Attacks/Breaches

1/17/2017
04:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Dangerous New Gmail Phishing Attack Gaining Steam

None of the usual browser indicators of fraudulent websites are present in this method of phishing.

[UPDATED 1/18/17 1:05pmET with comment from Google]

One of the best ways to tell if a website that is asking for your username and password is genuine or not is to look at the address bar in your browser that points to the site's true origin. But sometimes that simple precaution isn't enough.

A case in point is a dangerous phishing technique targeting Gmail users that first surfaced about one year ago but has begun gaining steam in recent weeks.

Wordfence, the maker of a security plugin for Wordpress, described the phishing attack as beginning with an adversary sending an email to a target’s Gmail account. The email typically will originate from someone on the recipient’s contact list whose own account had previously been compromised.

The email comes with a subject header and a screenshot or image of an attachment that the sender has used in a recent communication with the recipient. When the recipient clicks on the image, a new tab opens with a prompt asking the user to sign into Gmail again.

The fully functional phishing page is designed to look exactly like Google’s page for signing into Gmail. The address bar for the page includes mention of accounts.google.com, leading unwary users to believe the page is harmless, Wordfence CEO Mark Maunder wrote. "Once you complete sign-in, your account has been compromised," he said.

In reality, the fake login page that opens up when a user clicks on the image is actually an inline file created using a scheme called Data URI. When users enter their Gmail username and password on the page, the data is sent to the attacker.

Maunder pointed to comments on discussion boards, which have noted that attackers log into a compromised account as soon as they obtain the credentials for it. The speed at which the attackers sign into a compromised account suggest that the process may be automated, or that they may have a team standing by to access accounts as they get compromised.

"Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot," Maunder said.

What makes the phishing technique dangerous is the way the address bar displays information when users click on the screenshot of the attachment, he told Dark Reading. Normally, users can easily spot spoofed websites and pages by looking at the address bar in the browser.

In this case, by including the correct host name and “https//” in the address bar, the attackers appear to be having more success fooling victims into entering their credential data on the fake Gmail login page, he says.

The usual green and red indicators that inform users when they are on a safe or unsafe website are not present. Instead, all of the content in the address bar is of the same color and is designed to convince users that the site is harmless.

The only indication that something is awary a string ‘data.text/html’ in the address bar just before the usual ‘https://accounts.google.com,' Maunder said. "If you aren’t paying close attention, you will ignore the ‘data:text/html’ preamble and assume the URL is safe."

Google said in a statement that it's working on mitigations to such an attack. "We're aware of this issue and continue to strengthen our defenses against it," Google said. "We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection."

Wordfence's Maunder says the attack shows why users should verify both the protocol and the hostname in the address bar when signing into a website. Users can also mitigate the risk of their accounts being compromised via phishing by enabling two-factor authentication.

"What makes this unique is the fact that none of the traditional browser indicators that would identify a possible fraudulent site are present," says Robert Capps, vice president of business development at NuData Security.

"Users have been trained to look for the presence or absence of browser indicators," such as the HTTPS:// and lock icon in the URL, Capps says. Google has gone a step further with Chrome by specifically highlighting when a website poses a risk via a security notification.

"Many users, including those that identify as being technically savvy, have become accustomed to looking for these risk indicators, and when not present, assume it is safe to interact with the website," Capps says.

The attack underscores the need for Web browser makers to rethink the trust signals they use to inform users about a danger webpage or exploit. "How users interpret these signals should be thoroughly understood," he says. "Entraining users to rely on signals may have unintended consequences that attackers can use to exploit customers."

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7629
PUBLISHED: 2019-02-18
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.
CVE-2019-8919
PUBLISHED: 2019-02-18
The seadroid (aka Seafile Android Client) application through 2.2.13 for Android always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
CVE-2019-8917
PUBLISHED: 2019-02-18
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may b...
CVE-2019-8908
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/g...
CVE-2019-8909
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service (resource consumption) via crafted dimensions for the verification code image.