Over the past year, a new and effective phishing method has been used to target Gmail and other mail services, and within the past couple of weeks there have been reports of even experienced technical users being hit by it.
The attack starts with an email sent to your Gmail account. That email may come from someone you know whose account has already been compromised, and it carries what looks like an image attached to the message.
Since you know the sender, you may click on the attachment to preview it. A new tab opens, prompting you to enter your Gmail sign-in information again. The sign-in page looks exactly like the real Google sign-in page, and the URL (address) bar shows the following in it:
Because this contains the words “accounts.google.com”, many experienced users have fallen prey to it. Someone not paying close attention or rushing through their email is even more likely to fall for it.
How the phishing attack works.
Creating a phishing page doesn’t exactly take a lot of skill. There are tutorials online that can walk you through it step by step and it’s pretty doggone easy, even for novice web developers.
Once the page is built, the attacker hosts it online and uses it to harvest login credentials for whatever legitimate website it imitates.
Over the holiday break, a commenter on Hacker News described the following:
“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.
For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”
According to WordFence, in an article they published:
“The attackers signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised.
Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot.
Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more.
What I have described above is a phishing attack that is used to steal usernames and passwords on Gmail. It is being used right now with a high success rate. However, this technique can be used to steal credentials from many other platforms with many variations in the basic technique.”
Protecting yourself against this attack.
Many people have taught themselves to check the URL in the browser's location bar before signing in, and assume that this protects them against phishing. In this case the address contained the words “accounts.google.com”, so a quick glance passed the check that would normally catch a fake sign-in page.
The lesson is that a familiar name appearing somewhere in the address is not the same as being on that site. What matters is that the address begins with https:// and that the hostname itself, the part between the scheme and the first slash, is exactly accounts.google.com; the same string in the path, in a longer lookalike hostname, or in a non-https address proves nothing.
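To make the difference between a glance and a real check concrete, here is an added example (not code from the original article or from WordFence) that contrasts the naive “does the address contain accounts.google.com?” test with a strict check using the browser's own URL parser. The sample addresses are constructed for this example and are not taken from the reported attack; the only assumption is that exactly the host accounts.google.com over https is treated as genuine.

```javascript
// Added example, not part of the original article: strict vs. naive
// address checking for a sign-in page. Assumption: only the exact host
// below, reached over https, counts as the real Google sign-in page.
const GENUINE_HOST = "accounts.google.com";

// Strict check: parse the address and require https plus an exact hostname.
// Returns { genuine, reason } so a caller can log why something failed.
function checkSignInUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { genuine: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { genuine: false, reason: `scheme is ${url.protocol} not https:` };
  }
  if (url.hostname !== GENUINE_HOST) {
    return { genuine: false, reason: `host is "${url.hostname}" not "${GENUINE_HOST}"` };
  }
  return { genuine: true, reason: "https and exact host match" };
}

// Naive check that many people actually perform: is the name in the address?
function naiveContainsCheck(urlString) {
  return urlString.includes(GENUINE_HOST);
}

// Constructed sample addresses (not from the article). Every entry contains
// the string "accounts.google.com"; only the first actually points at that host.
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",   // genuine
  "https://accounts.google.com.example.net/ServiceLogin",    // longer lookalike hostname
  "https://accounts.google.com@example.net/ServiceLogin",    // real host hidden in userinfo, actual host is example.net
  "https://example.net/accounts.google.com/ServiceLogin",    // name only in the path
  "http://accounts.google.com/ServiceLogin",                 // right host, wrong scheme
  "data:text/html,https://accounts.google.com/ServiceLogin", // non-https scheme carrying the name as data
];

// Run both checks over the samples and return the rows for inspection.
function compareChecks() {
  return SAMPLES.map((s) => ({
    url: s,
    naive: naiveContainsCheck(s),
    strict: checkSignInUrl(s),
  }));
}

// Stand-alone run: print a comparison table.
for (const row of compareChecks()) {
  const naive = row.naive ? "naive PASS" : "naive FAIL";
  const strict = row.strict.genuine ? "strict PASS" : "strict FAIL";
  console.log(`${naive} | ${strict} | ${row.url} (${row.strict.reason})`);
}
```

The naive test passes every one of the six addresses, which is exactly the failure described above; the strict check accepts only the first. The userinfo case is worth remembering: in `https://accounts.google.com@example.net/`, the parser (and the browser) treats everything before the `@` as a username, and the page is served by example.net.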
WordFence’s report on this attack offers many ways to make sure you are protecting yourself from this clever attack. Check that article out now.
In an official statement to WordFence on January 17, 2017, Google said:
“We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”