A Gmail phishing campaign is clever enough to have almost tricked or successfully fooled multiple sophisticated users.
The attack, which other contributors to The State of Security have spotted, begins when a Gmail user receives an email. Oftentimes, the message comes from someone they know whose account has already been compromised. The email appears to contain a PDF attachment. In actuality, the “attachment” is an embedded image designed to trick the user into clicking on it. Doing so opens a new tab in the user’s browser, where they are prompted to sign into their Gmail account using a legitimate-looking sign-in page.
Upon entering their credentials, attackers can in most cases gain access to the victim’s Gmail account.
One victim explains what happens next on Hacker News:
“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.
“For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”
Fortunately, this scam isn’t undetectable. The location bar uses a “data URI” to include a complete file (the phishing page) in the browser. You can tell by the fact that the address lists “data:text/html,” before “https://”.
But there’s a catch. The phrase “accounts.google.com” is clearly visible in the file’s address. This arrangement is enough to fool most non-techie recipients and has almost tricked even some technical users.
This is the closest I’ve ever come to falling for a Gmail phishing attack. If it hadn’t been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh
— Tom Scott (@tomscott) December 23, 2016
Others admitted they’ve not been so lucky in blogs or comments.
To its credit, Google has grown wise to this phishing scam and has instituted measures designed to protect Chrome users. Wordfence’s Mark Maunder, who originally came across the scam, elaborates on that point in a blog post:
“Chrome has resolved this issue to my satisfaction. Earlier this month they released Chrome 56.0.2924 which changes the location bar behavior. If you now view a data URL, the location bar shows a “Not Secure” message which should help users realize that they should not trust forms presented to them via a data URL. It will help prevent this specific phishing technique.”
To protect themselves against phishing attacks that are as clever as this one, users should verify both the hostname and protocol before they enter any personal information on a web page. They should also enable two-step verification (2SV) if the feature is available for their accounts. That way, an attacker won’t be able to compromise their account even if they obtain their password.
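The hostname-and-protocol check described above, applied to the data URI trick from this campaign, as an added example (not code from the article or from Wordfence). It assumes a single expected sign-in host, accounts.google.com, and uses a constructed address-bar string that only mimics the shape of the real one: everything after “data:” is page content, so the “https://accounts.google.com” it contains is decoration, not a host the browser connected to.

```python
import re
from urllib.parse import urlsplit

# Hostnames the user expects to sign in to (assumption for this example).
EXPECTED_HOSTS = {"accounts.google.com"}

# Constructed sample of the address bar described in the article. The real
# campaign padded this with whitespace and a script; both are omitted here.
SAMPLE_DATA_URI = ("data:text/html,https://accounts.google.com/ServiceLogin"
                   "?service=mail%20%20%20%3Cscript%3E/*omitted*/%3C/script%3E")


def classify_location(address: str, expected_hosts=EXPECTED_HOSTS) -> dict:
    """Read an address-bar string the way the article tells users to:
    check the protocol first, then the real hostname."""
    parts = urlsplit(address.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    info = {"scheme": scheme, "host": host, "data_uri": False,
            "lookalike_host": None, "verdict": ""}
    if scheme == "data":
        # A data: URI has no host at all: the browser renders inline content.
        # Any host-looking text after the scheme is part of that content.
        info["data_uri"] = True
        body = address.split(":", 1)[1]
        m = re.search(r"https?://([a-z0-9.-]+)", body, re.IGNORECASE)
        info["lookalike_host"] = m.group(1).lower() if m else None
        info["verdict"] = "untrusted: data URI, no real host"
    elif scheme != "https":
        info["verdict"] = "untrusted: not HTTPS"
    elif host in expected_hosts:
        info["verdict"] = "ok"
    else:
        # e.g. a lookalike domain that merely starts with the expected name
        info["verdict"] = "untrusted: unexpected host"
    return info


if __name__ == "__main__":
    for addr in (SAMPLE_DATA_URI,
                 "https://accounts.google.com/signin/v2/identifier",
                 "https://accounts.google.com.login-check.test/ServiceLogin",
                 "http://accounts.google.com/ServiceLogin"):
        r = classify_location(addr)
        print(f"{r['verdict']:<35} scheme={r['scheme']} host={r['host'] or '-'}"
              f" lookalike={r['lookalike_host']}")
```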