Victims are sent a spoofed email directing them to a fake Gmail login page
A highly effective phishing attack is targeting Gmail users and attempting to steal login credentials, according to Mark Maunder, founder and CEO of WordPress security plugin Wordfence.
The attack works by the hacker first sending an email to your Gmail account, most likely from someone you know who has already had their account hacked, containing what looks like an image attachment.
Instead of showing a preview, clicking on the image opens a separate, fully functional but fake Gmail page that prompts you to sign in again. If you do, the attacker gains full access to your account.
“The attackers signing into your account happens very quickly,” writes Maunder. “It may be automated or they may have a team standing by to process accounts as they are compromised.
“Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot.”
Once logged in, the hacker takes an actual attachment and an actual subject line from your email history and sends them on to people in your contact list. This of course looks entirely normal to the next set of unsuspecting victims, which is why phishing attacks such as this one generally have such high success rates.
To protect yourself against this attack, Maunder advises users to always check that the location bar in your browser starts with ‘https://…’ rather than anything else; the lack of that check is specifically what caught out several technical users in this attack.
Furthermore, checking that only the green lock symbol and ‘https://’ appear before the hostname ‘accounts.google.com’ and enabling two-factor authentication will also help to defend against the phishing scam.
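The location-bar check described above, written out as code. This is an added example, not code from the article or from Wordfence; the hostname ‘accounts.google.com’ comes from the page, while the sample addresses are constructed lookalikes and the function names are my own. It also shows why a check on the address text alone is not enough: the parsed scheme and hostname must match exactly.

```javascript
// Added example: a defender-side version of the advice above. The address-bar
// string is parsed with the WHATWG URL parser (available in browsers and Node),
// and a page counts as the genuine Google sign-in only when the scheme is
// exactly "https:" AND the parsed hostname is exactly "accounts.google.com".
// Text that merely contains "https://accounts.google.com" somewhere is rejected.

const GOOGLE_SIGNIN_HOST = "accounts.google.com"; // hostname named in the article

// Naive check: only looks at the start of the address string.
function naiveLooksGenuine(address) {
  return address.startsWith("https://" + GOOGLE_SIGNIN_HOST);
}

// Structural check: parse first, then compare scheme and hostname exactly.
function isGenuineGoogleSignIn(address) {
  let url;
  try {
    url = new URL(address);
  } catch (e) {
    return false; // not a parseable URL at all
  }
  return url.protocol === "https:" && url.hostname === GOOGLE_SIGNIN_HOST;
}

// Constructed sample addresses (not real phishing URLs): each lookalike shows
// the expected text while the real scheme or hostname is something else.
const SAMPLES = [
  ["https://accounts.google.com/signin/v2/identifier", true],
  ["https://ACCOUNTS.GOOGLE.COM/", true],                      // parser lowercases the host
  ["http://accounts.google.com/", false],                      // not https
  ["https://accounts.google.com.login-example.test/", false],  // really a subdomain of another host
  ["https://accounts.google.com@login-example.test/", false],  // real host is after the "@"
  ["data:text/html,https://accounts.google.com/", false],      // scheme is not https
  ["not a url", false],
];

// Runs both checks over every sample; returns rows of
// [address, expected, naiveResult, structuralResult].
function evaluateSamples() {
  return SAMPLES.map(([addr, expected]) =>
    [addr, expected, naiveLooksGenuine(addr), isGenuineGoogleSignIn(addr)]);
}

// Addresses the naive prefix check wrongly accepts.
function naiveFalsePositives() {
  return SAMPLES.filter(([addr, expected]) => naiveLooksGenuine(addr) && !expected)
                .map(([addr]) => addr);
}
```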
Maunder contacted Google for comment on the matter and received the following statement: “We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”
The spokesman also indicated that there will be updates included in future releases of Chrome and Gmail to help defend against this type of attack.