Crafty Phishing Technique Can Trick Even Tech-Savvy Gmail Users

Gmail users in recent months have been targeted by a sophisticated series of phishing attacks that use emails from a known contact whose account has been compromised. The emails contain an image of an attachment that appears to be legitimate, according to Wordfence.

The sophisticated attack displays “” in the browser’s location bar and leads users to what appears to be a legitimate Google sign-in page where they are prompted to supply their credentials, which then become compromised.

The technique works so well that many experienced technical users have fallen prey to the scam, noted Mark Maunder, CEO of Wordfence. Many have shared warnings on Facebook to alert family and friends, given that the technique has exploited otherwise trusted contacts so successfully.

Google’s Reply

Google has been aware of the issue at least since mid-January, based on comments from Google Communications’ Aaron Stein, which WordPress characterized as an “official statement” from the company.

Google was continuing to strengthen its defenses, Stein said, adding that it was using machine learning-based detection of phishing messages, safe browsing warnings of dangerous links in emails, and taking steps to prevent suspicious sign-ins.

Users could take advantage of two-factor authentication to further protect their accounts, he suggested.

Wordfence last month noted that Google Chrome released 56.0.2924, which changes the behavior of the browser’s location bar. The change results in the display of not secure messages when users see a data URL.

Google last month announced additional steps to protect G Suite customers against phishing, using Security Key enforcement. The technique helps administrators protect their employees using only security keys as the second factor.

Bluetooth low energy Security Key support, which works on Android and iOS mobile devices, is another user option.

Realistic View

Recent changes in Chrome and Firefox browsers have mitigated some of these types of attacks, observed Patrick Wheeler, director of threat intelligence at Proofpoint.

However, a variety of techniques are used to target users, he pointed out.

Attackers create extremely realistic landing pages, use Javascript to obfuscate and encrypt pages and contents, and host documents directly on Google drive, he told TechNewsWorld.

They recently have used PDFs to make it appear that users already are logged onto Google Docs — then users are prompted for a login when they move the mouse over the PDF.

Attacks such as these are a type of cat-and-mouse game in the sense that attackers will find more sophisticated entry points as cyberdefense methods improve, noted Javvad Malik, security associate at AlienVault.

“This shows the increasing maturity of cybercriminals,” he told TechNewsWorld. “As they become more organized and better funded, mainly through the proceeds of crime, they can invest time and resources into tweaking attack methods to become more effective.”

Difficult Defense

Attacks like phishing and social engineering are among the most common methods of entry, according to Sam Elliott, director of security product management at Bomgar.

Attacks like these often target privileged users with access to sensitive data, he said.

“While companies are aware of this, providing security around these types of users without limiting their ability to do their jobs effectively is difficult,” Elliott told TechNewsWorld.

Defining “privileged user” poses additional challenges for companies, even those with sophisticated security protocols, he added.

Despite the challenges it poses, “like any phishing scam, this one has a limited lifespan,” observed Mark Nunnikhoven, vice president for cloud research at Trend Micro.

“Because it impacts a very specific audience, there’s also a central point to prevent this scam,” he told TechNewsWorld.

Google likely will deploy image recognition and URL filtering to prevent this campaign from continuing, Nunnikhoven said.

Google did not respond to our request to comment for this story.

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

1 Comment

  • Let’s face it, people are not your typical loser geeks in mom’s basement hacking stuff anymore. The Russian hacking of Yahoo, the Sony breech, and many retail credit card hacks prove that some have found a lucrative business in hacking and that these people are organized and very skilled. So now end users are going to have to step up their game as well and recognize these fakes better. Sadly the mainstream media is too focused on digging up dirt on Trump to deliver real news people can use. Honestly, if the Yahoo breech was Trump’s fault, you would have got wall to wall coverage. Two step verifications seems to be the only real end user protection that works.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels