Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/17/2017
04:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Dangerous New Gmail Phishing Attack Gaining Steam

None of the usual browser indicators of fraudulent websites are present in this method of phishing.

[UPDATED 1/18/17 1:05pmET with comment from Google]

One of the best ways to tell if a website that is asking for your username and password is genuine or not is to look at the address bar in your browser that points to the site's true origin. But sometimes that simple precaution isn't enough.

A case in point is a dangerous phishing technique targeting Gmail users that first surfaced about one year ago but has begun gaining steam in recent weeks.

Wordfence, the maker of a security plugin for Wordpress, described the phishing attack as beginning with an adversary sending an email to a target’s Gmail account. The email typically will originate from someone on the recipient’s contact list whose own account had previously been compromised.

The email comes with a subject header and a screenshot or image of an attachment that the sender has used in a recent communication with the recipient. When the recipient clicks on the image, a new tab opens with a prompt asking the user to sign into Gmail again.

The fully functional phishing page is designed to look exactly like Google’s page for signing into Gmail. The address bar for the page includes mention of accounts.google.com, leading unwary users to believe the page is harmless, Wordfence CEO Mark Maunder wrote. "Once you complete sign-in, your account has been compromised," he said.

In reality, the fake login page that opens up when a user clicks on the image is actually an inline file created using a scheme called Data URI. When users enter their Gmail username and password on the page, the data is sent to the attacker.

Maunder pointed to comments on discussion boards, which have noted that attackers log into a compromised account as soon as they obtain the credentials for it. The speed at which the attackers sign into a compromised account suggest that the process may be automated, or that they may have a team standing by to access accounts as they get compromised.

"Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot," Maunder said.

What makes the phishing technique dangerous is the way the address bar displays information when users click on the screenshot of the attachment, he told Dark Reading. Normally, users can easily spot spoofed websites and pages by looking at the address bar in the browser.

In this case, by including the correct host name and “https//” in the address bar, the attackers appear to be having more success fooling victims into entering their credential data on the fake Gmail login page, he says.

The usual green and red indicators that inform users when they are on a safe or unsafe website are not present. Instead, all of the content in the address bar is of the same color and is designed to convince users that the site is harmless.

The only indication that something is awary a string ‘data.text/html’ in the address bar just before the usual ‘https://accounts.google.com,' Maunder said. "If you aren’t paying close attention, you will ignore the ‘data:text/html’ preamble and assume the URL is safe."

Google said in a statement that it's working on mitigations to such an attack. "We're aware of this issue and continue to strengthen our defenses against it," Google said. "We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection."

Wordfence's Maunder says the attack shows why users should verify both the protocol and the hostname in the address bar when signing into a website. Users can also mitigate the risk of their accounts being compromised via phishing by enabling two-factor authentication.

"What makes this unique is the fact that none of the traditional browser indicators that would identify a possible fraudulent site are present," says Robert Capps, vice president of business development at NuData Security.

"Users have been trained to look for the presence or absence of browser indicators," such as the HTTPS:// and lock icon in the URL, Capps says. Google has gone a step further with Chrome by specifically highlighting when a website poses a risk via a security notification.

"Many users, including those that identify as being technically savvy, have become accustomed to looking for these risk indicators, and when not present, assume it is safe to interact with the website," Capps says.

The attack underscores the need for Web browser makers to rethink the trust signals they use to inform users about a danger webpage or exploit. "How users interpret these signals should be thoroughly understood," he says. "Entraining users to rely on signals may have unintended consequences that attackers can use to exploit customers."

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1874
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-ba...
CVE-2019-1875
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by t...
CVE-2019-1876
PUBLISHED: 2019-06-20
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exp...
CVE-2019-1878
PUBLISHED: 2019-06-20
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insuff...
CVE-2019-1879
PUBLISHED: 2019-06-20
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploi...