Researchers have discovered a new phishing attack that is currently underway that is targeting Google Gmail accounts in a sophisticated way.
What’s interesting about this specific attack is that it uses a new method, one that could even lure tech savvy users into its trap.
The attacks begin with compromised Gmail accounts. The attackers use the compromised account to send emails to email addresses in the compromised account’s address book.
These emails come from a legitimate address therefore, and the attackers seem to use legitimate email messages for the attacks. They contain what looks like an attachment, a PDF or spreadsheet for instance, something that may have been sent in the past already.
When you click on the attachment, you are taken to a Gmail login page on a new tab in the browser.
This page looks like Google’s Gmail login page, and the only indication that something is wrong comes from the address field.
It does not begin with https://accounts.google.com/, but with data:text/html. Also, since the page is not HTTPS, you don’t get a green or red indicator either. Those are the only indicators that something is wrong. If you copy and paste the URL, you will notice that it contains whitespace after the official Gmail URL, and then an obfuscated string.
The main issue that helps the attacker is that it happens that Gmail may ask you to sign in again to your account at times, and that the actual Gmail address is listed in the address bar as well.
If you just glance at it, you may see https:// accounts.google.com/, and think that everything is alright.
You should be save if you follow the basic rules when it comes to phishing, as one of them is that you have to check the address of the page at all times before you do anything on it.
In short, if the URL does not start with https:// it is definitely fake, at least in the case of Gmail and any modern service that supports https://.
I can see how even experienced users fall for that trap though, considering that the emails come from a legitimate contact and not some fake address.
It may also be easy enough to overlook the fact that the attached PDF is an embedded image instead. You may notice that something is wrong when the attachment takes you to another page.
The attackers try their best to hide the that fact, as they use the page title “you have been signed out” which users may focus on instead of the actual web address they are on.
Another thing that should let the alarm bells ring is that the page that opens asks for the user’s email address and password. Google usually won’t when that happens.
Accounts with two-factor authentication are better protected against these phishing attacks. It is however possible for attackers to request the two-factor authentication code from the user as well if they attack the account in real-time.
Google seems to consider adding a “not secure” tag to data: and blob: elements in the address bar, but nothing is set in stone yet.
Data is not entirely new when it comes to phishing. We reported about data being used for phishing attacks back in 2014, and that is probably not the first occasion it was used for that.
The attackers target Gmail currently, but nothing is stopping them from moving on to a different email provider.
Now You: Would you have fallen for the attack?
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.