Wordfence researchers are warning of a new and unusually effective phishing scam designed to steal login credentials from Gmail users, though it’s also been seen targeting users of other services (h/t The Register).
The email arrives in the target's Gmail inbox, often from a contact whose own account was compromised with the same technique, and contains an image that mimics an attachment the recipient would expect from that sender.
“You click on the image, expecting Gmail to give you a preview of the attachment,” Wordfence CEO Mark Maunder explains in a blog post describing the attack. “You glance at the location bar and see accounts.google.com in there.”
Instead, you’re redirected to a valid-looking Gmail sign-in page. Sign in, and your account has been compromised.
A victim reported on Hacker News that the attack was the most sophisticated they’d ever seen. “The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list,” the victim wrote.
Of course, Maunder notes, once the attackers control your email address, they can use it to compromise other services you use by requesting a password reset.
To protect yourself, Maunder suggests, read the whole location bar rather than just the familiar host name: for this attack to work, the address begins with data:text/html in place of https://. “If you aren’t paying close attention you will ignore the ‘data:text/html’ preamble and assume the URL is safe,” he writes.
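The check Maunder describes, written out as an added example (this is not Wordfence's code and not part of the original article): a small classifier that looks at a location-bar or link string the way a careful user should, flagging a data: scheme, a non-https scheme, and, as a generalisation beyond the page, a trusted host name that appears in the URL's userinfo or path rather than as the real host. The trusted-host list and the sample strings are constructed for the example.

```python
from urllib.parse import urlparse

# Hosts the user expects to see when signing in (constructed list for this example)
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


def classify_url(raw: str) -> dict:
    """Return scheme, real host and a list of findings for a location-bar string.

    An empty findings list means nothing about the string itself looks deceptive;
    it is a sanity check on the address, not proof that the page is legitimate.
    """
    text = raw.strip()
    findings = []
    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower() if sep else ""

    if scheme == "data":
        # A data: URI carries the whole page inline; no web server was contacted,
        # so a sign-in form shown here cannot be the real provider's.
        findings.append("data: URI in the location bar; the page is embedded, not served")
        for trusted in TRUSTED_LOGIN_HOSTS:
            if trusted in rest:
                findings.append(f"'{trusted}' appears only as decoy text after the data: preamble")
        return {"scheme": scheme, "host": None, "findings": findings}

    parsed = urlparse(text)
    host = (parsed.hostname or "").lower()
    if scheme != "https":
        findings.append(f"scheme '{scheme or 'none'}' is not https")
    if host not in TRUSTED_LOGIN_HOSTS:
        findings.append(f"real host is '{host or 'none'}', not an expected login host")
    # Generalisation: a trusted name in the userinfo part (user@host) or in the
    # path is a decoy; only the hostname decides where the credentials are sent.
    decoy_zone = " ".join(filter(None, [parsed.username, parsed.path]))
    for trusted in TRUSTED_LOGIN_HOSTS:
        if trusted != host and trusted in decoy_zone:
            findings.append(f"'{trusted}' appears in the URL but is not the host")
    return {"scheme": scheme, "host": host, "findings": findings}


def is_plausible_login_url(raw: str) -> bool:
    """True only when no finding was raised against the string."""
    return not classify_url(raw)["findings"]


# Constructed sample strings, modelled on the data:text/html preamble the
# article describes; none is taken from a real incident.
SAMPLES = [
    "https://accounts.google.com/ServiceLogin?service=mail",
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
    "https://accounts.google.com@login.example/ServiceLogin",
    "http://accounts.google.com/ServiceLogin",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = classify_url(sample)
        print("OK  " if not verdict["findings"] else "WARN", sample)
        for finding in verdict["findings"]:
            print("      -", finding)
```

Only the first sample passes; the data: string is rejected before any host is parsed at all, which is the point: once the scheme is data:, the familiar host name further along the bar is just text.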
“You are probably thinking you’re too smart to fall for this,” Maunder writes. “It turns out that this attack has caught, or almost caught, several technical users who have either tweeted, blogged or commented about it.”
Lastline CMO Bert Rankin told eSecurity Planet by email that constantly evolving and improving phishing attacks are unfortunately now a way of life for all of us. “For those enterprise IT administrators with the mission of protecting the organization, education of the employees is not enough,” he said. “It takes just one accidental well-meaning click on a malicious email to inflict irrevocable damage to the whole of the organization.”
“In addition to employee education and awareness about how phishing attacks work and how to check a suspicious email, it is an imperative that IT put filtering mechanisms in place that use technology — not people — to sort, test and eliminate such malicious emails before they even have a chance to test the eyes of the employees,” Rankin added.
And Prevalent director of product management Jeff Hill said by email that there’s unfortunately no longer any effective defense for a well-conceived phishing attack. “Reliance on email communication, the sheer volume of it, and the frenetic pace of life combine to create a superbly fertile environment for cyber attackers to exploit,” he said.
“In the corporate environment, relying on external defenses to prevent an intrusion is a foolish, head-in-the-sand approach to cybersecurity, something InfoSec professionals are well aware of,” Hill added. “The challenge is to detect the intrusion quickly after the inevitably successful phishing attack, shut it down, and make it very difficult for bad actors to access sensitive information in the interim even if they gain access to the network.”
A recent eSecurity Planet article offered advice on securing corporate data in a post-perimeter world.
(UPDATE: Google provided the following official statement regarding the scam: “We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”)