Via @torproject comes a link to a China Digital TImes (a site run at Berkeley) that gives just a brief notice that some users behind the GFW are having their gmail login attempts redirected to hxxp://18.104.22.168/web/gmail/ where they are asked to enter their password. Chinese users reporting this redirect believe that the redirects are being performed by the ISP. Interestingly, 22.214.171.124 is a CNC host in Xinjiang.
At the time of this post the hxxp://126.96.36.199/web/gmail/ site is not operating (from the US or the PRC according to webpulse).
The original info apparently came from ntdtv:
UPDATE: I was looking closely at the screen cap that shows the source and it appears that part of the phishing app is hosted on ndns01.com, which doesn’t presently have an IP address assigned although the DNS record was updated on August 10.