- Oct 23, 2012
- 12,527
A new wave of phishing attacks launched at Gmail users has been spotted online, but this time cybercriminals are using a more sophisticated technique that’s pretty difficult to spot at first glance.
Specifically, attackers are now sending emails to Gmail users with embedded attachments that look like images and which require just a click to launch what is supposed to be a preview of the picture.
Instead, the attachment opens a new tab in your browser that requires a re-login. When inspecting the typical elements that could point to a phishing scam, such as the address bar, everything looks legit, as in this case the URL is the following: “data:text/html,https://accounts/google.com.”
So naturally, most users would provide their Gmail credentials, but as WordFence reports, once you do that, the account is compromised.
Specifically, attackers are now sending emails to Gmail users with embedded attachments that look like images and which require just a click to launch what is supposed to be a preview of the picture.
Instead, the attachment opens a new tab in your browser that requires a re-login. When inspecting the typical elements that could point to a phishing scam, such as the address bar, everything looks legit, as in this case the URL is the following: “data:text/html,https://accounts/google.com.”
So naturally, most users would provide their Gmail credentials, but as WordFence reports, once you do that, the account is compromised.
Surprisingly, the hacked Gmail account is almost instantly accessed in order to retrieve the contacts and then uses the same phishing email to spread the attack. Using email addresses from a person’s contacts can make emails look even more legitimate, thus helping compromise a bigger number of accounts.
Most likely, the access is automatically performed by a bot, but there’s also a chance for attackers to do the whole thing manually in order to collect email addresses.
How to detect the phishing attacked
The easiest way to determine that a message is a phishing attack or not is by looking in the address bar. As we’ve told you before, attackers were particularly focused on ways to make the URL look more legitimate, but in reality, there are a lot of white spaces that you can remove to check out the end of the address.
If you do that, you can notice that the URL ends with a script that’s supposed to launch the new tab and point the browser to the phishing page used to steal login credentials.
Google has already offered a response, according to the aforementioned source, but it’s not what you think, as the company doesn’t seem to be too keen on blocking the attacks.
“The address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin are the users currently visiting. If the users pay no attention to the address bar, phishing and spoofing attack are – obviously – trivial. Unfortunately that’s how the web works, and any fix that would to try to e.g. detect phishing pages based on their look would be easily bypassable in hundreds of ways. The data: URL part here is not that important as you could have a phishing on any httppage just as well,” the firm said.
The easiest way to keep your account secure, even if you fall for this phishing attack, is to enable two-factor authentication for Gmail, which means that in case you do provide your login credentials on the phishing website, the attacked shouldn’t be able to access your account anyway.