A Gmail phishing attack has recently brought itself back around after the debut of the technique last year. Security researchers say that it’s highly effective and that even experienced, tech-savvy users are being tricked by it.
The attack begins with an email that purports to be someone you know, along with an image of an attachment the victim might recognize from the sender. When the victim clicks on the image, expecting Gmail to pop up a preview of the attachment, a new tab opens up and users are prompted by Gmail to sign in again.
Insidiously, the location bar looks legit: accounts.google.com, and the fully functional sign-in page is a perfect copy-cat of the real Gmail deal.
Once they get those credentials, the attackers log into the account for full access to all emails, including sent and received. They could also compromise a wide variety of other services that a victim uses, by using the password reset mechanism.
To boot, the attackers send a mail to everyone on the contact list, using one of the victim’s actual attachments and actual subject lines, to propagate the infection.
“For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team,” explained Mark Maunder, a researcher at Wordfence, in a posting. “The attackers signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised.”
The impact of this attack could be widespread, and also an issue for businesses. Brian Stafford, the CEO of Diligent, noted that the use of free email service providers (ESPs) among board members – the enterprise elite – is widespread. He found that more than 30% of US board members are using a free ESP to conduct business, and Google, at 44%, is the No. 1 most commonly used.
“Companies and executives that use Android devices for work purposes should immediately check to see if their accounts have been compromised, take an inventory of materials saved and shared on Google Docs/Drive and alert their security and compliance teams immediately to begin any necessary mitigation activities that need to occur,” said Stafford.
So how to protect against the attack? Closely examining the URL for the sign-in page is one way – although it’s been carefully designed to fool most people.
“You are probably thinking you’re too smart to fall for this,” Maunder said. “It turns out that this attack has caught, or almost caught, several technical users who have either tweeted, blogged or commented about it.”
A better option would be to enable two-factor authentication.
“Once again, we are reminded of the danger of relying on any password as the only means of securing access to systems, apps or data,” said Corey Williams, senior director of products and marketing at Centrify, via email. “While it is always prudent to check the URL of a link before clicking on it to verify it is spelled correctly and is a valid site, a more reliable defense against attackers is to enable two factor authentication (offered by Gmail since 2011!).”