The incredibly clever technique involves a fake but convincing and functional Gmail sign-in page.
A sophisticated new phishing technique that composes convincing emails by analyzing and mimicking past messages and attachments has been discovered by security experts.
Discovered by Mark Maunder, the CEO of WordPress security plugin Wordfence, the attack first sees the hacker send an email appearing to contain a PDF with a familiar file name.
That PDF, however, is actually a cleverly disguised image that, when clicked, launches a new tab that looks like this:
It’s the Gmail sign-in page, right? Not quite. A closer look at the address bar will show you that all is not quite as it seems:
Unfortunately, the attack’s imitation of the Gmail sign-in page is so convincing that many users will automatically enter their login details, simultaneously surrendering them to the hackers, who can proceed to steal your data and use one of your past messages to compromise another round of Gmail users.
In an example described by a commenter on Hacker News, the hackers emailed a link disguised as an athletics practice schedule from one member of the team to the others.
“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list,” added the commenter.
Impressive as the attack is, there are ways to protect yourself.
The most obvious giveaway is that the legitimate Gmail sign-in page’s URL begins with a lock symbol and ‘https://’ highlighted in green, not ‘data:text/html,https://’. However, if you hit the address bar, you’ll also see that the fake page’s URL is actually incredibly long, with a white space sneakily hiding the majority of the text from view.
Maunder also recommends enabling two-factor authorization on Gmail, which you can do here.
“We’re aware of this issue and continue to strengthen our defenses against it,” Google said in a statement after this article was published.
“We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”
The Independent. Independent Digital News and Media, n.d. Web. 03 Feb. 2017.