Gmail phishing attacks are nothing new; thousands of them are flying through the interwebs as you read this. Experts are nonetheless issuing a warning about a new Gmail phishing attack, one that has fooled not only regular users but also tech-savvy users who are generally vigilant. The attack is carried out from a compromised Gmail account: the attacker searches it for an email with attachments, and once they find a suitable email and attachment, they take a screenshot of the attachment, reuse the same subject line, and reply to the sender with the screenshot in place of the real file.
“You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again,” WordFence CEO Mark Maunder warns.
The redirect to the fake Gmail login page is well thought out: the address contains a Google subdomain, accounts.google.com, which is why many tech-savvy users have mistaken it for the real thing.
“This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text,” Maunder explained.
Once you’ve entered your credentials into the fake Gmail login page, the thieves jump into action: they log in to your Google account and wreak havoc at will. It doesn’t end there, either. Once they control one Gmail account, they target the contacts list in that account and continue the cycle.
One reason the attack works is that people can easily miss that the URL of the fake login page sports “data:text/html” before the usual “https://…”.
Another reason is that the browser does not show the red warning and icon that Google usually uses to point out insecure pages.
“In this [attack] the ‘data:text/html’ and the trusted hostname are the same color. That suggests to our perception that they’re related and the ‘data:text/html’ part either doesn’t matter or can be trusted,” Maunder explains, and advises Google to change the way ‘data:text/html’ is displayed in the browser.
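To make the point concrete for anyone writing address-bar checks, detection rules or user training material, here is an added example (it is not code from the article or from Wordfence) that classifies what an address-bar string actually resolves to. A `data:` URI has no hostname at all; anything that looks like `https://accounts.google.com/...` after the comma is just page content, so a trusted name appearing there is a lure, not an origin. The `TRUSTED_HOSTS` list, the `classifyLocation` function and the sample strings are all assumptions constructed for this example, and the fake-page content is a stand-in, not the real payload.

```javascript
// Added example: classify an address-bar string by its real scheme and host.
// Not from the article; TRUSTED_HOSTS, classifyLocation and SAMPLES are assumed.

// Hosts we would accept a Google sign-in form from (assumption for this example).
const TRUSTED_HOSTS = ["accounts.google.com", "mail.google.com"];

function classifyLocation(raw) {
  const text = raw.trim();
  // The scheme is everything before the first ":"; this is the only part
  // of the string that tells the browser what kind of resource it is.
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(text);
  if (!m) {
    return { scheme: null, host: null, embeddedHosts: [], verdict: "not-a-url" };
  }
  const scheme = m[1].toLowerCase();

  if (scheme === "data") {
    // A data: URI carries the whole document inline and has no host.
    // Any trusted hostname found in the rest of the string is decoration.
    const body = text.toLowerCase();
    const embedded = TRUSTED_HOSTS.filter((h) => body.includes(h));
    return {
      scheme,
      host: null,
      embeddedHosts: embedded,
      verdict: embedded.length ? "data-uri-spoofing-trusted-host" : "data-uri",
    };
  }

  let url;
  try {
    url = new URL(text);
  } catch (e) {
    return { scheme, host: null, embeddedHosts: [], verdict: "unparseable" };
  }

  // Exact match on the parsed hostname, not a substring test, so that
  // "accounts.google.com.example.test" does not pass as Google.
  const trustedHost = TRUSTED_HOSTS.includes(url.hostname);
  let verdict;
  if (trustedHost && scheme === "https") verdict = "trusted-origin";
  else if (trustedHost) verdict = "trusted-host-insecure-transport";
  else verdict = "untrusted-origin";

  return { scheme, host: url.hostname, embeddedHosts: [], verdict };
}

// Constructed sample address-bar strings (not captured from a real attack).
const SAMPLES = {
  realLogin: "https://accounts.google.com/ServiceLogin?service=mail",
  dataUriLure:
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
    "                                        " +
    "<html><body>FAKE SIGN-IN FORM PLACEHOLDER</body></html>",
  plainHttp: "http://accounts.google.com/ServiceLogin",
  lookalike: "https://accounts.google.com.example.test/ServiceLogin",
};

// Run every sample through the classifier and return the verdicts by name.
function scanSamples() {
  const out = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    out[name] = classifyLocation(value);
  }
  return out;
}

// Stand-alone run: print a one-line summary per sample.
if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(scanSamples())) {
    console.log(`${name}: scheme=${r.scheme} host=${r.host} verdict=${r.verdict}`);
  }
}
```

The useful design point is that the verdict is driven only by the parsed scheme and hostname. The `data:` branch never consults a hostname because there is none; it reports any trusted name it finds in the content as evidence of a lure, which is exactly the perceptual trick Maunder describes.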
Users should be extra careful with Gmail and attachments; two-factor authentication can’t hurt either. What do you think of this latest Gmail phishing attack? Let us know in the comments below or on Twitter, Facebook, and Google+.