In the present article we see an analysis of an AT&T phishing page delivered via a Google Docs URL.
Main points of the analysis:
- AT&T Phishing page
- Delivered with Google Docs
- Credit card data requested
hxxps[://]docs[.]google[.]com/drawings/d/1yKHYkUdmpSY9wiAcWubAGBRozW5aEJlMhZQxwWal-jw/preview
Once clicked on the "Sign In" button we can see a redirect to the domain at-inf-serv[.]budvacations[.]forex through a grs[.]ly navigation:
An URL with the billing ID as parameter is called:
A lot of personal and sensitive information and details are requested:
Here we can see the response of the POST request:
Finally, credit card details are requested for insertion:
In my test of the phishing page there is a final error and redirect to the real AT&T page:
At the time of writing of this article only Fortinet detects the domain of the phishing page as malicious:
