Attacks/Breaches
1/17/2017
04:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Dangerous New Gmail Phishing Attack Gaining Steam

None of the usual browser indicators of fraudulent websites are present in this method of phishing.

[UPDATED 1/18/17 1:05pmET with comment from Google]

One of the best ways to tell if a website that is asking for your username and password is genuine or not is to look at the address bar in your browser that points to the site's true origin. But sometimes that simple precaution isn't enough.

A case in point is a dangerous phishing technique targeting Gmail users that first surfaced about one year ago but has begun gaining steam in recent weeks.

Wordfence, the maker of a security plugin for Wordpress, described the phishing attack as beginning with an adversary sending an email to a target’s Gmail account. The email typically will originate from someone on the recipient’s contact list whose own account had previously been compromised.

The email comes with a subject header and a screenshot or image of an attachment that the sender has used in a recent communication with the recipient. When the recipient clicks on the image, a new tab opens with a prompt asking the user to sign into Gmail again.

The fully functional phishing page is designed to look exactly like Google’s page for signing into Gmail. The address bar for the page includes mention of accounts.google.com, leading unwary users to believe the page is harmless, Wordfence CEO Mark Maunder wrote. "Once you complete sign-in, your account has been compromised," he said.

In reality, the fake login page that opens up when a user clicks on the image is actually an inline file created using a scheme called Data URI. When users enter their Gmail username and password on the page, the data is sent to the attacker.

Maunder pointed to comments on discussion boards, which have noted that attackers log into a compromised account as soon as they obtain the credentials for it. The speed at which the attackers sign into a compromised account suggest that the process may be automated, or that they may have a team standing by to access accounts as they get compromised.

"Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot," Maunder said.

What makes the phishing technique dangerous is the way the address bar displays information when users click on the screenshot of the attachment, he told Dark Reading. Normally, users can easily spot spoofed websites and pages by looking at the address bar in the browser.

In this case, by including the correct host name and “https//” in the address bar, the attackers appear to be having more success fooling victims into entering their credential data on the fake Gmail login page, he says.

The usual green and red indicators that inform users when they are on a safe or unsafe website are not present. Instead, all of the content in the address bar is of the same color and is designed to convince users that the site is harmless.

The only indication that something is awary a string ‘data.text/html’ in the address bar just before the usual ‘https://accounts.google.com,' Maunder said. "If you aren’t paying close attention, you will ignore the ‘data:text/html’ preamble and assume the URL is safe."

Google said in a statement that it's working on mitigations to such an attack. "We're aware of this issue and continue to strengthen our defenses against it," Google said. "We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection."

Wordfence's Maunder says the attack shows why users should verify both the protocol and the hostname in the address bar when signing into a website. Users can also mitigate the risk of their accounts being compromised via phishing by enabling two-factor authentication.

"What makes this unique is the fact that none of the traditional browser indicators that would identify a possible fraudulent site are present," says Robert Capps, vice president of business development at NuData Security.

"Users have been trained to look for the presence or absence of browser indicators," such as the HTTPS:// and lock icon in the URL, Capps says. Google has gone a step further with Chrome by specifically highlighting when a website poses a risk via a security notification.

"Many users, including those that identify as being technically savvy, have become accustomed to looking for these risk indicators, and when not present, assume it is safe to interact with the website," Capps says.

The attack underscores the need for Web browser makers to rethink the trust signals they use to inform users about a danger webpage or exploit. "How users interpret these signals should be thoroughly understood," he says. "Entraining users to rely on signals may have unintended consequences that attackers can use to exploit customers."

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.