Effective Gmail Phishing Attack Being Exploited

Effective Gmail Phishing Attack Being Exploited

First reported by Wordfence, a new highly effective phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over the past few weeks there have been reports of experienced technical users being hit by this.

This attack is currently being used to target Gmail customers and is also targeting other services.

The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.

You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there. It looks like this….

You go ahead and sign in on a fully functional sign-in page that looks like this:

GMail data URI phishing sign-in page

Once you complete sign-in, your account has been compromised.

So, how does it work then?...

This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text. If you widen out the location bar it looks like this:

GMail phishing data uri showing script

In Summary

  • Ensure your users enable 2FA
  • Provide training to further highlight risks so users can be as vigilant as possible
  • Look at other available preventative security measures offered by Google, such as the Password Alert Chrome extension

If you use GMail, you can check your login activity to find out if someone else is signing into your account.

Comments are closed.