Dark Reading is part of the Informa Tech Division of Informa PLC


1/17/2017
04:35 PM

Dangerous New Gmail Phishing Attack Gaining Steam

None of the usual browser indicators of fraudulent websites are present in this method of phishing.

[UPDATED 1/18/17 1:05pmET with comment from Google]

One of the best ways to tell if a website that is asking for your username and password is genuine or not is to look at the address bar in your browser that points to the site's true origin. But sometimes that simple precaution isn't enough.

A case in point is a dangerous phishing technique targeting Gmail users that first surfaced about one year ago but has begun gaining steam in recent weeks.

Wordfence, the maker of a security plugin for WordPress, described the phishing attack as beginning with an adversary sending an email to a target’s Gmail account. The email typically will originate from someone on the recipient’s contact list whose own account had previously been compromised.

The email comes with a subject header and a screenshot or image of an attachment that the sender has used in a recent communication with the recipient. When the recipient clicks on the image, a new tab opens with a prompt asking the user to sign into Gmail again.

The fully functional phishing page is designed to look exactly like Google’s page for signing into Gmail. The address bar for the page includes mention of accounts.google.com, leading unwary users to believe the page is harmless, Wordfence CEO Mark Maunder wrote. "Once you complete sign-in, your account has been compromised," he said.

In reality, the fake login page that opens up when a user clicks on the image is actually an inline file created using a scheme called Data URI. When users enter their Gmail username and password on the page, the data is sent to the attacker.

Maunder pointed to comments on discussion boards, which have noted that attackers log into a compromised account as soon as they obtain the credentials for it. The speed at which the attackers sign into a compromised account suggests that the process may be automated, or that they may have a team standing by to access accounts as they get compromised.

"Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot," Maunder said.

What makes the phishing technique dangerous is the way the address bar displays information when users click on the screenshot of the attachment, he told Dark Reading. Normally, users can easily spot spoofed websites and pages by looking at the address bar in the browser.

In this case, by including the correct host name and “https://” in the address bar, the attackers appear to be having more success fooling victims into entering their credential data on the fake Gmail login page, he says.

The usual green and red indicators that inform users when they are on a safe or unsafe website are not present. Instead, all of the content in the address bar is of the same color and is designed to convince users that the site is harmless.

The only indication that something is awry is the string ‘data:text/html’ in the address bar just before the usual ‘https://accounts.google.com,’ Maunder said. "If you aren’t paying close attention, you will ignore the ‘data:text/html’ preamble and assume the URL is safe."

Google said in a statement that it's working on mitigations to such an attack. "We're aware of this issue and continue to strengthen our defenses against it," Google said. "We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection."

Wordfence's Maunder says the attack shows why users should verify both the protocol and the hostname in the address bar when signing into a website. Users can also mitigate the risk of their accounts being compromised via phishing by enabling two-factor authentication.
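
The protocol-and-hostname check Maunder describes can also be applied mechanically to links pulled from mail or proxy logs. The sketch below is an added example, not code from Wordfence, Google or the original article; the allowlist, the function names and the sample URLs are constructed for illustration.

```javascript
// Added example: judge a link by its parsed scheme and host, never by
// text that merely appears somewhere in the address string.

// Assumption: hosts on which a Google sign-in form is expected.
const TRUSTED_LOGIN_HOSTS = new Set(["accounts.google.com"]);

function classifyLoginUrl(raw) {
  const text = String(raw).trim();
  let url;
  try {
    url = new URL(text); // WHATWG parser, the same rules browsers apply
  } catch {
    return { verdict: "invalid", scheme: null, host: null };
  }
  const scheme = url.protocol.slice(0, -1); // "data:" -> "data"
  const host = url.hostname || null;        // empty for data: URIs
  // Does a trusted name show up as plain text anywhere in the string?
  const lower = text.toLowerCase();
  const namesTrusted = [...TRUSTED_LOGIN_HOSTS].some((h) => lower.includes(h));

  if (scheme === "https" && TRUSTED_LOGIN_HOSTS.has(host)) {
    return { verdict: "trusted", scheme, host };
  }
  // Wrong scheme or wrong host. If the string still names a trusted host,
  // it would pass a quick glance at the address bar, so flag it separately.
  return { verdict: namesTrusted ? "suspicious" : "untrusted", scheme, host };
}

// Constructed sample inputs (not taken from a real campaign).
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
  "   DATA:text/html,https://accounts.google.com/ServiceLogin",
  "http://accounts.google.com/ServiceLogin",
  "https://mail.example.net/login",
];

function report(urls) {
  return urls.map((u) => ({ url: u.trim(), ...classifyLoginUrl(u) }));
}

for (const r of report(SAMPLES)) {
  console.log(`${r.verdict.padEnd(10)} scheme=${r.scheme} host=${r.host}  ${r.url}`);
}
```

For the data URI samples the parser reports the scheme as `data` and no host at all: the `accounts.google.com` text is part of the inline document's path, not an origin.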

"What makes this unique is the fact that none of the traditional browser indicators that would identify a possible fraudulent site are present," says Robert Capps, vice president of business development at NuData Security.

"Users have been trained to look for the presence or absence of browser indicators," such as the HTTPS:// and lock icon in the URL, Capps says. Google has gone a step further with Chrome by specifically highlighting when a website poses a risk via a security notification.

"Many users, including those that identify as being technically savvy, have become accustomed to looking for these risk indicators, and when not present, assume it is safe to interact with the website," Capps says.

The attack underscores the need for Web browser makers to rethink the trust signals they use to inform users about a dangerous webpage or exploit. "How users interpret these signals should be thoroughly understood," he says. "Entraining users to rely on signals may have unintended consequences that attackers can use to exploit customers."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...