Gmail Phishing Scam
By Mark Phillips ¦ Blog.TotalAV.com ¦ Updated 25th April 2017, 06.514 EDT
Phishing scams have long been plaguing email providers and their millions of users, and Gmail is the latest to take a hit from hackers. Described as one of the most convincing to date, the scam lures unsuspecting users into entering their login information, enabling their messages to be read by hackers.
Users unwittingly compromise their account security by opening a malicious email attachment that can come from a known contact within the user’s address book. The attacker may have copied that contact’s writing style and speech pattern in order to gain the recipient’s trust.
The bogus email contains an image attachment that looks like a harmless PDF file. Once the attachment is opened, the user is seamlessly directed to a phishing page that is disguised as Google’s non-threatening sign-in page.
If user logins are entered, their Gmail account is immediately compromised. The attacker can now sift through the Sent Messages folder, learn the user’s writing style, and then continue to spread the scam, emailing the attachment to the user’s remaining contacts.
Google normally warns users when they land on precarious web pages, but the phishing page in this instance fails to trigger the tech giant’s HTTPS security warnings.
Mark Maunder, CEO of Wordfence (a WordPress security service), was the first to discover the attack. Maunder stated that the scam has deceived even “experienced technical users”, stressing the highly deceptive nature of the scam.
An IT administrator, whose school suffered from the attack, described their own experience. “The attackers log in to your account immediately once they get the credentials, and use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.
“[The hackers] went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”
Maunder and other experts warn that a user’s account will be accessed very quickly, that the process may be automated, or that the hackers have a team ready to log in to compromised accounts. Maunder also explains that, now in control of the account, the hacker can do further damage by executing password resets associated with other services.
Luckily there are ways to avoid becoming a victim. Users can enable a two-factor authentication, and should ensure the prefix ‘data:text/html’ (a sign of a precarious page) isn’t in the browser address bar before logging in, Maunder urged.
“Make sure there is nothing before the host name ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green colour and lock symbol that appears on the left. If you can’t verify the protocol and hostname, stop and consider what you just clicked on to get to that sign-in page.”