Phishing Trick Targeting Google Relies on Data URIs to Mask the Page’s Real URL

Google took down a recent phishing campaign that was abusing short URLs and an older data URI trick to mask the page’s real URL and fool victims into thinking they were on the actual Google login page.

According to My Online Security, who analyzed this recent phishing campaign, crooks were spreading around a short URL, now taken down, which was redirecting users to a page on the nwfacilities[.]top domain.

Data URIs used for URL spoofing phishing scams

The problem was that this page contained source code that would refresh the page and replace its original URL with one that read, “data:text/html,

Except the “data:text/html” mention at the start of the URL, this is the actual, real-life link to the Google login page.

The nwfacilities[.]top would also load an iframe that covered the entire page, which was a carbon copy of the Google login page, but with one difference: the form’s submit URL was sending all the data to the crook’s servers.

Trick is somewhat effective, works only in Chrome

Even somewhat tech-savvy users would have a hard time detecting this phishing campaign, mainly because the URL contained the real Google login page.

Nevertheless, in the case of login pages, users should always keep in mind that the only prefix accepted to this kind of pages is “https://” and only “https://” and not any kind of data URI like “data:text/html” or others.

Fortunately, data URIs don’t work across all browsers, since they’re not universally supported in the same way. This particular page was effective only in Google Chrome and some Firefox versions.

Using data URIs for phishing is a very old trick, pioneered in the late 2000s, and eventually perfected by a researcher from the University of Oslo in Norway in 2012, when he created one of the first page-less phishing campaigns.

Phishing page in action, notice the page’s URL


Would you click on this? Fake email targets employees in computer security test

Imagine you receive an email at work announcing you’re getting raise.


To get it in your next paycheck, you simply have to click a link, then enter your employee ID number, your date of birth, and your home zip code.

Roughly one quarter of 5,000 employees of Atlantic Health System who received that message opened that enticing email recently, and two-thirds of those who opened the email went on to provide the information required for the raise, according to a company email which was forwarded to NJ Advance Media anonymously.

It turned out to be a computer security test run by the hospital system on its own employees.

Not everyone is happy about the test. One anonymous employee described it as the company lying to employees about a pay increase in order to conduct its test, and said employees were “angered” by the deception.

A spokesman for the five-hospital system apologized for dangling the prospect of a raise in front of employees – but not for conducting the security test itself.

“We do acknowledge that the email was upsetting to people, and we do apologize for that,” said Robert Seman, a spokesman for Atlantic Healthcare. “Our intention was not to antagonize, but to test our strength if we were attacked by criminals.”

Atlantic runs hospitals in Morristown, Summit, Pequannock Township, Hackettstown and Newton.

Hospitals have proved to be a favorite target of “phishers,” or cybercriminals who set up emails or entire websites that mimic reputable companies.

While some phishing attacks are designed to get credit card data from customers, attacks on hospitals are designed to get into the system through employee accounts.

Once there, the hackers can shut down access to all patient information until paid a ransom – often in bitcoins, the untraceable online currency. One small Los Angeles hospital paid $17,000 last February to regain access to its own computer system, according to published reports.

The fairly new technique installs what is called “ransomware,” which now accounts for 93 percent of phishing attacks, according to the security website

Rowan University attacked by ransomware

Cyber experts say hospitals have proved to be particularly vulnerable because of their rush to convert to digital medical records, a switchover pushed by the Affordable Care Act.

“The cyber criminals are getting more and more ‘authentic’ in their methods, so we have to utilize what we’re seeing out there in our tests,” Seman said. “This is mimicking what we’re seeing coming in.”

The prospect of a salary increase was used in order to make the email test enticing, wrote Kevin Lenahan, chief financial and administrative officer, in a follow-up email to all employees.

“Likewise, we took measures to ensure that the fabricated phishing emails looked authentic,” he wrote. “For example, we used our AHS logo, an element included in past attacks by actual cyber criminals.”

Seman said the email was sent from a URL that was a variation of the corporate one, and even ended in “.com,” which should’ve been a tip-off to alert employees. The health system’s real website ends in “.org.” An outside security company prepared the test, he said.

Seman said those employees who were angered by the false enticement of a raise conceded security testing was necessary, but felt using a raise as bait was unnecessary. The hospital will avoid that tactic in the future, Seman said. 

The bogus data request was sent to 5,000 randomly selected employees, or about a third of the health system’s 15,000 employees working at its five North Jersey hospitals.

Nearly ten percent of the employees reported the email as suspicious, and many employees warned their co-workers against clicking on the link or providing any personal information, according to Lenahan’s email to employees.

While the company has the names of the employees who responded to the fabricated email, it indicated it did not collect or share the personal information they entered. Those employees are not in any trouble for having failed the security test, Seman said. If anything, all employees might receive extra security training at some point as a result of the exercise, he said.

The follow-up email ends with a reminder: “Please remember that AHS will never solicit confidential, personal information via email.”

Kathleen O’Brien may be reached at Follow her on Twitter @OBrienLedger. Find on Facebook.


HRH warns of phone phishing scam

Hendricks Regional Health officials have become aware of a phone scam currently circulating in Hendricks County. This particular phishing scam is aimed at attempting to solicit personal financial information over the phone from residents in the community. The scammers are representing themselves as HRH and are asking callers to provide their credit card information. In some cases, the perpetrators are offering new credit card terms to individuals.

Hospital officials want area residents to know:

• These calls are not legitimate and HRH will never call to ask a patient for their credit card information over the phone.

• Residents that receive a phishing call are encouraged to report it to local law enforcement. Authorities will want to know the phone number called, date and time the call was received, as well as the information the caller requested.

• The Federal Trade Commission offers tips for consumers on how to handle these types of fraudulent calls. For example, if someone gets a call from someone they don’t know who is trying to get personal information, say, ‘no thanks’ and hang up. Do not attempt to argue with the caller.

Anyone who receives one of these calls should report it to local law enforcement authorities immediately. HRH is actively monitoring the situation and will provide further updates to the community as needed.