This article is more than 1 year old
Brilliant phishing attack probes sent mail, sends fake attachments
Strategy_Doc.PDF from the next cubicle is actually a portal to p0wnage
UPDATE An newly-detected Gmail phishing attack sees criminals hack and then rifle through inboxes to target account owners' contacts with thoroughly convincing fake emails.
The new attack uses the file names of sent attachments and applies that name into new attachments that appear to be PDFs but are actually images that, when clicked, send victims to phishing pages.
Suitable subject lines stolen from sent emails are applied to the new phishing emails, making the mischievous messages more legitimate.
Even the URL to which the attachments point is crafted to appear legitimate, bearing the google.com domain, says WordFence chief executive officer Mark Maunder who reported the attacks.
"You are probably thinking you’re too smart to fall for this: It turns out that this attack has caught, or almost caught several technical users who have either tweeted, blogged or commented about it," Maunder says.
"It is being used right now with a high success rate … this technique can be used to steal credentials from many other platforms with many variations in the basic technique."
The phishing landing page. Image: WordFence.
Users who fall for the attacks can be saved by two factor authentication.
One user claiming to be a system administrator at a school says the attacks compromised students and three staff within two hours, using an athletic schedule paired with a subject line to pull off the attacks.
This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh
— Tom Scott (@tomscott) December 23, 2016
Attackers use the data URI scheme to embed a file in the browser location bar which executes once their malicious attachment is clicked, displaying the fake Google login page and google.com address.
Keen eyed users may spot the URL prefix data:text/html or the lower resolution Google image in the phishing page.
White space separates and hides the URL from the file text which invokes the phishing page in a new browser tab.
Maunder says the phishing attacks do not trigger Google's green or red secure and insecure HTTPS security indicators, giving it an appearance of uniformity that makes the attacks highly effective.
"In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected," he says.
He recommends Google change the colour of the data:text/html
prefix to amber which would grab user's attention. ®
UPDATE: Google's been in touch with the following statement:
“We're aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”