There’s a new phishing campaign targeting Gmail users. Security researchers say that it’s highly effective and that even experienced, tech-savvy users are being tricked by it.
Image: Tom Page/Flickr
Whoever is behind this campaign is either employing a team that’s ready to pounce on newly-compromised accounts or their code includes some fairly sophisticated automation features. As soon as a victim submits a password, the criminals log in to the victim’s Gmail account.
Once they’re in, they start gathering material for secondary attacks. They’re after a couple of things. First, they look for an attachment the victim has previously sent to his or her contacts, along with the subject line of the real email it went out in. Then they harvest the victim’s contact addresses.
Those contacts become the new targets, which is a big part of what makes this attack so effective. The phishing emails are coming from someone the victim knows.
The fraudsters send over a message with a thumbnailed version of the attachment. When clicked, it doesn’t open the Gmail previewer. Instead, a convincing Gmail login box is displayed. It’s a trap.
Victims might not notice because of a clever trick employed by this attack. Instead of sending potential victims to a website that could be blocked by protections like Google’s SafeBrowsing system, clicking the attachment loads the entire fake login page as code inside the browser’s address bar (a data: URL, so there is no hosted page to blocklist).
Because that code is padded with a long run of whitespace, all a victim sees is the very first part of it. That part reads https://accounts.google.com, and for many people that is enough to let down their defenses. The tell is what comes before it: the address bar begins with data:text/html, rather than https://, and the browser shows no lock icon for such a page.
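To make the trick concrete, here is an added example (not code from the original article or from the researchers it cites) of a link classifier of the kind a mail gateway or browser extension could run: it recognises a data: URL whose visible prefix is a trusted-looking https:// address, followed by whitespace padding and hidden markup. The sample links, the allow-list of trusted login hosts and the placeholder HTML are constructed for the example.

```javascript
// Added example: classify a link for the address-bar trick described above.
// Assumption: an allow-list of hosts at which a login form is expected.
const TRUSTED_LOGIN_HOSTS = new Set(["accounts.google.com"]);

// Hostname of a URL, or null if the text is not a parseable URL.
function hostOf(urlText) {
  try {
    return new URL(urlText).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// data:[<mediatype>][;base64],<payload> -- the payload is what lands in the
// address bar. Only the part before the first run of whitespace is visible.
function analyzeDataUrl(href) {
  const comma = href.indexOf(",");
  const header = comma === -1 ? href.slice(5) : href.slice(5, comma);
  let payload = comma === -1 ? "" : href.slice(comma + 1);
  const isBase64 = /;base64$/i.test(header);
  const mediaType = (header.split(";")[0] || "text/plain").toLowerCase();
  if (!isBase64) {
    try { payload = decodeURIComponent(payload); } catch (e) { /* keep raw */ }
  }
  const ws = /\s+/.exec(payload);
  const visiblePrefix = ws ? payload.slice(0, ws.index) : payload;
  const paddingLength = ws ? ws[0].length : 0;
  const hidden = ws ? payload.slice(ws.index + ws[0].length) : "";
  const visibleHost = hostOf(visiblePrefix);
  const spoofsTrustedHost = visibleHost !== null && TRUSTED_LOGIN_HOSTS.has(visibleHost);
  const hiddenMarkup = /<\s*(html|body|form|input|script|iframe)\b/i.test(hidden);
  if (spoofsTrustedHost && hiddenMarkup) {
    return { verdict: "address-bar-spoof", visiblePrefix, paddingLength, hiddenBytes: hidden.length };
  }
  if (mediaType === "text/html") return { verdict: "inline-page", mediaType, base64: isBase64 };
  return { verdict: "data-url", mediaType, base64: isBase64 };
}

function classifyLink(href) {
  const text = href.trim();
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(text);
  const scheme = m ? m[1].toLowerCase() : "";
  if (scheme === "data") return analyzeDataUrl(text);
  if (scheme === "https") {
    const host = hostOf(text);
    if (host === null) return { verdict: "malformed" };
    return TRUSTED_LOGIN_HOSTS.has(host)
      ? { verdict: "ok", host }
      : { verdict: "untrusted-host", host };
  }
  if (scheme === "http") return { verdict: "insecure-scheme", host: hostOf(text) };
  return { verdict: "other-scheme", scheme };
}

// Constructed sample links (not taken from a real campaign).
const SAMPLES = {
  genuine: "https://accounts.google.com/ServiceLogin?service=mail",
  spoofed:
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
    " ".repeat(120) +
    "<html><body><form>(a fake login form would be rendered here)</form></body></html>",
  lookalike: "https://accounts.google.com.example.net/ServiceLogin",
  base64Page: "data:text/html;base64,PGh0bWw+PC9odG1sPg==",
};

for (const [name, href] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(classifyLink(href)));
}
```

The classifier keys on the structure of the trick rather than on any specific payload: a data: URL whose user-visible prefix parses as a URL at a trusted login host, then padding, then markup. The lookalike sample shows why the full hostname, not just the start of the address, has to be compared.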
Protecting Yourself Is Easy
As carefully crafted as this attack is, there’s a simple way to blunt it: enable two-factor authentication in Gmail. Unless the attackers also have access to that second factor, say your phone or a USB security key, stealing your password won’t let them into your account. One caveat: a code you type into a web page can be captured and replayed just like a password if a phishing kit relays the login in real time, so a USB security key, which checks the site’s origin and can’t be used from a fake page, is the stronger choice.
Another thing you can do is always look for the lock icon next to the address bar, and read the whole address rather than just its start. It’s not a foolproof way to know that you’re entering your password on a trusted site, since many phishing pages are now hosted on SSL-secured servers, but it catches this particular attack: the fake login page is loaded as code in the address bar rather than from a site, so there is no lock to show.
If the scam sounds familiar and you fear you’ve already fallen for it, there are further steps you should take. First, change your Gmail password. Once you’ve done that, head to the Gmail account activity page. It will show you any current sessions that are logged in, and you can sign out any that you think are suspicious. Finally, review the account’s mail forwarding, filter and recovery settings, since an attacker who has been logged in could have changed them to keep access after the password is reset.