Attacks/Breaches

1/17/2017
04:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Dangerous New Gmail Phishing Attack Gaining Steam

None of the usual browser indicators of fraudulent websites are present in this method of phishing.

[UPDATED 1/18/17 1:05pmET with comment from Google]

One of the best ways to tell if a website that is asking for your username and password is genuine or not is to look at the address bar in your browser that points to the site's true origin. But sometimes that simple precaution isn't enough.

A case in point is a dangerous phishing technique targeting Gmail users that first surfaced about one year ago but has begun gaining steam in recent weeks.

Wordfence, the maker of a security plugin for Wordpress, described the phishing attack as beginning with an adversary sending an email to a target’s Gmail account. The email typically will originate from someone on the recipient’s contact list whose own account had previously been compromised.

The email comes with a subject header and a screenshot or image of an attachment that the sender has used in a recent communication with the recipient. When the recipient clicks on the image, a new tab opens with a prompt asking the user to sign into Gmail again.

The fully functional phishing page is designed to look exactly like Google’s page for signing into Gmail. The address bar for the page includes mention of accounts.google.com, leading unwary users to believe the page is harmless, Wordfence CEO Mark Maunder wrote. "Once you complete sign-in, your account has been compromised," he said.

In reality, the fake login page that opens up when a user clicks on the image is actually an inline file created using a scheme called Data URI. When users enter their Gmail username and password on the page, the data is sent to the attacker.

Maunder pointed to comments on discussion boards, which have noted that attackers log into a compromised account as soon as they obtain the credentials for it. The speed at which the attackers sign into a compromised account suggest that the process may be automated, or that they may have a team standing by to access accounts as they get compromised.

"Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot," Maunder said.

What makes the phishing technique dangerous is the way the address bar displays information when users click on the screenshot of the attachment, he told Dark Reading. Normally, users can easily spot spoofed websites and pages by looking at the address bar in the browser.

In this case, by including the correct host name and “https//” in the address bar, the attackers appear to be having more success fooling victims into entering their credential data on the fake Gmail login page, he says.

The usual green and red indicators that inform users when they are on a safe or unsafe website are not present. Instead, all of the content in the address bar is of the same color and is designed to convince users that the site is harmless.

The only indication that something is awary a string ‘data.text/html’ in the address bar just before the usual ‘https://accounts.google.com,' Maunder said. "If you aren’t paying close attention, you will ignore the ‘data:text/html’ preamble and assume the URL is safe."

Google said in a statement that it's working on mitigations to such an attack. "We're aware of this issue and continue to strengthen our defenses against it," Google said. "We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection."

Wordfence's Maunder says the attack shows why users should verify both the protocol and the hostname in the address bar when signing into a website. Users can also mitigate the risk of their accounts being compromised via phishing by enabling two-factor authentication.

"What makes this unique is the fact that none of the traditional browser indicators that would identify a possible fraudulent site are present," says Robert Capps, vice president of business development at NuData Security.

"Users have been trained to look for the presence or absence of browser indicators," such as the HTTPS:// and lock icon in the URL, Capps says. Google has gone a step further with Chrome by specifically highlighting when a website poses a risk via a security notification.

"Many users, including those that identify as being technically savvy, have become accustomed to looking for these risk indicators, and when not present, assume it is safe to interact with the website," Capps says.

The attack underscores the need for Web browser makers to rethink the trust signals they use to inform users about a danger webpage or exploit. "How users interpret these signals should be thoroughly understood," he says. "Entraining users to rely on signals may have unintended consequences that attackers can use to exploit customers."

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4035
PUBLISHED: 2019-03-22
IBM Content Navigator 3.0CD could allow attackers to direct web traffic to a malicious site. If attackers make a fake IBM Content Navigator site, they can send a link to ICN users to send request to their Edit client directly. Then Edit client will download documents from the fake ICN website. IBM X...
CVE-2019-4052
PUBLISHED: 2019-03-22
IBM API Connect 2018.1 and 2018.4.1.2 apis can be leveraged by unauthenticated users to discover login ids of registered users. IBM X-Force ID: 156544.
CVE-2019-9648
PUBLISHED: 2019-03-22
An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists using the SIZE command along with a \..\..\ substring, allowing an attacker to enumerate file existence based on the returned information.
CVE-2019-9923
PUBLISHED: 2019-03-22
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
CVE-2019-9924
PUBLISHED: 2019-03-22
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.