Blogger phishing attack uses “improved” email template


The Commtouch detection center has confirmed that an email I received yesterday on one of my private accounts was part of a mass phishing attack aimed at Blogger (and Google) users.  In this case I suspected it was a phishing email before opening it since I received it via an email address that is not connected to my Blogger account (and not protected by Commtouch).  The email looks like this:

[Image: blogger phishing email]

The style of this email is interesting since it uses two techniques that effectively downplay the “phishy” nature of such an email:

1) The very bare text style is similar to the kind of email that a reputable service would actually use nowadays. Phishing-aware services such as PayPal, Facebook, and Blogger tend to use text-only emails with no links or images when contacting account owners – since spam engines may de-link and de-image a received message. This is a real message recently received from PayPal (no images, text only):

[Image: google email sample]

2) The link is “fully displayed”. Phishing-aware users have learnt to mouse-over underlined text (“click here”) or simple domain names in order to see the full URL. The “exposed” complex URL in the phishing email above gives the impression that mousing-over is unnecessary. The link naturally hides one of many URLs that look something like:

blogger.com.erdca.or.kr/update/VE.php?c=9883246018300591978521084101021546437&email=user@place.com&service=blogger
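As an added example (not part of the original post and not Commtouch code), the Python below checks an HTML email for the two signals described in point 2: link text that displays one host while the href points to another, and a brand domain used as the leading labels of an unrelated domain, as in blogger.com.erdca.or.kr. The `BRANDS` list, the function names and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRANDS = ("blogger.com", "google.com")  # assumption: illustrative watch list

def host_of(url):
    """Lower-cased hostname of a URL; tolerates a missing scheme."""
    url = url.strip()
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def embeds_brand(host):
    """True if a brand domain forms the leading labels of some other domain."""
    return any(not (host == b or host.endswith("." + b))
               and (host.startswith(b + ".") or f".{b}." in host) for b in BRANDS)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return [(real_host, [reasons])] for links that warrant suspicion."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real, reasons = host_of(href), []
        if text.lower().startswith(("http://", "https://", "www.")) and host_of(text) != real:
            reasons.append(f"link text shows {host_of(text)} but href goes to {real}")
        if embeds_brand(real):
            reasons.append(f"{real} uses a brand domain only as a subdomain prefix")
        if reasons:
            findings.append((real, reasons))
    return findings

# Constructed sample: first link follows the post's URL pattern, second is benign.
SAMPLE = ('<a href="http://blogger.com.erdca.or.kr/update/VE.php?c=0&amp;service=blogger">'
          'https://www.blogger.com/update/VE.php?c=0</a> '
          '<a href="https://www.blogger.com/help">https://www.blogger.com/help</a>')
```

Calling `check_links(SAMPLE)` returns a single finding, for the first link, carrying both reasons; the second link is on the brand's own domain and is not flagged.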

Clicking on the link brings up a reasonably well-copied Blogger/Google password entry page. Unsuspecting users entering correct account data would compromise their Blogger or, more significantly, Gmail accounts.

[Image: Blogger phishing fake real sites]

Any email asking you to update details by clicking on a link raises phishing suspicions, but this “simple” text email was well thought out. The attack was naturally detected by the Commtouch Detection center and users of products that incorporate Commtouch Anti-Spam and/or GlobalView URL Filtering were protected.
