Gmail phishing scam 'highly effective' even on experienced users

MANILA, Philippines – A new phishing scam targeting Gmail users was revealed by Wordfence, the security team behind the online publishing platform WordPress.

Wordfence described the attack as "highly effective." It is carried out through email: an attacker sends the target an email containing an attachment. When the target opens the attachment, they are taken to a Google sign-in page that appears authentic. The target, thinking they are simply being asked to log in again, types in their password.

The attacker obtains the password and logs in to the victim's account. The cycle continues as the attacker uses the compromised account to send malicious emails to people in the victim's contact list. That is why the attack has "gained popularity" among hackers over the past year: targets think they are opening content from a trusted contact.

Making the attack more insidious, the attacker tries to imitate the victim by using subject lines the victim would use. The attacker would also take screenshots of content already in the mailbox and pass those around to contacts, increasing the chance that the attachment would be opened. Wordfence mentioned one compromised student's "team practice schedule" being passed around to teammates.

The security team noted that the attackers behind this scam act very fast, either with an automated process or with a live team standing by to process compromised accounts quickly.

Fake log-in page 

Wordfence said that the new phishing technique is duping even experienced, technical users – the kind who are already aware of attacks designed to extract valuable information through online trickery.

What makes the recently uncovered technique so much more dangerous is that the location bar shows the text string "accounts.google.com", the hostname of a legitimate Google page. However, in this phishing attack, the text string "data:text/html" precedes "accounts.google.com".

There is also another large chunk of text further along the location bar, which is the file that ultimately sends the user's credentials to the attacker.

These hard-to-spot text strings are what differentiate the phishing log-in page from the legitimate sign-in page. Most people will see "accounts.google.com", believe it is the real thing, and continue with the log-in.

Prevention

Wordfence provided advice on how to avoid being victimized by this phishing attack: 

"Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page." 
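The Wordfence rule quoted above can be written down as a check on the location-bar string itself. The following is an added example written for this article, not code from Wordfence, Google or Rappler; it uses the standard WHATWG URL parser available in Node and browsers, the sample location-bar strings in it are constructed for demonstration, and the placeholder script text in the data: sample stands in for the phishing page, whose contents the article does not show.

```javascript
// Added example (not Wordfence's, Google's or Rappler's code). It applies the
// Wordfence rule to a location-bar string: the page is a genuine Google
// sign-in only if the scheme is https:, nothing but "https://" precedes the
// hostname (no data: prefix, no user-info), and the hostname is exactly
// accounts.google.com. Uses the WHATWG URL parser built into Node and browsers.

const EXPECTED_LOGIN_HOST = "accounts.google.com";

function classifyLoginUrl(raw, expectedHost = EXPECTED_LOGIN_HOST) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch (e) {
    return { verdict: "reject", reason: "not a parseable URL" };
  }

  // A data: URI carries the page body inline. Any "accounts.google.com" text
  // inside it is just characters of that body, not a host the browser reached.
  if (url.protocol === "data:") {
    return { verdict: "reject", reason: "data: URI; hostname text is embedded page content" };
  }

  if (url.protocol !== "https:") {
    return { verdict: "reject", reason: `scheme is ${url.protocol}, not https:` };
  }

  // "user@" before the host is something other than "https://" preceding the
  // hostname, so the rule rejects it even when the host itself would match.
  if (url.username !== "" || url.password !== "") {
    return { verdict: "reject", reason: "user-info precedes the hostname" };
  }

  // Exact match only: "accounts.google.com.example.net" is a different host.
  if (url.hostname !== expectedHost) {
    return { verdict: "reject", reason: `host is ${url.hostname}, not ${expectedHost}` };
  }

  return { verdict: "accept", reason: "https:// directly followed by the expected hostname" };
}

// Constructed location-bar strings for demonstration. The data: entry mimics
// the shape the article describes, with placeholder script text in place of
// the real phishing page.
const SAMPLE_LOCATION_BAR_STRINGS = [
  "https://accounts.google.com/ServiceLogin",
  "data:text/html,https://accounts.google.com/ServiceLogin%3Cscript%3E/*placeholder*/%3C/script%3E",
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.example.net/ServiceLogin",
  "https://accounts.google.com@example.net/ServiceLogin",
];

// Classify every sample and return the verdicts alongside the inputs.
function classifyAll(strings = SAMPLE_LOCATION_BAR_STRINGS) {
  return strings.map((s) => ({ input: s, ...classifyLoginUrl(s) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of classifyAll()) {
    console.log(`${r.verdict.padEnd(6)} ${r.input}\n       ${r.reason}`);
  }
}
```

Run it with `node` to see one accepted string and four rejected ones; the data: sample is rejected by the scheme check before the hostname is ever compared, which is exactly the distinction the fake page relies on users not making.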

They also advocated the use of 2-step verification, which adds a secondary verification mechanism for users, and regular password changes. Two-step verification can be activated from the Google account settings.

Wordfence also received word from Google regarding the attack. The tech giant acknowledged it and said that it is strengthening its defenses against it.

"We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more," said the Google representative. 

Wordfence suggested that Google should incorporate a design that allows users to easily identify the malicious, hidden text strings seen in these attacks – similar to the way that the Google Chrome browser labels insecure "https" pages in red and secure, trusted ones in green. – Rappler.com

Gelo Gonzales

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.
