An effective new phishing attack is hitting Gmail users and tricking many into inputing their credentials into a fake login page.
How the attack unfolds
The phishers start by compromising a Gmail account, then they rifle through the emails the user has recently received.
After finding one with an attachment, they create an image (screenshot) of it and include it in a reply to the sender. They use the same or similar subject line for the email, to invoke recognition and automatic trust.
“You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again,” WordFence CEO Mark Maunder warns.
The phishing page is a good copy of Gmail’s login page, and its URL contains the accounts.google.com subdomain, which is enough to fool many into believing that they are on a legitimate Google page.
“This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text,” Maunder explained.
In short, this text is a file that opens in a new tab and creates a completely functional fake Gmail login page, and those who enter the asked-for credentials deliver them directly to the attackers.
Once in possession of the credentials, the attackers sign into the account quickly. They either have a team ready to do it as soon as login credentials for an account are made available, or have automated this part.
And once they gain access to a new account, the attack chain starts all over again, with the latest victim’s contacts as the new targets.
Why is it so effective?
According to Maunder, the attack is so effective that even some tech-savvy users have fallen or almost fallen for it.
One of the reasons is that people can easily miss that the URL of the fake login page sports “‘data:text/html” before the usual “https://…..”.
Another reason is that the browser does not show the red warning and icon usually used by Google to point out insecure pages:
“In this [attack] the ‘data:text/html’ and the trusted hostname are the same color. That suggests to our perception that they’re related and the ‘data:text/html’ part either doesn’t matter or can be trusted,” Maunder explains, and advises Google to change the way ‘data:text/html’ is displayed in the browser.
Users are urged to be careful and to protect themselves by using Gmail’s two-factor authentication option.