first link I believe.

884faa05b9.png

As you can see, these sites are basically identical. But what made me suspicious was the overly long URLs.

884ee317f6.png


Edited by RegularWindows10User, 19 December 2016 - 08:12 PM.


#4 RegularWindows10User

RegularWindows10User
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 19 December 2016 - 08:12 PM

Sorry about that! Forgot my email address was showing and made sure to block it out!



#5 Viper_Security

Viper_Security

  • Members
  • 826 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:11:26 PM

Posted 19 December 2016 - 08:13 PM

No worries! We'll be here once you get it all figured out!

Then we can continue to answer your question better :)


Edited by Viper_Security, 19 December 2016 - 08:18 PM.

    IT Auditor & Security Professional



#6 RegularWindows10User

RegularWindows10User
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 19 December 2016 - 08:15 PM

884ee317f6.png885f5bc4a2.png



#7 Viper_Security

Viper_Security

  • Members
  • 826 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:11:26 PM

Posted 19 December 2016 - 08:18 PM

Yes, that definitely looks like phishing from the "securesslredirect" and "Sessioninboxmsg" in the URL.

That and the link doesn't start with HTTPS:// like all secure sites do. That's a red flag for me.


    IT Auditor & Security Professional



#8 RegularWindows10User

RegularWindows10User
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 19 December 2016 - 08:24 PM

The text above the login, "session has expired Sign In again", just doesn't seem formal or like Google would type it.
And yeah the URL, as well as the link not having HTTPS://, made me extremely suspicious.
Surprisingly, the links still seem to be alive.
I can send them to you if you would like me to!!
Here they are, please be careful with them though:

Mod Edit: Deactivated links - Hamluis.

hxxx://822233.d8eb86a7c80122e3bf49d80088f67bd4sessioninboxmsg1455045.securesslredirect.com/gwzxrykuh.html?ugopn=qTuyMTSln3A0LKV5ZGSNM21unJjhL29g&i5ndxm=LJ9fYzAioD==&af=1482247511&nezn=5.1739&van=48419&pqf=am_34&re=5&m_d=MKWlMTympTkurGL3YzAioD==

hxxx://905386.cbde4f660eb406cffa53fdb814764d0fsessioninboxmsg13832252.securesslredirect.com/vunfhy.html?ugopn=qTuyMTSln3A0LKV5ZGSNM21unJjhL29g&i5ndxm=LJ9fYzAioD==&af=1482247511&nezn=5.1739&van=48419&pqf=am_34&re=5&m_d=MKWlMTympTkurGL3YzAioD==


Edited by hamluis, 19 December 2016 - 09:02 PM.
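The URL signals raised in posts #3, #7 and #8 (a domain that is not Google's, "securesslredirect" and "sessioninboxmsg" in the hostname, an overly long URL, no HTTPS) can be checked mechanically. This is an added example, not code from any poster in the thread; the expected-domain set, the lure-word list, the length threshold and the `triage` helper are assumptions, and the first sample uses the host and path from post #8 with the query string omitted.

```python
import re
from urllib.parse import urlsplit

# Assumptions of this example, not values from the thread:
EXPECTED_DOMAINS = {"google.com"}   # where a real Gmail sign-in page lives
LURE_WORDS = ("secure", "ssl", "session", "inbox", "login", "redirect")
MAX_HOST_LEN = 60                   # arbitrary cut-off for "overly long"


def refang(url):
    """Turn a defanged hxxp/hxxx/hxxps link back into a parseable URL."""
    url = url.strip().replace("[.]", ".")
    return re.sub(r"^hxx[xp](s?)://", r"http\1://", url, flags=re.I)


def registrable_domain(host):
    """Naive last-two-labels guess; real tooling should use the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def triage(url, expected=EXPECTED_DOMAINS):
    """Return a list of findings for a link that claims to be a Gmail sign-in page."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    findings = []
    # The registrable domain is the strongest signal: everything to its left
    # is chosen freely by whoever controls the domain.
    if domain not in expected:
        findings.append("domain-mismatch:" + domain)
    # Weak signal on its own: a phishing page can also be served over HTTPS.
    if parts.scheme != "https":
        findings.append("no-https")
    lures = sorted(w for w in LURE_WORDS if w in host)
    if lures:
        findings.append("lure-words:" + ",".join(lures))
    if any(re.search(r"[0-9a-f]{32}", label) for label in host.split(".")[:-2]):
        findings.append("hex-token-in-subdomain")
    if len(host) > MAX_HOST_LEN:
        findings.append("long-hostname")
    return findings


# Host and path from post #8 (query string omitted); the other two are constructed.
FROM_THREAD = ("hxxx://822233.d8eb86a7c80122e3bf49d80088f67bd4sessioninboxmsg1455045"
               ".securesslredirect.com/gwzxrykuh.html")
GENUINE = "https://accounts.google.com/ServiceLogin"
HTTPS_LOOKALIKE = "https://accounts.google.com.signin-example.test/"
```

The constructed look-alike is served over HTTPS and still fails on the domain check, which is why the scheme is treated here as only one signal among several.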


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,766 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:26 AM

Posted 19 December 2016 - 09:03 PM

Both links are clean per VirusTotal and go to a http://forbes-daily-news.com/ news article... Stephen Hawking Predicts, "This Pill Will Change Humanity"
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:04:26 PM

Posted 19 December 2016 - 09:34 PM

VirusTotal is crap at URL scanning, urlquery is better ;), here phishy phishy phish!!!

 

http://urlquery.net/report.php?id=1482201160390


Edited by JohnnyJammer, 19 December 2016 - 09:37 PM.




