Cybercriminals are lurking around every corner of the internet, searching for their next victims. They will use everything in their arsenal to steal our personal information and money: malware, ransomware and phishing attacks, to name a few.
In many cases these fraudsters make simple mistakes, like poor spelling and grammar, that tip us off to their scams. However, an extremely effective and hard-to-detect phishing campaign is currently hitting Gmail users, and it is fooling even experienced technical users.
The scam is being described as one of the most convincing yet: it tricks users into handing over their Google login details, allowing the attacker to sift through their messages.
According to Wordfence, maker of a WordPress security plugin, the attack works like this: the attackers send emails from compromised accounts to those accounts' contacts, containing a seemingly innocuous attachment. When you click on the attachment to preview it, a new tab opens. The new tab shows "accounts.google.com" in the address bar and appears to be a fully functioning, legitimate Gmail login page, but it is not. If you enter your email and password, the attackers have your credentials and full access to all of your emails.
Why would I click the attachment on a random email from someone?
Emails containing the rogue attachment can come from people in the recipient's own address book, and the attacker can even mimic their writing style, so the fake email passes convincingly from one victim to that victim's contacts.
The fake email uses an image attachment that looks like a PDF file. According to Wordfence:
“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list. For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”
Even more worryingly, the phishing page does not seem to trigger the browser's HTTPS security warnings, which normally alert users when they land on an unsafe page. The only reliable way to spot it is careful scrutiny of the address bar. The deception hides in plain sight: most users let their guard down as soon as they see 'accounts.google.com' somewhere in the address bar and assume they are on Google's protected login page, without checking whether that is actually the host the page was loaded from.
To avoid this particular scam:
- Always look for the lock icon next to the address bar. It is not foolproof, however: as noted above, this page does not trigger the usual warnings.
- Make sure there is nothing in front of the host name in the address bar, and verify both the protocol (it should be https://) and the host name (it should be exactly accounts.google.com, not merely contain it).
- Enable 2-Step Verification for your Google account. Stolen credentials alone are then not enough, because the attacker would also need the OTP (One Time Password) required to complete the login. Note that a phishing page which relays the code to Google in real time can still get past an SMS or app-generated code; a hardware security key, which is bound to the genuine site's origin, cannot be phished this way.
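The address-bar checks in the list above can be written down as a small program. The following is an added example, not code from the article or from Wordfence. It uses the standard URL parser available in browsers and in Node.js, and the sample URLs are constructed to mirror the pattern the article describes: the real host name appearing somewhere in the address bar without being the host the page was actually loaded from.

```javascript
// Added example (not code from the article or from Wordfence): apply the
// address-bar checks to a URL string. All sample URLs below are constructed.
const EXPECTED_PROTOCOL = "https:";
const EXPECTED_HOST = "accounts.google.com";

// Returns { ok, reason } for what the address bar shows. Only a parse that
// yields https and exactly the expected host passes; a substring match on
// "accounts.google.com" anywhere in the bar would be fooled.
function classifyLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch (e) {
    return { ok: false, reason: "not a parseable URL" };
  }
  // Protocol first: data:, http: and javascript: all fail here. A data: URL can
  // carry the text "https://accounts.google.com" inside its body, so a reader who
  // only scans for the host name sees something reassuring that is not the host.
  if (url.protocol !== EXPECTED_PROTOCOL) {
    return { ok: false, reason: "protocol is " + url.protocol + ", not " + EXPECTED_PROTOCOL };
  }
  // Anything in front of the host name: "https://accounts.google.com@evil.example/"
  // parses with the real host name as user info and evil.example as the host.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "user info in front of host " + url.hostname };
  }
  // Exact host match: subdomain tricks and look-alike domains fail here.
  if (url.hostname !== EXPECTED_HOST) {
    return { ok: false, reason: "host is " + (url.hostname || "(none)") + ", not " + EXPECTED_HOST };
  }
  return { ok: true, reason: "https to " + EXPECTED_HOST };
}

// Constructed samples: one genuine form and several that show the real host
// name somewhere in the bar without actually being Google's login page.
const SAMPLE_URLS = [
  "https://accounts.google.com/ServiceLogin",
  "data:text/html,https://accounts.google.com/ServiceLogin",
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com@evil.example/ServiceLogin",
  "https://accounts.google.com.evil.example/ServiceLogin",
  "https://evil.example/accounts.google.com/ServiceLogin",
  "https://accounts.googlе.com/ServiceLogin", // Cyrillic 'е' look-alike
];

// Runs every sample through the classifier and returns the verdicts.
function checkSamples() {
  return SAMPLE_URLS.map((url) => ({ url, ...classifyLoginUrl(url) }));
}

for (const r of checkSamples()) {
  console.log((r.ok ? "OK   " : "FAIL ") + r.url + "  (" + r.reason + ")");
}
```

Run it with node: only the first sample passes. The point is that the verdict comes from the parsed protocol and hostname fields, never from whether the string "accounts.google.com" appears somewhere in the bar, which is exactly the shortcut a rushed glance takes.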
If you think you may have already fallen victim to the scam, change your Gmail password immediately. Then go to your account activity page and end any current sessions that you don’t recognize.
Via: Forbes