Getting Phished

I just got phished.

I received a suspicious PDF in email. It had a name that made it sound like something I might personally be interested in from someone I met about a year ago. No idea if that was luck or by design. Even scarier if it was by design. The email looked like this

Notice it looks like a PDF attachment. There’s only 2 subtle things wrong. One is it’s low-res. The normal PDF attachment icon is an HTML construction which on my MacbookPro would look higher res. Compare the filename DOC-201607014.pdf to the text in the email itself.

The second is if I hover the mouse pointer over the PDF image the URL is wrong in the bottom left corner.

Why I didn’t notice those, especially that second one, I have no idea.

Instead I thought, “Well, it is from someone I know. Since I can preview it through gmail without downloading it I’ll click it and look at the online preview”. So I clicked it.

It led to this page

Which looks like Google’s login. Instead it’s a faked up URL containing embedded in the URL. Again the URL starting with data:text/html, should have given it away but I saw the after and had a brain fart. Again, no idea why I didn’t notice that. Also on top of that, given parts of it are images they’re again low-res instead of the normal high-res for my machine. If I had been on a low-res machine that difference would not have appeared.

In any case because Google from time to time does ask me to login again I just typed in my email and password. The fact that the email address wasn’t already there should have also be a clue but just yesterday I had to clear my browser cache so I was willing to accept that maybe it needed me to re-type that too.

Only after it failed and didn’t ask for my 2 factor authentication I realized I had just been phished. I immediately changed my Google password. Fortunately my google password is not used on any of my other accounts.

It’s so scary that it was so easy to fool me. I’d guess most non-techies would fall for this too and most non-techies don’t have 2 factor on so they’d have been owned immediately. Not that 2 factor would completely save me. A more sophisticated phishing should have displayed the 2 factor form next which I probably would have entered. It would then have immediately owned my google account.


Here’s the entire actual URL if you’re curious.

The one positive thing I can do is mark it as a phishing email. I have no idea what Google does with that info. Hopefully they can mark other emails with a similar link as phishing?


  • Thanks for sharing. I really appreciate admissions like this. I didn’t blog about it, but I once also got phished for BitCoin by another very well designed lure.

  • Colin Mack

    Lesson learned. Not clicking on that link, just to be safe 🙂

  • Atanas Minev

    for the curious, the obfuscated script in the URL, that’s executed is:

    window.document.title = "You have been Signed out";
    try {
    (function() {
    var link = window.document.createElement('link');
    link.type = 'image/x-icon';
    link.rel = 'shortcut icon';
    link.href = '';
    } catch (e) {}
    window.document.body.outerHTML = "";

  • sloth77

    Yeah, its sad that 2FA is vulnerable in that fashion. I think if 2FA becomes widespread and phishers implement that level of sophistication then it will become more trouble than it is worth.

  • WoJ

    Thank you for the detailed walk-through. We all learn on mistakes, even more when someone is willing to share his 🙂
    Out of curiosity, once you “logged in” with your email and password, what was displayed? A login error? An error page? Something else? Nothing?