Tricky new Gmail hacking technique more effective than ever

| January 17, 2017 in Business


A new phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over the past few weeks there have been reports of experienced technical users being hit by this.

According to Mark Maunder of Wordfence, an attacker will send an email to your Gmail account that may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.

If you click on the image, expecting Gmail to give you a preview of the attachment, a new tab will open up and you will be prompted by Gmail to sign in again.

Once you complete sign-in, your account has been compromised.

“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list,” said a commenter on Hacker News.

“For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”

Once they have access to your account, the attacker also has full access to all your emails including sent and received up to this point.

Now that they control your email address, they can also gain access to many other services by using their password-recovery flows, since reset links are sent to that inbox.

How to protect yourself against this phishing attack

This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text.

Instead of ‘https’ you have ‘data:text/html,’ followed by the usual ‘https://accounts.google.com….’. If you aren’t paying close attention you will ignore the ‘data:text/html’ preamble and assume the URL is safe.

When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname.

Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left.
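As an added illustration, not part of the original article, the following Python applies the check described above to a location-bar string: it rejects a data: URI even when a genuine-looking https://accounts.google.com follows it, and then verifies the scheme and hostname. The sample strings are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample location-bar strings. The first mimics the pattern the
# article describes: a data: URI with the real sign-in URL embedded after it.
SAMPLES = {
    "data_uri_spoof": "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
    "genuine": "https://accounts.google.com/signin/v2/identifier?service=mail",
    "no_tls": "http://accounts.google.com/signin",
    "lookalike_host": "https://accounts.google.com.example-login.test/signin",
}

EXPECTED_HOST = "accounts.google.com"


def check_login_url(location: str) -> str:
    """Return 'ok' if the location looks like the genuine HTTPS sign-in page,
    otherwise a short reason describing what is wrong with it."""
    parts = urlsplit(location.strip())
    scheme = parts.scheme.lower()
    if scheme == "data":
        # The whole page is carried inside the URL itself; anything that looks
        # like a hostname after 'data:text/html,' is just text, not the origin.
        return "data: URI in location bar (page content is embedded, not served by the host)"
    if scheme != "https":
        return f"scheme is '{scheme or 'none'}', expected 'https'"
    host = (parts.hostname or "").lower()
    if host != EXPECTED_HOST:
        # Catches lookalike domains such as accounts.google.com.<something>.
        return f"host is '{host}', expected '{EXPECTED_HOST}'"
    return "ok"


def check_all() -> dict:
    """Run the check over every constructed sample and return the verdicts."""
    return {name: check_login_url(loc) for name, loc in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:15s} -> {verdict}")
```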

Enable two-factor authentication on every service you use that offers it. Gmail calls this “2-Step Verification.” Enabling two-factor authentication makes it much more difficult for an attacker to sign in to a service that you use, even if they manage to steal your password using this technique.

There is no sure way to check if your account has been compromised. If in doubt, change your password immediately. Changing your password every few months is good practice in general.
