Crafty Phishing Technique Can Trick Even Tech-Savvy Gmail Users
March 23, 2017
Seid Yassin

Gmail users have in recent months been targeted by a sophisticated series of phishing attacks in which the email arrives from a known contact whose own account has already been compromised. The message carries an image styled to look like a legitimate attachment; clicking it opens the phishing page rather than an attachment, according to Wordfence.

The attack loads a data: URL whose visible text begins with "https://accounts.google.com/...", so the browser's location bar appears to show a Google address even though the page is being delivered inline by the URL itself rather than from Google. Victims land on what appears to be a legitimate Google sign-in page, are prompted for their credentials, and hand them to the attacker.

The technique works so well that many experienced technical users have fallen prey to the scam, noted Mark Maunder, CEO of Wordfence. Many have shared warnings on Facebook to alert family and friends, given that the technique has exploited otherwise trusted contacts so successfully.

Google’s Reply

Google has been aware of the issue since at least mid-January, based on comments from Google Communications' Aaron Stein, which Wordfence characterized as an "official statement" from the company.

Google was continuing to strengthen its defenses, Stein said, citing machine-learning-based detection of phishing messages, Safe Browsing warnings for dangerous links in email, and steps to prevent suspicious sign-ins.

Users could take advantage of two-factor authentication to further protect their accounts, he suggested.

Wordfence noted last month that Chrome 56.0.2924 changes the behavior of the browser's location bar: when the page on display was loaded from a data: URL, Chrome now shows a "Not secure" label, flagging the very trick this attack relies on.
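The address-bar trick described above, as an added example that is not code from the article or from Wordfence: the decoy data: URL, the padding, and the helper names are constructed here for illustration, and the real campaign's page content is not reproduced. It shows why a "does the address bar mention accounts.google.com?" check is fooled, and why checking the parsed scheme and host (which is what Chrome 56's "Not secure" label amounts to) is not.

```javascript
// Added example, not code from the article or from Wordfence. The decoy URL
// and helper names are constructed for this illustration.

// Constructed sample: the body of the data: URL starts with text that looks
// like Google's sign-in address, then a long run of spaces so the rest scrolls
// out of view, then the HTML that actually renders the fake login form.
const PADDING = ' '.repeat(200);
const SPOOFED_HREF =
  'data:text/html,https://accounts.google.com/ServiceLogin?service=mail' +
  PADDING +
  '<form><input name="Email"><input name="Passwd" type="password"></form>';

// A genuine sign-in address for comparison.
const GENUINE_HREF = 'https://accounts.google.com/ServiceLogin?service=mail';

// The mental check that caught experienced users out: the expected host name
// is visible somewhere in the address bar text.
function naiveLooksLikeGoogle(href) {
  return href.includes('accounts.google.com');
}

// The check a browser (or a user) should make: parse the address and look at
// its scheme and host, not at its text. A data: URL has protocol "data:" and
// an empty host no matter what its body contains.
function classifyAddress(href) {
  let url;
  try {
    url = new URL(href); // WHATWG URL parser, built into Node and browsers
  } catch (e) {
    return { verdict: 'unparseable', protocol: null, host: null };
  }
  if (url.protocol === 'data:') {
    // data:<mediatype>[;base64],<body>  -- split on the first comma of the raw
    // string so that a "?" inside the body is not mistaken for a query string.
    const comma = href.indexOf(',');
    const mediaType = comma === -1 ? href.slice('data:'.length) : href.slice('data:'.length, comma);
    const body = comma === -1 ? '' : href.slice(comma + 1);
    // The decoy is the leading run of non-whitespace text the victim sees.
    const decoy = body.split(/\s/)[0];
    return { verdict: 'inline-data', protocol: url.protocol, host: url.host, mediaType, decoy };
  }
  const trusted = url.protocol === 'https:' && url.host === 'accounts.google.com';
  return {
    verdict: trusted ? 'trusted' : 'untrusted-origin',
    protocol: url.protocol,
    host: url.host,
  };
}

// Stand-alone demonstration: the naive check passes both addresses, the
// parsed check separates them.
for (const href of [SPOOFED_HREF, GENUINE_HREF]) {
  const c = classifyAddress(href);
  console.log(
    `naive=${naiveLooksLikeGoogle(href)} verdict=${c.verdict} host="${c.host}"` +
      (c.decoy ? ` decoy="${c.decoy}"` : '')
  );
}
```

Run it with `node`. The point of the padding is that the location bar has finite width: the victim sees only the decoy at the start of the body, while the markup that draws the fake form sits past the right edge.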

Google last month announced Security Key enforcement, an additional step to protect G Suite customers against phishing: it lets administrators require that employees use a security key, and nothing else, as their second factor.

Bluetooth Low Energy security key support, which works on Android and iOS mobile devices, is another option available to users.

Realistic View

Recent changes in Chrome and Firefox browsers have mitigated some of these types of attacks, observed Patrick Wheeler, director of threat intelligence at Proofpoint.

However, a variety of techniques are used to target users, he pointed out.

Attackers create extremely realistic landing pages, use JavaScript to obfuscate and encrypt pages and contents, and host documents directly on Google Drive, he told TechNewsWorld.

They recently have used PDFs to make it appear that users already are logged onto Google Docs — then users are prompted for a login when they move the mouse over the PDF.

Attacks such as these are a type of cat-and-mouse game in the sense that attackers will find more sophisticated entry points as cyberdefense methods improve, noted Javvad Malik, security associate at AlienVault.

“This shows the increasing maturity of cybercriminals,” he told TechNewsWorld. “As they become more organized and better funded, mainly through the proceeds of crime, they can invest time and resources into tweaking attack methods to become more effective.”

Source: TechNewsWorld