Aug 13, 2010 09:25 GMT

Reports coming in from China suggest that an ongoing phishing attack targeting Gmail users in the country might employ some form of DNS hijacking.

According to New Tang Dynasty Television (NTDTV) [via Google Translate], when trying to access Google's email service by typing www.gmail.com into the browser address bar, users affected by this attack are redirected to a fake copy of the Gmail login page.

The fake page is hosted on a server (124.117.227.201) that is not owned by the search giant and loads content from a mail.google.com-sFmail-[LONG_PART]-ServerLogin.beij900.ndns01.com address.

Ndns01.com was registered through Xin Net Technology, a Chinese domain registrar commonly used by spammers and phishers.

In addition to being redirected when typing the Gmail address manually, users are reporting the same unusual behavior when trying to access the service via the Google Toolbar.

This kind of hijacking can be achieved in several ways, one being to poison the DNS entry for gmail.com at ISP level.

Normally such an attack would be very difficult to pull off, and because of its large impact it would probably be detected very quickly.

However, we are mentioning it because China Netcom (CNC), one of the country's leading ISPs, has had its DNS servers compromised before.

But changing where a particular domain points can also be done at the home router or operating system level.

There are several pieces of malware, known as DNS hijackers, that do this by adding static entries to the Windows hosts file or by adding rogue DNS servers to the network settings.

Finally, a third method of achieving this behavior would be from the browser. Depending on the type of browser, this could be done by using a rootkit to hook into its process or by installing a malicious extension.
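A defender-side check for the hosts-file and rogue-resolver methods described above, added here as an example and not part of the original report. It parses a constructed hosts-file sample that pins the Gmail names to the rogue address quoted above, and flags resolver answers that fall outside an assumed, illustrative list of Google prefixes; the watched hostnames and the prefix list are assumptions, not something the report provides.

```python
import ipaddress
import socket
# Hostnames the article describes as redirected; a real check would cover more names.
WATCHED_HOSTS = ("gmail.com", "www.gmail.com", "mail.google.com")
# Assumed, illustrative Google prefixes; in real use load the currently published netblocks.
GOOGLE_PREFIXES = [ipaddress.ip_network(p) for p in ("64.233.160.0/19", "74.125.0.0/16",
                   "209.85.128.0/17", "216.239.32.0/19", "172.217.0.0/16", "142.250.0.0/15")]

# Constructed sample hosts file: a loopback line plus a line pinning Gmail names to the rogue IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
124.117.227.201 www.gmail.com gmail.com   # injected by hijacker
"""

def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address
        pairs.extend((fields[0], h.lower().rstrip(".")) for h in fields[1:])
    return pairs

def hijacked_entries(text: str) -> dict[str, str]:
    """Watched names the hosts file pins statically, with the address they point at."""
    return {h: ip for ip, h in parse_hosts(text) if h in WATCHED_HOSTS}

def is_google_address(ip: str) -> bool:
    """True if ip lies inside one of the (assumed) Google prefixes."""
    return any(ipaddress.ip_address(ip) in net for net in GOOGLE_PREFIXES)

def suspicious_answers(answers: dict[str, str]) -> list[str]:
    """Watched names whose resolved address falls outside the Google prefixes."""
    return sorted(h for h, ip in answers.items() if h in WATCHED_HOSTS and not is_google_address(ip))

if __name__ == "__main__":  # live check via the system resolver (needs network access)
    print("hosts-file hijacks:", hijacked_entries(SAMPLE_HOSTS))
    live = {}
    for host in WATCHED_HOSTS:
        try:
            live[host] = socket.gethostbyname(host)
        except OSError as exc:
            print(f"{host}: lookup failed ({exc})")
    print("answers outside Google prefixes:", suspicious_answers(live))
```

A live run will report any name whose answer lies outside the hard-coded prefixes, so refresh the prefix list from Google's published ranges before treating a hit as a hijack rather than a stale allowlist.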

A few months ago, Google activated SSL for Gmail by default. Unless they have deactivated it on purpose, users should make sure the address always starts with https:// and that all visual cues associated with SSL use (the padlock, etc.) are present before logging into the service.

You can follow the editor on Twitter @lconstantin