Security experts say a “highly effective” phishing scam has been tricking Google Gmail users into sharing their passwords.
It’s not a new scam – it’s been around for a few months and researchers at WordFence, a team that made a widely used security tool for the blogging website WordPress, warned of the attack recently and said it had a “wide impact, even on experienced technical users.” WordFence occasionally sends out alerts about security issues outside of WordPress that “are urgent and have a wide impact on our customers and readers.”
“Unfortunately this is one of those alerts,” WordFence noted.
The way the attack works is that an attacker will send an email to a Gmail account. That email might come from someone you know or an email address you recognize, but that account has been compromised. It may also include something that looks like an image of an attachment you recognize from the sender.
But once you click on the image, expecting Gmail to give you a preview of the attachment, instead a new tab opens in your web browser and you’re prompted by Gmail to sign in again. Once you sign in, your account has been compromised.
The sign-in page appears legitimate. The Google logo and entry fields for email address and passwords look the same.
The attacker signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised, WordFence warned. Once attackers have access to your account, they also have full access to all your emails, including sent and received messages.
And it’s not just your Gmail account you should be concerned about. Anything you use the email address to log into could be compromised if the attackers use a password reset mechanism to change your passwords for other sites, like your bank account or online shopping websites.
Users in the Hacker News forum said it’s “the most sophisticated attack” they’d seen, and that attackers log into the email account immediately once they get the login credentials and use the email address to spread the scam further by accessing the contact list and sending an infected attachment.
How to protect yourself
When you click on the false attachment and it launches a new tab, the URL in the web browser will read “accounts.google.com” but to protect yourself, you need to look more carefully at the URL.
The scam is using a “data URL” to include a file in the browser bar. When you see a URL that begins with “data:text/htm;” it’s actually a long string of text, and when you widen the bar, you can see the text, which is actually a file that opens the fake Gmail login page to send your credentials to the attacker.
When you sign into any service, you should check the browser bar to verify the protocol and hostname. It should appear as “https://accounts.google.com” and nothing should be before “accounts.google.com” except “https://” and the lock symbol on the left which may be followed by the word “secure.”
If you can’t verify the protocol and hostname, stop and think about what you’ve clicked on before you proceed.
Gmail users can also enable two-factor authentication or “2-step verification” to add an extra layer of security to your email account. Some other websites and services offer a similar option.
This extra security step makes it much more challenging for an attacker to sign into a service you use, even if they’ve managed to steal your password, though it’s not foolproof.
Gmail users concerned that their account may have been hacked can change their passwords or check login activity to find out if someone else is accessing the account.
Google has provided the following prepared statement to users and news organizations seeking information about the phishing scam.
“We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, ‘safe browsing’ warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”