Last week, an email was going around that looked to be from Netflix, but was not. It asked subscribers to update their personal and financial information, including their credit card and Social Security numbers. Netflix does not ask its customers for their Social Security numbers.
This week, Gmail users became the victims of another scam. Unlike the Netflix scam, this Gmail phishing attack looks legitimate.
This is how Wordfence, a developer of a security plugin for WordPress, described the fraud:
“The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.”
In a legitimate email, Gmail shows you a preview of the attachment. In this scam, clicking on the image instead opens a new tab, where a page that looks like the Gmail sign-in page asks you to sign in again. Because it looks legitimate, you enter your sign-in information, and doing so compromises your account.
The attack happens very quickly. Once the attackers have accessed your account, they have full access to your Gmail account and can download everything in it. Because they control your email address, they can also take over other services associated with that address through those services' password reset mechanisms.
This phishing technique is particularly dangerous because of what the address bar displays when you click on the attachment. The attackers use the correct hostname, and “https://” appears in the address bar. As a result, they have more success in fooling victims into entering their data on a fake Gmail login page.
However, even though the address bar shows “https,” the familiar green indicator that tells users the website is safe is not present. Instead, all of the text in the address bar is the same color. That has still been enough to convince users that the site is harmless.
Then again, if you look carefully, the address bar shows “data:text/html” before the “https://accounts.google.com”. If you fail to look at the address bar before signing in, you will miss the data:text/html prefix and assume that it is safe to proceed.
That said, it is always wise to look at the location bar in your browser before you sign in. In this way, you can avoid phishing attacks that let scammers steal your username and password.
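The check described above (nothing may precede the expected hostname other than “https://”) can be written down as code. The following is an added example, not code from the original article or from Wordfence or Google; it uses the standard WHATWG URL parser available in Node.js and browsers, and the sample address-bar strings it classifies are constructed for illustration. It goes slightly beyond the article by requiring an exact hostname match, which also rejects any other host whose name merely contains the expected one.

```javascript
// Added example: classify what a browser's location bar shows before a user
// types credentials into a sign-in page. Rule from the article: the address
// must be "https://" followed directly by the expected hostname.

const EXPECTED_SIGNIN_HOST = "accounts.google.com"; // host named in the article

// Returns { safe: boolean, reason: string } for one location-bar string.
function classifyLocation(locationBarText) {
  let url;
  try {
    url = new URL(locationBarText.trim());
  } catch (e) {
    return { safe: false, reason: "not a parseable absolute URL" };
  }

  // The case in the article: the bar starts with "data:text/html" and the
  // familiar "https://accounts.google.com" is just text inside that data URL.
  if (url.protocol === "data:") {
    return { safe: false, reason: "data: URL; the page is embedded in the address itself" };
  }
  if (url.protocol !== "https:") {
    return { safe: false, reason: `scheme is ${url.protocol} rather than https:` };
  }
  // Exact match on the parsed hostname, not a substring search on the text.
  if (url.hostname !== EXPECTED_SIGNIN_HOST) {
    return { safe: false, reason: `hostname is ${url.hostname}, expected ${EXPECTED_SIGNIN_HOST}` };
  }
  // Anything in the userinfo position would also precede the hostname.
  if (url.username !== "" || url.password !== "") {
    return { safe: false, reason: "userinfo present before the hostname" };
  }
  return { safe: true, reason: "https origin matches the expected sign-in host" };
}

// Constructed sample location-bar strings (not captured from a real attack).
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.example.test/ServiceLogin",
  "accounts.google.com/ServiceLogin",
];

for (const s of SAMPLES) {
  const r = classifyLocation(s);
  console.log(`${r.safe ? "OK  " : "STOP"} ${s} -> ${r.reason}`);
}
```

Only the first sample is accepted; the data: URL from the article fails at the scheme check before its hostname is ever considered, which is the point: the parser, not the eye, decides what the origin is.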
“Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.”
“The address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin the users are currently visiting. If the users pay no attention to the address bar, phishing and spoofing attacks are – obviously – trivial. Unfortunately that’s how the web works, and any fix that would try to e.g. detect phishing pages based on their look would be easily bypassable in hundreds of ways. The data: URL part here is not that important as you could have phishing on any http[s] page just as well.”