A large number of Gmail phishing attacks were reported in the media this week. The phishing scam is not new – it was first identified around 12 months ago – but cybercriminals have activated the campaign once more. The phishing emails, which are used to obtain Gmail login credentials, are highly realistic. A number of different tactics are used to avoid detection, some of which are likely to trick even the most security-aware individuals.
The Gmail phishing attacks begin with an email sent to a Gmail account. Security-aware people would be wary of an email arriving from an unknown source. However, these attacks involve emails sent from a contact in the target’s address book. The sender addresses are not disguised to make the emails look like they have come from a contact. The email is actually sent from a contact’s account that has already been compromised.
Email users are far more likely to open emails that come from their contacts. Many people do not perform any additional checks if the sender is known to them. They believe that an email is genuine based solely on its source.
However, that is not the only tactic used to fool targets. The hackers also take data from the contact’s sent and received messages and add it to the email. A screenshot, attachment, or image that was included in an earlier email between the contact and the target is included in the message. Even if the target is a little suspicious about receiving the email, these additional touches should allay their concerns.
The aim of the email is to get the user to click on the image or screenshot. If they do, they will be directed to a Gmail login page where they are required to sign in again. While this is perhaps odd, the page that the user is directed to looks exactly as it is supposed to. It exactly mirrors what the user would usually expect.
Checking the browser’s address bar should reveal that the site is not genuine; however, in this case it does not. The address bar indicates that the site is secure – HTTPS – and the web address includes accounts.google.com. The only evidence of the scam is the inclusion of ‘data.text/html’ before accounts.google.com in the address bar.
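The check a reader has to make by eye can be expressed in code. The following JavaScript is an added example, not part of the original report: it assumes the prefix described above is the `data:` URI scheme, and the function name and all sample URLs are constructed for illustration. It parses the address and compares the scheme and the exact host, rather than looking for the trusted name anywhere in the string.

```javascript
// Added example: classify an address-bar string for the login page described above.
// TRUSTED_HOST comes from the article; every sample URL below is constructed.
const TRUSTED_HOST = "accounts.google.com";

function classifyLoginUrl(raw) {
  const text = raw.trim();
  // A naive "does it contain the name?" test is what the scam relies on.
  const mentionsTrusted = text.toLowerCase().includes(TRUSTED_HOST);
  let url;
  try {
    url = new URL(text); // WHATWG URL parser, built into browsers and Node.js
  } catch (err) {
    return { verdict: "unparseable", reason: "not an absolute URL" };
  }
  if (url.protocol === "https:" && url.hostname === TRUSTED_HOST) {
    return { verdict: "genuine", reason: "https scheme and exact host match" };
  }
  if (!mentionsTrusted) {
    return { verdict: "unrelated", reason: "trusted host not present" };
  }
  // The trusted name appears in the string but is not the HTTPS origin.
  let reason;
  if (url.hostname === "") {
    reason = `scheme ${url.protocol} has no host; the name is only page content`;
  } else if (url.hostname !== TRUSTED_HOST) {
    reason = `real host is ${url.hostname}`;
  } else {
    reason = `scheme is ${url.protocol}, not https:`;
  }
  return { verdict: "suspicious", reason };
}

// Constructed samples: a genuine address, a data: URI, and a lookalike host.
const samples = [
  "https://accounts.google.com/signin",
  "data:text/html,https://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.example.test/signin",
];
for (const s of samples) {
  const r = classifyLoginUrl(s);
  console.log(`${r.verdict.padEnd(11)} ${s}  (${r.reason})`);
}
```
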
Entering account credentials sends that information directly to the hackers. The response is extremely quick. Account details are immediately used to log into the victim’s account. Before the victim even suspects they have been scammed, the entire contents of their Gmail account could be taken, including sent and received emails and the address book. The victim’s contacts will then be subjected to these Gmail phishing attacks in the same manner.