Oiwan Lam writes about ISP level phishing attempts, at Global Voices Advocacy:
In the past few days, there are many reports from Chinese internet users saying that when they try to access gmail account, they are redirected to a url: http://18.104.22.168/web/gmail/
and asked to re-enter their password.
Today NTDTV.com disclosed that the url is a phishing page for stealing users’ password. It is believed that local ISPs are involved in the phishing activities.
The phishing website looks exactly the same with Gmail but the server is from Urumqi.