Google took down a recent phishing campaign that was abusing Goo.gl short URLs and an older data URI trick to mask the page’s real URL and fool victims into thinking they were on the actual Google login page.
According to, who analyzed this recent phishing campaign, crooks were spreading around a Goo.gl short URL, now taken down, which was redirecting users to a page on the nwfacilities[.]top domain.
Data URIs used for URL spoofing phishing scams
The problem was that this page contained source code that would refresh the page and replace its original URL with one that read, “data:text/html,https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue.“
Except the “data:text/html” mention at the start of the URL, this is the actual, real-life link to the Google login page.
The nwfacilities[.]top would also load an iframe that covered the entire page, which was a carbon copy of the Google login page, but with one difference: the form’s submit URL was sending all the data to the crook’s servers.
Trick is somewhat effective, works only in Chrome
Even somewhat tech-savvy users would have a hard time detecting this phishing campaign, mainly because the URL contained the real Google login page.
Nevertheless, in the case of login pages, users should always keep in mind that the only prefix accepted to this kind of pages is “https://” and only “https://” and not any kind of data URI like “data:text/html” or others.
Fortunately, data URIs don’t work across all browsers, since they’re not universally supported in the same way. This particular page was effective only in Google Chrome and some Firefox versions.
Using data URIs for phishing is a very old trick,in the late 2000s, and by a researcher from the University of Oslo in Norway in 2012, when he created one of the first page-less phishing campaigns.