- Global Voices Advocacy - https://advox.globalvoices.org -

Mass Gmail Phishing in Tunisia

Categories: Tunisia

Lately, Internet users in Tunisia started complaining about difficulties accessing their Gmail accounts [1], and rumors began to circulate about an imminent censorship of Google's email service. Since the new wave of censorship [2] that banned popular websites such as Flickr, Wat.tv, Blip.tv, Metacafe.com, Agoravox.fr and countless Tunisian blogs, paranoia about internet censorship has increased and seems to be justified.

Last week, two people I'm following on Twitter issued warnings about phishing attacks, with screenshots [3] showing that access to mail.google.com [4] displayed strange error messages belonging to EasyPHP [5].

Mass Gmail phishing in Tunisia [6]

Mass Gmail phishing in Tunisia [7]

EasyPHP [8] is certainly powerful, but in no way able to run a service such as Gmail. It became clear that it was a fake Gmail login page, made up by hackers seemingly unable to properly configure EasyPHP, and acting on the entire internet network in Tunisia.

To confirm this theory, I first had to rule out the possibility of malware installed on the machine, which could have sent the browser to a fake Gmail in order to steal its victims' passwords and hack into their email accounts. But that was not the case.

The next step was to see whether the problem appeared with the same symptoms for everyone. Following investigation, the suspicions were confirmed and I identified two cases: people who had been regularly unable to access Gmail for weeks, and people whom Gmail continuously asked for authentication.

Whether in the workplace or at home, the situation was the same, and interestingly, those who experienced this at their place of work indicated that when this problem happens with Gmail, everyone is affected simultaneously.

At this stage of my investigation, the assumption was that what was going on was a DNS cache poisoning [9] attack, a technique that consists of deceiving DNS servers (which are responsible for translating names such as mail.google.com into internet addresses) and sending a user who seeks to access a specific website to another one. What led me to this conclusion was the fact that I was not a victim of this attack, as I wasn't using my ISP's DNS. But I found out that the situation was actually worse than this.

A few days later, when I tried to connect to Gmail – my Gmail settings [10] are such that I only use https [11] – my browser refused to connect.

After a quick check, I found that HTTPS port 443 was blocked on all IP addresses of mail.google.com.

Mass Gmail phishing in Tunisia [12]

It was clear then that access to the secure version of Gmail was censored. Accessing Gmail through plain http (unsecure) seemed to work, but surprisingly, it asked me to authenticate although I had already been logged in for half an hour.

The fake Gmail login page [13]

One detail, however, caught my eye: the URL I get redirected to when I point my browser to mail.google.com:

http://mail.google.com/accountsServiceLoginservicemail&passivetrue&rmfalse&continuehttp3A2F2Fmail.google.com2Fmail2F3Fhl3Dfr26tab3Dwm26ui3Dhtml26zy3Dl&bsvzpwhtygjntrz&scc1&ltmpldefault&ltmplcache2&hlfr.htm [14]

This tiny detail doesn't really reveal anything to someone who is not a web developer, but the “.htm” located at the end of the address indeed betrays a phishing attempt.

That first experience with this phishing campaign on Gmail lasted only a few minutes before things returned to normal, but there was something fishy going on: the IP address was correct! (see nmap screenshot). Carrying out such an attack takes full control of the Tunisian network, from the wires to the HTTP protocol. Those hackers were owning the whole country.

The hacking method was basically to block access to the secure Gmail [4] so that Tunisians are required to sign in via a non-secure Gmail [15], then divert them to a machine running a fake Gmail login page under EasyPHP, to steal their passwords and later, when needed, hack their email accounts.

Later that morning, I decided to monitor and trace this systematic phishing campaign on Gmail with the help of a cron job that checked whether port 443 was open or closed – basically, if it was closed, a phishing attack was ongoing.

After 1 day of monitoring, a pattern seemed to be emerging: the phishing happened every two hours and lasted exactly 5 minutes.

For example, here are the phishing schedules discovered in my subnet 41.226.255.*:

8:35 UTC+1
10:35 UTC+1
12:35 UTC+1
14:35 UTC+1
16:35 UTC+1
18:35 UTC+1
20:35 UTC+1
22:35 UTC+1
00:35 UTC+1
2:35 UTC+1
4:35 UTC+1
6:35 UTC+1
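
The monitoring described above can be reproduced with a small probe and log analysis. This is an added example, not the author's original cron job; the function names, the one-line log format, the one-minute sampling interval and the sample data are all assumptions made for illustration.

```python
import socket
from datetime import datetime, timedelta

def probe(host="mail.google.com", port=443, timeout=5.0):
    """Return 'open' if any resolved address accepts TCP on the port, else 'closed'."""
    try:
        addrs = {ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)}
    except socket.gaierror:
        return "dns-error"  # a resolution failure is a different symptom than a blocked port
    for ip in addrs:
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                return "open"
        except OSError:
            continue
    return "closed"  # blocked on all IP addresses, the condition the article watches for

def blocked_windows(log_lines, step=timedelta(minutes=1)):
    """Group consecutive 'closed' samples into (start, duration) windows."""
    windows, start, last = [], None, None
    for line in log_lines:
        stamp, state = line.split()
        t = datetime.fromisoformat(stamp)
        if state == "closed":
            if start is None or t - last > step:  # new window, or missed probes in between
                if start is not None:
                    windows.append((start, last - start + step))
                start = t
            last = t
        elif start is not None:  # any other state ends the current window
            windows.append((start, last - start + step))
            start = None
    if start is not None:
        windows.append((start, last - start + step))
    return windows

def recurrence(windows):
    """Time between the starts of successive blocked windows."""
    return [b[0] - a[0] for a, b in zip(windows, windows[1:])]

def sample_log():
    """Constructed data: one probe per minute, 08:00-10:59, blocked 5 min at 08:35 and 10:35."""
    t0 = datetime(2000, 1, 1, 8, 0)  # constructed date, not from the article
    times = [t0 + timedelta(minutes=i) for i in range(180)]
    return [f"{t.isoformat()} {'closed' if t.hour in (8, 10) and 35 <= t.minute < 40 else 'open'}"
            for t in times]

if __name__ == "__main__":  # run once per minute from cron, appending stdout to a log file
    print(datetime.now().isoformat(timespec="seconds"), probe())
```

Feeding the accumulated log to `blocked_windows` and `recurrence` gives the start time and length of each blocked window and the gap between them, which is how a two-hour, five-minute pattern like the one above becomes visible.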

In the meantime I received evidence that these attacks had been ongoing for months (some people were even saying for several years), while others reported that the same phishing methods are targeting Facebook and Yahoo Mail.

My advice in order to secure your Gmail account:

- The first thing to do is to enable “Always use https.” from your Gmail settings [10].

- Change your password and make it difficult for others to guess. [16]

- If you are in Tunisia, don't access your Gmail account during these phishing attacks; they only last for about five minutes.